We have an USB related upcoming feature for one of our products. The product is not safety critical. We want the user to be able to log into a computer with their smartcard through a smartcard reader.
As for my current understanding, a Yubikey is a logically equivalent to an inseparable smart card reader and card as seen from the Windows Device Manager. It seems more expensive than smart cards. As I see, both use PCSC protocol. The various smart cards seem to differ most in the file system layout and permission handling.
For this reason, it seems logical to assume that small companies tend to just buy a few Yubikeys or other hardware keys. On the other hand, larger companies with just a few authentication sites and many users are more likely to hire someone with smart card expertise and issue a smart card for everyone, resulting in smaller overall expenses.
We expect both types of users. However, our team lacks smart card expertise.
Option 1. We can invest time in learning to issue smart cards with open-source tools like OpenSC. It will result in more thorough testing at a higher cost, especially in time.
Option 2. We can buy a Yubikey and test with it only. It is much less costly in time, but we cannot know for sure how the system would work with various smart cards.
We do not want to test the process of smart card authentication. But we would like to be confident that the product will not hinder the smart card authentication process in any way.
So the question arises. Is there any significant difference in the way Yubikeys and other smart card authentication systems work as seen in the USB connection that requires us to test with smart cards too? Or are these similar enough so that we can be confident enough even with a single Yubikey?
We have a smart card with an expired certificate. I tried to make a Raspberry Pi OS to require it for login. In the Ubuntu smart card configuration guide I saw that we need a valid smart card certificate so I stopped trying. I did research and got the idea that we could capture USB traffic with Wireshark and USBPCap. But we do not have a Yubikey yet to do any actual measurements.