Description
See https://www.w3.org/TR/webauthn/#signature-counter
The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and subsequent values are returned to the WebAuthn Relying Party within the authenticator data again. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone detection is more important for authenticators with limited protection measures.
A Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation. (Or the counter from the authenticatorMakeCredential operation if no authenticatorGetAssertion has ever been performed on a credential.) In subsequent authenticatorGetAssertion operations, the Relying Party compares the stored signature counter value with the new signCount value returned in the assertion’s authenticator data. If either is non-zero, and the new signCount value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
This could be implemented by adding AttestedCredentialData.sign_count: int and checking it in Fido2Server.authenticate_complete(). For backwards compatibility, the default value could be None.
In addition to that, the application would have to store the new count for the chosen credential, so AuthenticatorData.counter needs to be communicated back to the caller. Currently, only the credential is returned from authenticate_complete(). A simple option would be to set cred.sign_count = auth_data.counter. However, AttestedCredentialData is a frozen dataclass, so it cannot be modified.
However, I am not 100% sure this is even relevant. Multi-device credentials are gaining popularity. And it is also not clear how applications should react when they encounter a non-monotonic signature count. For further discussion, see https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html#signature-counters
What do you think about this?
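An added worked example of the counter check quoted above, written for this discussion and not taken from python-fido2: the `StoredCredential` class, the `CounterError` exception and the function names are assumptions for illustration. It implements the spec rule literally (flag only when either value is non-zero and the received `signCount` does not exceed the stored one, so authenticators that always report 0 pass) and, because the stored record is a frozen dataclass, returns a new record with the updated counter for the caller to persist instead of mutating the credential.

```python
"""Signature-counter clone check as described in WebAuthn section 6.1.1.

Illustrative code for this issue, not python-fido2's own implementation.
StoredCredential, CounterError and the function names are assumptions.
"""
from dataclasses import dataclass, replace


class CounterError(Exception):
    """Raised when the assertion's signCount does not advance as expected."""


@dataclass(frozen=True)
class StoredCredential:
    credential_id: bytes
    # Counter from the most recent authenticatorGetAssertion, or from
    # authenticatorMakeCredential if the credential has never been used.
    sign_count: int = 0


def check_sign_count(stored: int, received: int) -> bool:
    """Return True when the received counter is acceptable.

    Per the spec: if either value is non-zero and the new value is less
    than or equal to the stored value, a cloned or malfunctioning
    authenticator may exist. Two zeros mean the authenticator does not
    implement a counter at all, so there is nothing to compare.
    """
    if stored < 0 or received < 0:
        raise ValueError("signCount values are unsigned 32-bit integers")
    if stored == 0 and received == 0:
        return True
    return received > stored


def authenticate_complete_with_counter(
    cred: StoredCredential, received: int
) -> StoredCredential:
    """Validate the counter and return the updated record to persist.

    The stored record is frozen, so a copy with the new counter is
    returned rather than assigning cred.sign_count in place. How the
    application reacts to a CounterError (reject, alert, or just log)
    is left to the caller, as the spec does not prescribe it.
    """
    if not check_sign_count(cred.sign_count, received):
        raise CounterError(
            f"signCount did not increase (stored={cred.sign_count}, "
            f"received={received}); possible cloned authenticator"
        )
    return replace(cred, sign_count=received)


if __name__ == "__main__":
    # Constructed sequence: registration at 0, two assertions, then a
    # replay of the last counter value as a clone would produce.
    cred = StoredCredential(credential_id=b"example-credential-id")
    for observed in (1, 5):
        cred = authenticate_complete_with_counter(cred, observed)
        print(f"accepted assertion, stored counter now {cred.sign_count}")
    try:
        authenticate_complete_with_counter(cred, 5)
    except CounterError as exc:
        print(f"rejected: {exc}")
```

The returned record is what the application would write back to its credential store; the original `cred` object is untouched, which is the pattern the frozen `AttestedCredentialData` would force on callers of `authenticate_complete()`.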