RE: wording for a success criteria to include security concerns and voice systems and others.

I think that Jamie has a valid concern – highlighting solutions rather than elaborating problems is always helpful.

What I think that Lisa’s global requirement and my examples illustrate is that many authentication technologies entirely rely on the false assumption that humans have certain cognitive capabilities that an automated brute-force security attack cannot emulate. This is a dangerous assumption when, in reality, many of the supposed human abilities are weak ones in the general population and so weak as to cause complete failures for those with various cognitive disabilities.

Tools like keychain and 1 password are fine for sites that use single simple passwords, but typically fail to be of much help on sites that request a subset of security tokens (e.g. a password, last school, first pet) from a larger set of security tokens that the user has specified. They are generally of even less use for the “enter the 3rd, 5th and 8th characters” type of security challenge. This latter type of challenge is even more messed up in environments that don’t support the simultaneous display of the security challenge from the website/app and the password (say from 1 password). I’ve never got this to work on iOS using LatPass. The user is then forced to do the almost impossible task of remembering the password (either retrieving it from long-term memory or flipping to LastPass and memorising it in short-term memory) and then performing the task of identifying the 3rd, 5th and 8th character from the password visualised from their short-term memory!!

To alleviate the above mess, an awful lot of things have to be corrected in websites/apps, operating systems, and password managers before the task begins to be downgraded from virtually impossible to merely extremely hard!

Best regards

Mike

From: lisa.seeman [mailto:lisa.seeman@zoho.com]
Sent: 25 August 2015 13:59
To: Jamie Knight <Jamie.Knight@bbc.co.uk>
Cc: EA Draffan <ead@ecs.soton.ac.uk>; Michael Pluke <Mike.Pluke@castle-consult.com>; public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Subject: Re: wording for a success criteria to include security concerns and voice systems and others.

Hi Jamie
There is a full issue paper on the issue and on alternatives
See https://rawgit.com/w3c/coga/master/issue-papers/privacy-security.html


All the best

Lisa Seeman

Athena ICT Accessibility Projects <http://accessibility.athena-ict.com>
LinkedIn<http://il.linkedin.com/in/lisaseeman/>, Twitter<https://twitter.com/SeemanLisa>



---- On Tue, 25 Aug 2015 15:30:32 +0300 Jamie Knight<Jamie.Knight@bbc.co.uk<mailto:Jamie.Knight@bbc.co.uk>> wrote ----
Hello,

I think I missed something. What do we suggest authors do instead of CAPTCHAS, strong passwords etc?

For example:

- use a strong password. Use AT to remember i (eg safari keychain, tools like 1password) and then we talk to those orgs to make setup cog friendly.

- CAPTCHAS - what would we suggest instead?

The phrase works well to describe the problems and what is wrong.

Nothing to describe strengths.

For example, a maths puzzle may suit autistic users. A visual reasoning puzzle may suit dyslexic users.

How can we use our understanding of Ability to improve things.

Rather than use examples of being disabled by the environment as a way to tell people they are doing it wrong.

Lets suggest ideas for making it better.

Hope that's okay, I may be missing the point entirely.

Jamie + Lion

Sent from my iPhone

On 25 Aug 2015, at 13:15, lisa.seeman <lisa.seeman@zoho.com<mailto:lisa.seeman@zoho.com>> wrote:
Thanks EA
All the best

Lisa Seeman

Athena ICT Accessibility Projects<http://accessibility.athena-ict.com>
LinkedIn<http://il.linkedin.com/in/lisaseeman/>, Twitter<https://twitter.com/SeemanLisa>



---- On Tue, 25 Aug 2015 15:05:52 +0300 EA Draffan<ead@ecs.soton.ac.uk<mailto:ead@ecs.soton.ac.uk>> wrote ----

Really has a good ring about it!  I agree with Mike and would just deal with the typo…



"Minimize the cognitive skills required to use the content when there is a known alternative."







3)      Requiring the user to decipher indistinct letters or numbers against a complex background as seen in CAPTCHAs relies on good visual perceptual skills, visual acuity as well as decoding skills.  These abilities are often affected by cognitive impairments.





Best wishes

E.A.



Mrs E.A. Draffan

WAIS, ECS , University of Southampton

Mobile +44 (0)7976 289103

http://access.ecs.soton.ac.uk


UK AAATE rep http://www.aaate.net/


http://www.emptech.info




From: Michael Pluke [mailto:Mike.Pluke@castle-consult.com]
Sent: 25 August 2015 12:01
To: lisa.seeman <lisa.seeman@zoho.com<mailto:lisa.seeman@zoho.com>>; public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org<mailto:public-cognitive-a11y-tf@w3.org>>
Subject: RE: wording for a success criteria to include security concerns and voice systems and others.



Hi



I think that this is a very good attempt. I think a few good examples would help people understand that this rule is regularly broken in the field of security e.g.



1)      Requiring the user to enter a password relies on the user’s long-term memory and recall. In conditions such as Alzheimer’s, long-term memory and recall abilities will decrease which will force the user to write down the password and hence compromise their security.

2)      Requiring the user to enter, say, the 3rd, 5th and 8th characters of a password or special word relies on counting, string processing and recognition abilities that are often severely impacted in conditions such as dyslexia and dyscalculia.



Best regards



Mike



From: lisa.seeman [mailto:lisa.seeman@zoho.com]
Sent: 25 August 2015 11:33
To: public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org<mailto:public-cognitive-a11y-tf@w3.org>>
Subject: wording for a success criteria to include security concerns and voice systems and others.



Hi

Following the call last night Ayelet and myself came out with the following wording for a technique or success criteria to include security concerns and voice systems and others.


"Minimize the cognitive skills required to use the content when there is a know alternative."



We can follow it with text and examples about alternatives in each topic and a link to the relevant issue paper. The advantage in citing examples is that the technique will endure even as technology and specifics change



All the best

Lisa Seeman

Athena ICT Accessibility Projects<http://accessibility.athena-ict.com>
LinkedIn<http://il.linkedin.com/in/lisaseeman/>, Twitter<https://twitter.com/SeemanLisa>