The right way to use YubiKey as an authenticator

[yilanboy]

Hi!

First, I want to thank this project, I use this project to implement the passkey login in my blog repo.

But I have a question, I find that default counter check won't accept my YubiKey as an authenticator.

I have to create a custom counter check and update the check rule. The default rule is...

$currentCounter > $publicKeyCredentialSource->getCounter()

I find in YubiKey, current counter will always equal to credential source counter, if I want to use YubiKey as an authenticator, I must change the rule to...

$currentCounter >= $publicKeyCredentialSource->getCounter()

But I think this might break the purpose of counter check, I'm really confusing about the mechanism behind it.

Is there anyone can tell me I was wrong in something?

[Spomky]

Hi,

This is a really strange behavior. I have several YubiKeys and have never encountered this issue.
According to the Yubikey documentation, the signature counter is incremented each time a signature is issued.

My assumption is that this is most likely a storage or update-flow issue.
Could you share more details about how the credential data is persisted and how the counter comparison is performed? In particular, at which point do you update the stored counter relative to the verification step?

[yilanboy]

Thanks for your reply!

Now I know my approach is not good for security. I will remove my custom counter.

Let me dig in the issue and try to provide more information.

Thanks!

[yilanboy]

I don't know what happened, but I can register my Yubikey now.

packages information:

web-auth/webauthn-lib: 5.2.3
@simplewebauthn/browser: 13.2.2

Register code:

try {
    $publicKeyCredential = $serializer->fromJson($data['passkey'], PublicKeyCredential::class);

    if (! $publicKeyCredential->response instanceof AuthenticatorAttestationResponse) {
        $this->dispatch('toast', status: 'danger', message: 'Invalid passkey');

        return;
    }

    $options = Session::get('passkey-registration-options');

    if (! $options) {
        $this->dispatch('toast', status: 'danger', message: 'Invalid passkey');

        return;
    }

    $publicKeyCredentialCreationOptions = $serializer->fromJson($options,
        PublicKeyCredentialCreationOptions::class);

    $csmFactory = new CeremonyStepManagerFactory();
    $creationCSM = $csmFactory->creationCeremony();

    $publicKeyCredentialSource = AuthenticatorAttestationResponseValidator::create($creationCSM)
        ->check(
            authenticatorAttestationResponse: $publicKeyCredential->response,
            publicKeyCredentialCreationOptions: $publicKeyCredentialCreationOptions,
            host: request()->getHost()
        );
} catch (Throwable) {
    $this->dispatch('toast', status: 'danger', message: 'Invalid passkey');

    return;
}

passkeys table schema:

create table main.passkeys
(
    id            integer not null
        primary key autoincrement,
    owner_id      integer not null,
    name          text    not null,
    credential_id text    not null,
    data          text    not null,
    last_used_at  datetime,
    created_at    datetime,
    updated_at    datetime,
    owner_type    varchar not null
);

What I store in data column, I can see there is a counter data:

{
  "publicKeyCredentialId": "...",
  "type": "public-key",
  "transports": ["usb"],
  "attestationType": "none",
  "trustPath": [],
  "aaguid": "00000000-0000-0000-0000-000000000000",
  "credentialPublicKey": "...",
  "userHandle": "MQ",
  "counter": 2,
  "backupEligible": false,
  "backupStatus": false,
  "uvInitialized": true
}

I didn't change anything, just remove the custom counter for security, can't tell why I can register my yubikey now...