Webauthn Framework
v3.3
v1.xv2.xv3.0v3.3v4.0v4.5v4.7v4.8v4.9v5.0v5.1v5.2
v3.3
v1.xv2.xv3.0v3.3v4.0v4.5v4.7v4.8v4.9v5.0v5.1v5.2
  • Introduction
  • Web Browser Support
  • Installation
  • Contributing
  • Webauthn In A Nutshell
    • Authenticators
    • Ceremonies
  • Pre-requisites
    • The Relying Party
    • Credential Source Repository
    • User Entity
    • Javascript
    • Easy or Hard Way?
  • The Webauthn Server
    • The Easy Way
      • Register Authenticators
      • Authenticate Your Users
    • The Hard Way
      • Register Authenticators
      • Authenticate Your Users
    • The Symfony Way
      • Entities with Doctrine
      • Firewall
  • Deep into the framework
    • Register Additional Authenticators
    • Debugging
    • User Verification
    • Attestation and Metadata Statement
    • Authenticator Selection Criteria
    • Authentication without username
    • Extensions
    • Token Binding
    • Authenticator Counter
    • Dealing with “localhost”
  • Migration
    • From v2.x to v3.0
Powered by GitBook
On this page
  • The Easy Way
  • The Hard Way
  • The Symfony Way

Was this helpful?

Edit on GitHub
Export as PDF
  1. Deep into the framework

Authenticator Counter

The authenticators may have an internal counter. This feature is very helpful to detect cloned devices.

The default behaviour is to reject the assertions. This behaviour might cause some troubles as it could reject the real device whilst the fake one can continue to be used.

It is therefore required to go deeper in the protection of your application by logging the error and locking the associated account.

To do so , you have to create a custom Counter Checker and inject it to your Authenticator Assertion Response Validator. The checker must implement the interface Webauthn\Counter\CounterChecker.

<?php

declare(strict_types=1);


namespace App\Service;

use App\SecuritySystem;
use Assert\Assertion;
use Throwable;
use Webauthn\PublicKeyCredentialSource;

final class CustomCounterChecker implements CounterChecker
{
    private $securitySystem;

    public function __construct(SecuritySystem $securitySystem)
    {
        $this->securitySystem = $securitySystem ;
    }

    public function check(PublicKeyCredentialSource $publicKeyCredentialSource, int $currentCounter): void
    {
        try {
            Assertion::greaterThan($currentCounter, $publicKeyCredentialSource->getCounter(), 'Invalid counter.');
        } catch (Throwable $throwable) {
            $this->securitySystem->fakeDeviceDetected($publicKeyCredentialSource);
            throw $throwable;
        }
    }
}

The Easy Way

<?php

use Webauthn\Server;

$server = new Server(
    $rpEntity
    $publicKeyCredentialSourceRepository
);

// Set your handler here
$server->setCounterChecker(new CustomCounterChecker());

The Hard Way

$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
    $publicKeyCredentialSourceRepository,
    $tokenBindingHandler,
    $extensionOutputCheckerHandler,
    $coseAlgorithmManager,
    new CustomCounterChecker()
);

The Symfony Way

config/packages/webauthn.yaml
webauthn:
    counter_checker: App\Service\CustomCounterChecker
PreviousToken BindingNextDealing with “localhost”

Last updated 3 years ago

Was this helpful?