Is it within the scope of the WebUSB API (drafted there) to be able to use PC/SC devices such as Smart Card readers, perhaps under the assumption they are CCID-compliant (many are close to that and do work with a generic driver)?

If yes, is there any proof-of-concept code showing how, and with what modern browser and reader combination can it run?


This is a followup to this 2013 question. I'm trying to find the status of the WebUSB API solution proposed in this answer.

fgrieu
  • I'm also trying to find out about this particular method. I will do some testing over the next few days. – CheshireChild Mar 03 '21 at 09:37
  • In the same boat. It's sad that it is so strictly denied. I can imagine the possibility that in some cases the user could take responsibility for the action. Until now I didn't find any solution to enable access to the SC reader. Tried [zadig](http://zadig.akeo.ie/) to emulate enabled card driver with `chrome://flags/#new-usb-backend`. Should be enabled just some of the SC reader [webusbAuth](https://github.com/jbirkholz/webusbAuth). – kubo Mar 11 '21 at 07:36
  • Did you find anything regarding this? – Kumar Aug 23 '21 at 10:54
  • @Kumar: No. I keep using an in-house ActiveX, that still works under Edge in compatibility mode. – fgrieu Aug 23 '21 at 11:15

1 Answer

Connecting to smart card readers is outside the scope of the WebUSB API. The reason for this is that the security properties of smart cards make it inappropriate to allow arbitrary code to access them. There is too great a risk of phishing attacks.

The WebAuthn API has built-in protections against this type of attack and is the preferred method to interface with security hardware.

Reilly Grant
  • I get it, and it makes a lot of sense for many applications, including any where the Smart Card is used as a "key ring". Problem comes when we'd want to run an application that needs more fine-grained control. Two examples: reloading a [Navigo card](https://en.wikipedia.org/wiki/Navigo_card), downloading a [tachograph card](https://en.wikipedia.org/wiki/Digital_tachograph). This requires [APDU](https://en.wikipedia.org/wiki/Smart_card_application_protocol_data_unit)-level control, or best even lower (CCID). – fgrieu Mar 10 '21 at 19:08
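
An added example, not part of the original answer or comments and not browser code: the WebUSB specification lists protected interface classes that a page cannot claim, and the smart card class (0x0B, the class CCID readers use) is one of them. The helper name `auditInterfaces`, the sample descriptor tree and the rule that one protected alternate setting blocks the whole interface are assumptions made for illustration.

```javascript
// Interface classes the WebUSB specification lists as protected.
const PROTECTED_CLASSES = new Map([
  [0x01, "Audio"],
  [0x03, "HID"],
  [0x08, "Mass Storage"],
  [0x0b, "Smart Card"],
  [0x0e, "Video"],
  [0x10, "Audio/Video"],
  [0xe0, "Wireless Controller"],
]);

// Walk a USBDevice-shaped object (configurations -> interfaces -> alternates)
// and report which interfaces a page could expect to claim.
// Assumption: one protected alternate setting blocks the whole interface.
function auditInterfaces(device) {
  const report = [];
  for (const config of device.configurations) {
    for (const iface of config.interfaces) {
      const hits = iface.alternates
        .map((alt) => PROTECTED_CLASSES.get(alt.interfaceClass))
        .filter((name) => name !== undefined);
      report.push({
        configuration: config.configurationValue,
        interfaceNumber: iface.interfaceNumber,
        claimable: hits.length === 0,
        protectedAs: [...new Set(hits)],
      });
    }
  }
  return report;
}

// Constructed descriptor tree for a hypothetical composite device: interface 0
// is a CCID reader (class 0x0B), interface 1 is vendor-specific (class 0xFF).
const sampleDevice = {
  productName: "Example composite reader (constructed)",
  configurations: [{
    configurationValue: 1,
    interfaces: [
      { interfaceNumber: 0, alternates: [{ interfaceClass: 0x0b }] },
      { interfaceNumber: 1, alternates: [{ interfaceClass: 0xff }] },
    ],
  }],
};

for (const row of auditInterfaces(sampleDevice)) {
  const verdict = row.claimable ? "claimable" : `blocked (${row.protectedAs.join(", ")})`;
  console.log(`config ${row.configuration}, interface ${row.interfaceNumber}: ${verdict}`);
}
```

In a browser the same function accepts a real `USBDevice` from `navigator.usb.requestDevice()`, since it reads only `configurations`, `interfaces`, `alternates` and `interfaceClass`.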