Thanks a lot for the pointer wih the VM.
There is no easy, generic way to do this.
easy meaning, that it could be implementend in less than a week.
generic meaning, that it would run on “all” browsers.
The challenge is, that due to security reason a website should not access your computers resources. (This was several years ago). So there is no generic USB access or file access.
You may say, “but I can enroll U2F devices, which are actually USB devices”. Yes, but this is a special u2f interface that is implemented into the browser. “But the Alladdin TMS enrolled the etoken already ten years ago in the browser”. Yes, but this only runs in IE, with ActiveX and all the “browser security” switched off. “But I can enroll smartcards in the browser”. Yes, but this is no USB, this is either PKCS11 or MS CAPI with a well defined interface, that is implemented in the browsers.
Well, I would also think, that this would be a very convenient way. If you have any input or thoughts on this, these would be highly welcome. You may also open an issue at github, if you have an idea on that.
The privacyidea admin client simply uses the REST API. The word “admin” can be misleading. The client issues the request
POST /token/init. If this request is issued by an admin, the token is not assigned to any user. If the request is issued by a normal user, it is assigned to the user, since a user may only manage his own tokens. So obviously your “admin” is no admin.