Re: Apology for today's call & feedback on authentication questions

Hi all

Regrets from me for today’s meeting, as well.

I echo Scott’s positive feedback on the questions—good work! Just a couple of minor comments:

1) I prefer “people with disabilities” to “persons with disabilities”, but if it’s a W3C or APA style to use the latter, then that’s fine. 
2) Three of the four short form questions are phrased as yes or no questions. It might be helpful to rephrase the short form questions to clearly indicate that we’re interested in more than just a yes or no answer (though Q3 probably works as it is, in implying we want to learn about the “it depends” nature of the question). 

Possible rephrasing of Q1 and Q4 as follows:
1. Which authentication mechanisms are currently attracting the greatest interest from the Web authentication community? Which methods should we prioritize our efforts in understanding?
4. What emerging authentication approaches exist that do not require the user to retype strings of characters?

Dave


> On 16 Aug 2017, at 06:35, Scott Hollier <scott@hollier.info> wrote:
> 
> To Jason and Janina
>  
> Firstly, great work on the authentication questions – these look great to me, very clear and concise. I’m sure these questions will yield the information we’re seeking. 
>  
> Secondly, I’ll be an apology for today’s call, really sorry about that. I’m still on track, though, for the VR summary, which I’ll circulate before the meeting next week.  
>  
> Thank you,
>  
> Scott.
>  
>  
> Dr Scott Hollier 
> Digital Access Specialist
> Mobile: +61 (0)430 351 909
> Web: www.hollier.info
>  
> Technology for everyone
>  
> Keep up-to-date with digital access news – follow @scotthollier on Twitter or e-mail newsletter@hollier.info with ‘subscribe’ in the subject line.
>  
> From: White, Jason J [mailto:jjwhite@ets.org] 
> Sent: Tuesday, 15 August 2017 10:18 PM
> To: RQTF <public-rqtf@w3.org>
> Subject: Authentication questions
>  
> Thanks to Janina for revising the draft Authentication Questions in view of Task Force discussions. Please review the following prior to the meeting tomorrow. The agenda will be circulated shortly.
>  
> <begin draft>
> Dear Colleagues:
>  
> We are researching accessibility impact of various authentication approaches on the web for the W3C/WAI Accessible Platform Architectures
> (APA) Working Group.  We would appreciate your assistance in our effort specifically around the following questions:
>  
> We've attempted to pose our questions succinctly first, then to follow up with greater detail below.
>  
> Short Form Questions
>  
> 1. Can you please help us identify and prioritize the authentication mechanisms which are currently attracting the greatest interest from the Web authentication community? This will help us prioritize our efforts.
>  
> 2. Persons with disabilities are likely to behave differently while interfacing with an authentication environment. We'd like to understand whether this might adversely impact their ability to authenticate vis a vis users without disabilities.
>  
> 3. Are captchas still considered useful? Or, is their use likely to fade?
>  
> 4. Are there promising authentication approaches that do not require the user to retype strings of chars?
>  
> Explanatory Details
>  
> 1. Question 1--requires no explanation.
>  
> 2. For question 2, regarding behavioral analysis ...
>  
> Discussion of accessibility and authentication at the TPAC meeting last year focused on the notion of a risk analysis which a Web application can undertake to determine whether to accept or decline a user's authentication attempt. The risk analysis can take into account a variety of factors in arriving at a decision to grant or deny access to a resource.  We are concerned, however, that there are factors, such as the timing of a user's keystrokes, that are likely to present differently by virtue of a person's having a disability or using an assistive technology (e.g., speech
> recognition) that synthesizes keyboard input.  Which of the possible factors, if any, should we consider in determining the potential adverse consequences of a user's having a disability (including their need for assistive
> technology) on the accuracy of risk analyses?
>  
> 3. Captcha
>  
> The APA Working Group is presently revising the W3C Working Group Note, first published in 2005, regarding accessibility issues raised by the use of CAPTCHA:
> https://www.w3.org/TR/turingtest/
>  
> Given the ongoing evolution of authentication technologies on the Web today, is CAPTCHA in its various forms likely to continue to be widely deployed, or should we expect it will be supplanted by the use of secure authentication mechanisms and risk analysis algorithms? If so, on what likely timeline?
>  
> Furthermore, many of the cases in which CAPTCHA is used require the identity of the user to be disclosed (e.g., to create an account in a Web application).
> This being so, do there remain significant scenarios on the Web today in which there is a need for a genuine human interaction proof that does not also reveal the user's identity? This is a common privacy concern for many persons with disabilities who would prefer not to reveal that they are persons with disabilities.
>  
> 4. Question 4--Removing the need to enter arcane text strings
>  
> The Accessibility Guidelines Working Group is considering a proposal for its formal Success Criteria related to the next revision of W3C/WAI's Web Content Accessibility Guidelines (WCAG) that would favor the use of authentication mechanisms which do not require the user to memorize or transcribe information.
>  
> The objective of the proposal is to overcome accessibility barriers encountered most particularly by users with learning or cognitive disabilities in completing authentication tasks. If widely implemented on the Web, this proposal would remove a frequently relied upon authentication factor - what the user knows - from the repertoire of factors that accessibility-supportive Web site and Web application authors can depend on in the authentication process. It would also likely complicate some multi-factor authentication schemes.
>  
> What are the security implications of this kind of proposal?  When might we expect authentication mechanisms that satisfy this requirement (i.e., which do not rely on the user's ability to accurately memorize or transcribe information) to be available and supported by Web standards?
>  
> <end draft>
>  
>  

--
David Sloan
--
UX Research Lead
The Paciello Group
https://www.paciellogroup.com
A VFO™ Company http://www.vfo-group.com/

Received on Wednesday, 16 August 2017 11:48:33 UTC