The original FIDO U2F has inherent mechanisms to prevent cloning. One is that there is a counter, typically per device but theoretically it could be per account, that increments each time an action is performed. If you cloned a Yubikey and then used the master 10 times, when you went to use the backup it would fail because the usage counter would now be behind the last value seen by the website. It always has to be greater (by 1 or more than one) than the last successful login. I have no idea how Ledger gets around this.
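The website-side counter check described above, as an added example that is not code from the original post or from any vendor. `ToyAuthenticator`, `RelyingParty` and the key handle `"kh1"` are constructed for illustration, and signature verification is assumed to have already passed.

```python
import struct

class CounterRegression(Exception):
    """Counter did not advance past the last accepted value (possible clone)."""

def parse_counter(auth_response: bytes) -> int:
    # U2F authentication response layout: 1 byte user presence,
    # 4-byte big-endian counter, then the signature.
    if len(auth_response) < 5:
        raise ValueError("authentication response too short")
    _presence, counter = struct.unpack(">BI", auth_response[:5])
    return counter

class RelyingParty:
    """Hypothetical website side: stores the last counter seen per key handle."""
    def __init__(self):
        self.last_seen = {}

    def login(self, key_handle: str, auth_response: bytes) -> int:
        counter = parse_counter(auth_response)
        last = self.last_seen.get(key_handle)
        if last is not None and counter <= last:
            raise CounterRegression(f"counter {counter} <= last seen {last}")
        self.last_seen[key_handle] = counter
        return counter

class ToyAuthenticator:
    """Constructed stand-in for a token; emits placeholder signature bytes."""
    def __init__(self, counter: int = 0):
        self.counter = counter

    def clone(self) -> "ToyAuthenticator":
        return ToyAuthenticator(self.counter)  # copy includes counter state

    def sign(self) -> bytes:
        self.counter += 1
        return struct.pack(">BI", 0x01, self.counter) + b"\x00" * 8

def demo() -> str:
    rp, master = RelyingParty(), ToyAuthenticator()
    rp.login("kh1", master.sign())       # first login, counter 1
    backup = master.clone()              # clone taken at counter 1
    for _ in range(10):                  # master used 10 more times
        rp.login("kh1", master.sign())
    try:
        rp.login("kh1", backup.sign())   # backup presents counter 2
    except CounterRegression as exc:
        return str(exc)
    return "accepted"

if __name__ == "__main__":
    print(demo())
```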