
Should we set up a call?

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Mon, 19 Jun 2017 22:26:41 +0300
To: <public-webauthn@w3.org>, <vijay.bharadwaj@microsoft.com>, <hlevangong@paypal.com>, <balfanz@google.com>, <aczeskis@google.com>, <arnarb@google.com>, "Janina Sajka" <janina@rednote.net>, "public-cognitive-a11y-tf" <public-cognitive-a11y-tf@w3.org>
Cc: <Jeff.Hodges@paypal.com>, <mbj@microsoft.com>, <rolf@noknok.com>, <jc@mozilla.com>, "Joshue O Connor" <joshue.oconnor@cfit.ie>, "Andrew Kirkpatrick" <akirkpat@adobe.com>, "Michael Cooper" <cooper@w3.org>, "public-cognitive-a11y-tf" <public-cognitive-a11y-tf@w3.org>
Message-Id: <15cc1d06c79.d8c9b19b28404.3697950663699865707@zoho.com>
Hello again Web Authentication Folks,


Could you let us know when you expect https://www.w3.org/TR/webauthn/ to go to CR? 


We believe this could be a very important supporting technique for our WCAG success criteria, as it will enable people with cognitive disabilities, who cannot remember passwords, to use web services. If there is a known timeline, that would be useful as well.


Also, please let us know if there are any security concerns with our current proposal. If there are any concerns, then perhaps the best way to move things forward would be to have a call? Good time slots for us are Wednesday 1 pm EST or Thursday 10 am EST. Would either of those be possible?
 
Thanks for your help and all the best

Lisa Seeman


Facilitator of the task force for accessibility for people with cognitive and learning disabilities (COGA)

LinkedIn, Twitter





---- On Mon, 19 Jun 2017 13:49:48 +0300 <lisa.seeman@zoho.com> wrote ----

Hi Folks

We are trying to create guidance for authentication that works for people with disabilities, including cognitive disabilities, who cannot remember passwords or reliably copy information.


The current proposed wording is:
Essential steps of an authentication process, which rely upon recalling or copying information, have alternative essential steps, or an authentication-credentials reset process, which do not rely upon recalling and copying information.
There is an exception for:

* cases where this would go against any legislative requirements
* basic identifying information that the user has easy access to, such as: name, address, email address and identification or social security number can be required.

We also allow for alternative methods if one method cannot be used by all.

See: https://github.com/w3c/wcag21/issues/23. We also have an issue paper that discusses it at https://w3c.github.io/coga/issue-papers/privacy-security.html





Our question is: are there any security reasons that would make this unreasonable from a security perspective? If there are, could we set up a call (preferably this week) to discuss it?


Josh, Andrew, did I leave anything out?



All the best

Lisa Seeman

LinkedIn, Twitter

Also, we need to check the survey: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results (although we can disagree with them and try to convince them)


3. We need an exception for when this is not possible with current legislative requirements


4. Possible exception for copying up to four characters? Do we see a user problem with this?

All the best

Lisa Seeman

LinkedIn, Twitter







-- 
Joshue O Connor
 Director | InterAccess.ie 
 

 
Received on Monday, 19 June 2017 19:27:19 UTC
