WebUSB API and PC/SC Smart Card readers

About

Asked 1/3, 2021 at 10:17 Answered 10/3, 2021 at 18:57

Is it within the scope of the WebUSB API (drafted there) to be able to use PC/SC devices such as Smart Card readers, perhaps under the assumption they are CCID-compliant (many are close to that and do work with a generic driver)?

If yes, is there any proof-of-concept code showing how, and with what modern browser and reader combination can it run?

This is a followup to this 2013 question. I'm trying to find the status of the WebUSB API solution proposed in this answer.

Iroquois answered 1/3, 2021 at 10:17 Comment(4)

I'm also trying to find out about this particular method. I will do some testing those next days – Setback 3/3, 2021 at 9:37

On the same boat. It sad that it so strictly denied. I can image possibility that in some cases could the user take responsibility for the action. Until now I didn’t find any solution to enable access to the SC reader. Tried zadig to emulate enabled card driver with chrome://flags/#new-usb-backend. Should be enabled just some of the SC reader webusbAuth. – Stanleigh 11/3, 2021 at 7:36

Did you find any thing reagarding this – Eulalie 23/8, 2021 at 10:54

@Kumar: No. I keep using an in-house ActiveX, that still works under Edge in compatibility mode. – Iroquois 23/8, 2021 at 11:15

Connecting to smart card readers is outside the scope of the WebUSB API. The reason for this is that the security properties of smart cards make it inappropriate to allow arbitrary code to access them. There is too great a risk of phishing attacks.

The WebAuthn API has built-in protections against this type of attack and is the preferred method to interface with security hardware.

Venepuncture answered 10/3, 2021 at 18:57 Comment(2)

I get it, and it makes a lot of sense for many applications, including any where the Smart Card is used as a "key ring". Problem comes when we'd want to run an application that needs more fine-grained control. Two examples: reloading a Navigo card, downloading a tachograph card. This requires APDU-level control, or best even lower (CCID). – Iroquois 10/3, 2021 at 19:8

The reason for this is that the security Unfortunately this is often used like a get out of jail card reason. Like pointed out by @Iroquois , smart card technology is more than just security authentication. And again even if it wasn't the security argument is totally false, there are ways to mitigate risk, in the same way as stopping random websites accessing your video camera. – Caught 15/7 at 10:48

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags