Authenticator Counter

Search…
The authenticators may have an internal counter. This feature is very helpful to detect cloned devices.
The default behaviour is to reject the assertions. This might cause some troubles as it could reject the real device whilst the fake one can continue to be used. You may also want to log the error, warn administrators or lock the associated user account.
To do so , you have to create a custom Counter Checker and inject it to your Authenticator Assertion Response Validator. The checker must implement the interface Webauthn\Counter\CounterChecker.
config/packages/webauthn.yaml
1
webauthn:
2
    counter_checker: App\Service\CustomCounterChecker
Copied!
The following example is fictive and show how to lock a user, log the error and throw an exception.
1
<?php
2
​
3
declare(strict_types=1);
4
​
5
namespace Acme\Service;
6
​
7
use Assert\Assertion;
8
use Psr\Log\LoggerInterface;
9
use Psr\Log\NullLogger;
10
use Throwable;
11
use Webauthn\PublicKeyCredentialSource;
12
​
13
final class CustomCounterChecker implements CounterChecker
14
{
15
    public function __construct(private UserRepository $userRepository)
16
    {
17
    }
18
​
19
    public function check(PublicKeyCredentialSource $publicKeyCredentialSource, int $currentCounter): void
20
    {
21
        if ($currentCounter > $publicKeyCredentialSource->getCounter()) {
22
            return;
23
        }
24
        
25
        $userId = $publicKeyCredentialSource->getUserHandle();
26
        $user = $this->userRepository->lockUserWithId($userId);
27
        $this->logger->error('The counter is invalid', [
28
            'current' => $currentCounter,
29
            'new' => $publicKeyCredentialSource->getCounter(),
30
        ]);
31
        throw new CustomSecurityException('Invalid counter. User is now locked.');
32
    }
33
}
Copied!
Token Binding
Dealing with “localhost”
Last modified 2mo ago
Export as PDF
Copy link
Edit on GitHub