Probably a naive question, but: if the passkey is synchronised between multiple devices, doesn't it just trivially render the signCount useless?
Say I have a passkey shared between my laptop and my smartphone. When I log in with the smartphone, the signCount is incremented and the new value is synchronised with the laptop, as suggested in the article.
Now say my passkey is compromised, and an attacker logs in from somewhere else. Won't the signCount just be incremented and synchronised with the smartphone and the laptop? How does signCount prevent that?
You made a good point, esp. if your passkey vault is comprosed, e.g. Apple iCloud's credentials are leaked. signCount, incremented or not, would not help here in informing you of your hacked iCloud account – that would be dependent on iCloud's service itself for detecting and informing you of your compromised account.
I would still like to see big tech passkey providers implement signCount for the following 2 reasons:
1. It helps to push relying parties to implement signCount verification. Right now most relying parties do not implement it as many providers are returning `0` for `signCount`.
2. This would be an odd one, it helps against detecting leaked private keys of passkeys, if a malicious attacker, internal or external, manages to obtain the private key.
I'm a bit confused: how does signCount ever bring security in a shared-passkey scenario?
The only way I can see it be useful is if you have exactly one instance of the passkey (e.g. a security key), because if `signCount` got incremented without the security key being aware of it, then you have a problem.
Readit News
Say I have a passkey shared between my laptop and my smartphone. When I log in with the smartphone, the signCount is incremented and the new value is synchronised with the laptop, as suggested in the article.
Now say my passkey is compromised, and an attacker logs in from somewhere else. Won't the signCount just be incremented and synchronised with the smartphone and the laptop? How does signCount prevent that?
I would still like to see big tech passkey providers implement signCount for the following 2 reasons:
1. It helps to push relying parties to implement signCount verification. Right now most relying parties do not implement it as many providers are returning `0` for `signCount`.
2. This would be an odd one, it helps against detecting leaked private keys of passkeys, if a malicious attacker, internal or external, manages to obtain the private key.
The only way I can see it be useful is if you have exactly one instance of the passkey (e.g. a security key), because if `signCount` got incremented without the security key being aware of it, then you have a problem.
Why would you sync a passkey, rather than create a separate one for each device? Seems risky if it's compromised?
But I was assuming that the TooBigTech implementation was somehow sharing the passkeys?