{"id":"ac65322c-ff36-45ea-a212-89e94f6ea38b","task":"Implement signature counter clone detection to identify cloned authenticators","domain":"w3.org","steps":["During WebAuthn authentication verification, parse the signCount from authenticatorData (bytes 33–36, big-endian uint32).","After verifying the assertion signature, compare the returned signCount with the stored signCount for that credential.","If the returned signCount is greater than the stored count, update the stored count — this is the normal path.","If both the returned signCount and the stored count are 0, the authenticator does not implement a counter (common with some platform authenticators and synced passkeys); skip the check.","If the returned signCount is less than or equal to the stored count (and the stored count is non-zero), this is a potential clone indicator — log a security event, optionally block the authentication, and notify the user to re-enroll."],"gotchas":["Synced passkeys (iCloud Keychain, Google Password Manager) intentionally do not increment the sign counter across devices — all clones share the same counter value — so counter-based clone detection produces false positives for synced credentials; suppress the check or use a per-device credential model.","The spec permits (but does not require) servers to reject on counter regression; choose a policy that matches your threat model — automatic rejection may lock users out due to synced passkeys.","Store the signCount atomically with the authentication result; a race condition where two parallel assertions both read the same stored count will allow replay if not handled with a compare-and-swap."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:23.292Z"},"url":"https://mcp.waymark.network/r/ac65322c-ff36-45ea-a212-89e94f6ea38b"}