Does the Authenticator need to use a signature counter? A signature counter is a number that the Authenticator stores and increases by some positive value every time it is used to authenticate. The purpose of this feature is to help SKFS detect cloned Authenticators. SKFS does this by storing its own copy of the signature counter and comparing it to the Authenticator's signature counter on every authentication. The Authenticator's counter must be higher than SKFS's counter; otherwise, a cloned Authenticator may have been used.
Allowed values:
- mandatory: The Authenticator must have a counter. This guarantees the added security of a counter, but it restricts the number of Authenticator models that can be used. By definition, most Authenticators should support using a counter, so this option will still allow a majority of Authenticator models.
- optional: The Authenticator may have a counter, but one is not required. This option will not restrict the breadth of accepted Authenticator models in any way. It will allow both Authenticators that support counters and those that do not. If an Authenticator supports a signature counter, then one will be used.
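
The counter comparison described above, as an added example (not SKFS code): it reads the 4-byte signature counter from WebAuthn authenticator data and applies the mandatory or optional setting. The function names, the result tuple, and treating a counter of 0 on both sides as "this Authenticator has no counter" are assumptions of this example.

```python
import struct

# WebAuthn authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) |
# signCount (4 bytes, big-endian unsigned) | optional further data.
SIGN_COUNT_OFFSET = 33
MIN_AUTH_DATA_LEN = 37


def parse_sign_count(auth_data: bytes) -> int:
    """Extract the signature counter from raw authenticator data."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack_from(">I", auth_data, SIGN_COUNT_OFFSET)[0]


def check_counter(policy: str, stored: int, auth_data: bytes):
    """Return (accepted, counter_to_store, reason) for one authentication.

    policy is "mandatory" or "optional"; stored is the server's own copy
    of the counter from the previous successful operation.
    """
    if policy not in ("mandatory", "optional"):
        raise ValueError("unknown counter policy: " + policy)
    received = parse_sign_count(auth_data)

    # Assumption: an Authenticator without a counter always reports 0,
    # so 0 on both sides means "no counter in use".
    if received == 0 and stored == 0:
        if policy == "mandatory":
            return (False, stored, "counter-required")
        return (True, stored, "no-counter")

    # The Authenticator's counter must be strictly higher than the server's.
    if received > stored:
        return (True, received, "ok")

    # Equal or lower: a copy of the credential may have been used elsewhere.
    return (False, stored, "possible-clone")


def sample_auth_data(sign_count: int) -> bytes:
    """Constructed test input: zeroed rpIdHash, flags=0x05 (UP|UV), counter."""
    return bytes(32) + b"\x05" + struct.pack(">I", sign_count)
```

A "possible-clone" result leaves the stored counter unchanged, so a later authentication from the genuine Authenticator is still compared against the last accepted value.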