Details
Google Chrome has an API which allows the access to connected USB devices from the browse
Do not allow any site to request access to USB devices via the WebUSB API (2)
Allow sites to ask the user to grant access to a connected USB device (3)
The recommended state for this setting is: Enabled with a value of Do not allow any site to request access to USB devices via the WebUSB API (2)
Rationale:
WebUSB is opening the doors for sophisticated phishing attacks that could bypass hardware-based two-factor authentication devices (e.g. Yubikey devices).
Impact:
If this setting is configured, websites can no longer access connected USB devices via the API (this includes web cameras, headphones, and other USB devices) which could also prevent some two factor authentication (2FA) USB devices from working properly.
Solution
To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Do not allow any site to request access to USB devices via the WebUSB API:
Computer ConfigurationPolicesAdministrative TemplatesGoogleGoogle ChromeContent SettingsControl use of the WebUSB API
Default Value:
Unset (Same as Enabled: Allow sites to ask the user to grant access to a connected USB device, but user can change)
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.