Some of the security people consulted - was RE: Next steps for accessible authentication from lisa.seeman on 2017-06-20 (public-cognitive-a11y-tf@w3.org from June 2017)

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Tue, 20 Jun 2017 18:31:13 +0300
To: "White" <jjwhite@ets.org>
Cc: "Michael Pluke" <Mike.Pluke@castle-consult.com>, "Alastair Campbell" <acampbell@nomensa.com>, "public-cognitive-a11y-tf@w3.org" <public-cognitive-a11y-tf@w3.org>, "WCAG" <w3c-wai-gl@w3.org>
Message-Id: <15cc61f31e7.d739060261130.2437250212583210944@zoho.com>

Just to clarify some of the security expertise people who have been involved in this process: We had a join meeting with the web authentication group in a joint meeting in Lisborn. Also Thaddeus (who works in web security) was consulted and consulted with his colleges, also I consulted with the cyber crimes unit of the Israeli police who specializes in vulnerable people. As requested , I posted to the web authentication group a few times to ask them if they have any problem with the current wording. So far we have had no feedback. Josh and Andrew were cc'ed maybe they want to clarify the urgency to see if anyone has an issue with it. (Note the SC wording was posted in the email so it was clear what we were asking. )

All the best

Lisa Seeman

LinkedIn, Twitter

---- On Tue, 20 Jun 2017 18:01:24 +0300 &lt;lisa.seeman@zoho.com&gt; wrote ----

Yes jason, we had people involved insecurity working on this which is why password managers were not included as a proposed solution

All the best

Lisa Seeman

LinkedIn, Twitter

---- On Tue, 20 Jun 2017 17:57:32 +0300 White&lt;jjwhite@ets.org&gt; wrote ----

From: Michael Pluke [mailto:Mike.Pluke@castle-consult.com]
Sent: Tuesday, June 20, 2017 10:29 AM

As a password manager user I agree that they have the potential to solve password memorization/recall for all users (not just those with disabilities that affect long-term memory). In practice they can make things worse when sites do not allow the strong un-memorable passwords to be automatically copied into the entry fields! An SC that disallowed such blocking could be very valuable.
[Jason] Some organizations (such as financial institutions) may have good security reasons to disallow password managers. This observation reinforces my view that we need a strong security review of this proposal.

This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.

Thank you for your compliance.

Received on Tuesday, 20 June 2017 15:31:48 UTC