Virtual authenticator should allow `counter` to always be `0`
Proposed Change
It doesn't seem possible today, with the currently defined WebAuthn virtual authenticator API, to emulate use of synced passkey credential managers. The authenticator data signCount always increments in authentication responses. This makes it impossible to use the virtual authenticators to test scenarios in which signCount is always 0 in auth responses.
Poking around the spec, it's possible to set an initial sign count when you add a credential to a virtual authenticator:
https://w3c.github.io/webauthn/#sctn-automation-add-credential
However, this signCount always increments in subsequent authentications. If an RP backend keeps track of the counter, a test script that wants to automate the instantiation of a virtual authenticator and its credential would need to query the backend for its current signCount for that credential, or subsequent auth responses from the authenticator would have a signCount lower than what's in the DB, and the response would get rejected.
Maybe we can expand the Set Credential Properties endpoint to enable a credential response to always return with a signCount of 0 🤔
I'd like to talk about how we might enhance the virtual authenticator API to allow for better emulation of synced passkey providers.
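To make the RP-side behaviour discussed above concrete, here is an added example (not code from the issue thread, the WebAuthn spec, or any virtual authenticator implementation). It implements the spec's signature-counter check as an RP would, and drives it with two constructed stand-ins for authenticators: one whose counter increments on every assertion (what the virtual authenticator does today) and one that always reports 0 (what a synced passkey provider does). The class and function names, and the stored counter values, are assumptions made for the example.

```python
"""
Added example: RP-side verification of authenticatorData.signCount,
following the WebAuthn rule for the signature counter, exercised against
two simulated authenticators. Not part of the issue thread or the spec.
"""
from dataclasses import dataclass


@dataclass
class StoredCredential:
    """What the RP database holds for one credential (assumed shape)."""
    credential_id: bytes
    sign_count: int = 0


class CounterError(Exception):
    """Raised when the received signCount does not move forward as required."""


def verify_sign_count(stored: StoredCredential, received: int) -> None:
    """
    WebAuthn assertion-verification rule for the counter:
      * if both the stored and the received value are 0, the authenticator
        does not implement a counter (synced passkeys behave this way) and
        the check is skipped;
      * otherwise the received value must be strictly greater than the
        stored one; anything else is treated as a possible cloned credential.
    On success the stored value is advanced to the received one.
    """
    if received == 0 and stored.sign_count == 0:
        return
    if received <= stored.sign_count:
        raise CounterError(
            f"signCount {received} is not greater than stored {stored.sign_count}"
        )
    stored.sign_count = received


class IncrementingAuthenticator:
    """Constructed stand-in for today's virtual authenticator: the counter
    starts at the value given when the credential is added and goes up by one
    per assertion."""

    def __init__(self, initial: int = 0) -> None:
        self.counter = initial

    def assertion_counter(self) -> int:
        self.counter += 1
        return self.counter


class ZeroCounterAuthenticator:
    """Constructed stand-in for a synced passkey provider: signCount is
    always 0 in every assertion."""

    def assertion_counter(self) -> int:
        return 0


def run_scenarios() -> dict:
    """Run the four cases that matter for the issue and report outcomes."""
    results = {}

    # 1. Incrementing counter: each assertion is accepted and the DB advances.
    cred = StoredCredential(b"cred-incrementing", 0)
    hw = IncrementingAuthenticator()
    for _ in range(3):
        verify_sign_count(cred, hw.assertion_counter())
    results["incrementing_final_stored_count"] = cred.sign_count

    # 2. Always-zero counter: accepted indefinitely, DB stays at 0.
    cred = StoredCredential(b"cred-synced", 0)
    synced = ZeroCounterAuthenticator()
    for _ in range(3):
        verify_sign_count(cred, synced.assertion_counter())
    results["zero_counter_final_stored_count"] = cred.sign_count

    # 3. The issue's failing case: the DB already holds 5 from earlier logins,
    #    a fresh virtual authenticator is added with initial count 0, so its
    #    first assertion carries 1 and is rejected.
    cred = StoredCredential(b"cred-stale", 5)
    fresh = IncrementingAuthenticator(initial=0)
    try:
        verify_sign_count(cred, fresh.assertion_counter())
        results["stale_counter_rejected"] = False
    except CounterError:
        results["stale_counter_rejected"] = True

    # 4. Stored counter nonzero but assertion reports 0: also rejected,
    #    since only the both-zero combination bypasses the check.
    cred = StoredCredential(b"cred-regressed", 5)
    try:
        verify_sign_count(cred, ZeroCounterAuthenticator().assertion_counter())
        results["zero_after_nonzero_rejected"] = False
    except CounterError:
        results["zero_after_nonzero_rejected"] = True

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 3 is exactly the situation the issue describes: because the virtual authenticator's counter always moves, a test that recreates the authenticator has to seed it above whatever the RP has stored. Scenario 2 is the behaviour an always-0 option would let a test exercise, and scenario 4 shows why an RP cannot simply ignore a 0 without also looking at its stored value.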
Agreed, this sounds like a good idea.
That seems reasonable, only addition would be that we might want to support other values, but 0 would be a good place to start.
This is a good idea, let's make it possible to set any positive numeric sign count to support more intentional testing of counter scenarios.