The signature counter is a way to ‘aid a relying party to detect cloned authenticators’. Technically, the signature count from the authenticator only needs to be greater than the one stored. So you can leave the signature count at 0 if you do not want to keep updating that through the storage API (and forgo one mechanism to help detect cloned authenticators).
- If authData.signCount is greater than storedSignCount: Update storedSignCount to be the value of authData.signCount.
- If authData.signCount is less than or equal to storedSignCount: This is a signal that the authenticator may be cloned, i.e. at least two copies of the credential private key may exist and are being used in parallel. Relying Parties should incorporate this information into their risk scoring. Whether the Relying Party updates storedSignCount in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific.
By default, we will try keeping this up to date, but we could also include an option to disable the signature count update if this is desirable under the right circumstances. If disabled, only registration events would write information to the storage service.
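As an added example (not code from the original post or from the storage service it refers to), here is the signCount decision logic above as a relying-party helper, including the "disable the update" option; the StoredCredential record, the function names and the sample authenticator data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class CounterResult(Enum):
    SKIPPED = "skipped"                  # both counters 0: authenticator has no counter
    UPDATED = "updated"                  # counter advanced, stored value written back
    CLONE_SUSPECTED = "clone_suspected"  # counter stalled or went back: risk signal


@dataclass
class StoredCredential:      # hypothetical record held by the storage service
    credential_id: bytes
    sign_count: int          # storedSignCount


def sign_count_from_auth_data(auth_data: bytes) -> int:
    """authData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return int.from_bytes(auth_data[33:37], "big")


def check_signature_counter(cred: StoredCredential, auth_sign_count: int,
                            update_enabled: bool = True) -> CounterResult:
    """Apply the WebAuthn signCount rule to one assertion.

    The caller decides whether CLONE_SUSPECTED fails the ceremony or only feeds
    risk scoring. With update_enabled=False nothing is written back: no storage
    writes on authentication, but this clone-detection signal is lost.
    """
    if auth_sign_count == 0 and cred.sign_count == 0:
        return CounterResult.SKIPPED
    if auth_sign_count > cred.sign_count:
        if update_enabled:
            cred.sign_count = auth_sign_count
        return CounterResult.UPDATED
    # Two copies of the credential private key may be in use in parallel.
    return CounterResult.CLONE_SUSPECTED


def replay(counts, update_enabled=True):
    """Run a constructed sequence of assertion counters against one credential."""
    cred = StoredCredential(credential_id=b"constructed-id", sign_count=0)
    return [check_signature_counter(cred, c, update_enabled) for c in counts]


# Constructed authData: 32-byte rpIdHash, flags 0x05 (UP|UV), signCount 7.
SAMPLE_AUTH_DATA = b"\x00" * 32 + b"\x05" + (7).to_bytes(4, "big")
```

Replaying [5, 6, 4] yields two updates and then a clone signal; with update_enabled=False the stored value stays at 0 and the same sequence never triggers the signal.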