Advanced Topics

Challenge Expiration

It is good practice to treat challenges older than X minutes as expired.

Device counters

U2F devices sends an incrementing counter to the server upon authentication. The U2F library uses this counter to prevent the use of cloned devices. For this protection to work, you have to persist the device info after each authentication. However, all U2F compatible devices by Yubico uses tamper-resistant Secure Elements designed to be impossible to clone.

Handling counter errors

If a the counter ever decrements, the device has been cloned. The best way to handle this depends on the application. You might want to alert the user or lock their account.