Draft questions for Web Authentication Working Group

Dear colleagues,

Pursuant to the action that Janina and I took at a recent meeting, here are draft questions that may be posed to the Web authentication Working Group. Comments are welcome at the meeting tomorrow.
------------

The Research Questions Task Force of the Accessible Platform Architectures (APA) Working Group has been asked by APA to review available research and advise on possible approaches for accessible authentication on the web. We would appreciate your assistance in our effort specifically around the following questions:
1. We plan to examine the physical, sensory and cognitive demands created by different authentication schemes to inform the ongoing development of accessibility-related planning and specifications within the W3C. For this purpose, it is desirable to prioritize our review of authentication technologies which are currently significant or expected to become significant in the near future.
Can you please help us identify and prioritize the authentication mechanisms which are currently attracting the greatest interest from the Web authentication community? Which approaches should we therefore prioritize in conducting our review of the accessibility implications of authentication technologies?
2. Discussion of accessibility and authentication at the TPAC meeting last year focused on the notion of a risk analysis which a Web application can undertake to determine whether to accept or decline a user's authentication attempt. The risk analysis can take into account a variety of factors in arriving at a decision to grant or deny access to a resource. We are concerned, however, that there are factors, such as the timing of a user's keystrokes, that are likely to present differently by virtue of a person's having a disability or using an assistive technology (e.g., speech recognition) that synthesizes keyboard input. Which of the possible factors, if any, should we consider in determining the potential adverse consequences of a user's having a disability (including their need for assistive technology) on the accuracy of risk analyses?

3. The APA Working Group is presently revising the W3C Working Group Note, first published in 2005, regarding accessibility issues raised by the use of CAPTCHA. https://www.w3.org/TR/turingtest/
Given the ongoing evolution of authentication technologies on the Web today, is CAPTCHA in its various forms likely to continue to be widely deployed, or will it be supplanted by the use of secure authentication mechanisms and risk analysis algorithms?
Furthermore, many of the cases in which CAPTCHA is used require the identity of the user to be disclosed (e.g., to create an account in a Web application).

This being so, do there remain significant scenarios on the Web today in which there is a need for a genuine human interaction proof that does not also reveal the user's identity?
4. The Accessibility Guidelines Working Group is considering a proposal for its formal Success Criteria related to the next revision of W3C/WAI's Web Content Accessibility Guidelines that would favor the use of authentication mechanisms which do not require the user to memorize or transcribe information. The objective of the proposal is to overcome accessibility barriers encountered by users with learning or cognitive disabilities in completing authentication tasks. If widely implemented on the Web, this proposal would remove a frequently relied upon authentication factor - what the user knows - from the repertoire of factors that accessibility-supportive Web site and Web application authors can depend on in the authentication process. It would also complicate some multi-factor authentication schemes.

What are the security implications of this proposal? When can we expect authentication mechanisms that satisfy this requirement (i.e., which do not rely on the user's ability to accurately memorize or transcribe information) to be available and supported by Web standards?
Received on Tuesday, 25 July 2017 23:24:13 UTC