Sign counters were stored but never checked, so a cloned authenticator or a
replayed assertion with an equal/lower counter was accepted. Reject the
authentication when the presented counter does not exceed the stored one,
while allowing counter-less/synced passkeys that always report 0.
Refs: porchlight-3cr
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
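The counter rule described in this commit, as an added illustration that is not the project's own code. It assumes a `Credential` record that persists the last accepted `signCount`, and the helper names `parse_sign_count`, `check_sign_count` and `finish_assertion` are hypothetical; the `authenticatorData` layout (rpIdHash 32 bytes, flags 1 byte, signCount 4-byte big-endian) is from the WebAuthn spec.

```python
"""WebAuthn signature-counter (signCount) check on assertion.

Rule (WebAuthn Level 2, verifying an authentication assertion): if either the
stored or the presented counter is non-zero, the presented value must be
strictly greater than the stored one. A presented value that is equal or
lower means a replayed assertion or a cloned authenticator, and the
assertion must be rejected. Authenticators without a counter, including most
synced passkeys, report 0 on every assertion and must be accepted.
"""
from dataclasses import dataclass


@dataclass
class Credential:
    """Hypothetical persisted credential record (assumed, not the project's model)."""
    credential_id: bytes
    sign_count: int  # last signCount accepted for this credential; 0 after registration


class CounterError(ValueError):
    """Raised when the presented signCount does not strictly exceed the stored one."""


def check_sign_count(stored: int, presented: int) -> int:
    """Return the counter value to persist, or raise CounterError.

    stored:    signCount persisted from the last accepted assertion.
    presented: signCount parsed from this assertion's authenticatorData.
    """
    if not 0 <= presented <= 0xFFFFFFFF:
        raise CounterError("signCount must be an unsigned 32-bit integer")
    # Counter-less / synced passkeys: both sides remain 0 forever; accept.
    if stored == 0 and presented == 0:
        return 0
    # Once either side is non-zero the counter is in use and must strictly
    # increase. presented == 0 with stored > 0 is a counter that went backwards,
    # which is exactly how a clone (or a replay of an old assertion) looks.
    if presented <= stored:
        raise CounterError(
            f"signCount {presented} does not exceed stored {stored}: "
            "possible cloned authenticator or replayed assertion"
        )
    return presented


def parse_sign_count(authenticator_data: bytes) -> int:
    """Extract signCount: authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | ..."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return int.from_bytes(authenticator_data[33:37], "big")


def finish_assertion(cred: Credential, authenticator_data: bytes) -> Credential:
    """Apply the counter check after the signature has already verified, then persist.

    The stored value is only advanced when the check passes, so a rejected
    assertion never moves the counter.
    """
    presented = parse_sign_count(authenticator_data)
    cred.sign_count = check_sign_count(cred.sign_count, presented)
    return cred


def make_auth_data(sign_count: int, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData for demonstration (rpIdHash zeroed, UP|UV flags)."""
    return b"\x00" * 32 + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    cred = Credential(credential_id=b"demo", sign_count=5)
    finish_assertion(cred, make_auth_data(6))      # accepted, stored becomes 6
    for bad in (6, 4, 0):                            # equal, lower, and "reset" counters
        try:
            finish_assertion(cred, make_auth_data(bad))
        except CounterError as exc:
            print("rejected:", exc)
    synced = Credential(credential_id=b"passkey", sign_count=0)
    finish_assertion(synced, make_auth_data(0))     # counter-less passkey, accepted
```

The check runs after signature verification rather than before it, so an attacker cannot probe the stored counter with unsigned garbage; and the stored value is written only on success, which keeps a rejected (cloned or replayed) assertion from desynchronising the legitimate authenticator.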