
U2F devices store an internal counter to resolve a challenge and the counter value is sent back to the server (source).

I think the counters on the server and on the client must go out of sync from time to time: the internet connection just needs to stop working after the client has received the challenge from the server. If this is the case, then the server can't know whether the client activated the U2F device or not, and the U2F device does not know whether the client successfully sent the response back to the server.

How is this synchronization problem solved? If the server presents a counter that is lower than the current U2F counter, does the U2F token still accept the challenge?

Gamer2015

1 Answer


The server's only expectation for the counter is "greater than the last counter sent by this device". It's intended only as a defense against cloning or replay attacks. There's no requirement that the counter be some specific value.

tjd