diff --git a/src/Attestation/AuthenticatorData.php b/src/Attestation/AuthenticatorData.php
index 83462b1..a73d195 100644
--- a/src/Attestation/AuthenticatorData.php
+++ b/src/Attestation/AuthenticatorData.php
@@ -281,6 +281,12 @@ private function _readFlags($binFlag) {
 $flags->isBackup = $flags->bit_4;
 $flags->attestedDataIncluded = $flags->bit_6;
 $flags->extensionDataIncluded = $flags->bit_7;
+
+ // Backup State (BS) requires Backup Eligible (BE) per spec.
+ if ($flags->isBackup && !$flags->isBackupEligible) {
+ throw new WebAuthnException('invalid backup flags: BS without BE', WebAuthnException::INVALID_DATA);
+ }
+
 return $flags;
 }
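Review bot: The new check reads `$flags->isBackupEligible`, but nothing in the hunk assigns it; presumably it is set from `bit_3` on the line just above the context, and if it is not, the condition evaluates against an undefined property and a BS-without-BE payload would pass instead of being rejected. The comment `per spec` would be more useful pinned to the section it enforces, e.g. `// WebAuthn L3 §6.1: BE=0 with BS=1 is an invalid flag combination; reject rather than trust the state bit.` Note that this is only the intra-message consistency check: whether BE has changed relative to the value recorded for the credential at registration is a per-credential policy the caller still has to enforce. `_readFlags` begins outside the hunk.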