Fwd: Focused questions regarding CAPTCHA and authentication from Judy Brewer on 2017-06-07 (public-rqtf@w3.org from June 2017)

From: Judy Brewer <jbrewer@w3.org>
Date: Wed, 7 Jun 2017 09:27:24 -0400
To: RQTF <public-rqtf@w3.org>
Message-ID: <da5ab420-dacf-adbf-2409-06c2f94e410e@w3.org>

Forwarding to the list this set of questions from Jason.

- Judy

-------- Forwarded Message --------
Subject: 	Focused questions regarding CAPTCHA and authentication
Date: 	Mon, 15 May 2017 14:34:17 +0000
From: 	White, Jason J <jjwhite@ets.org>
To: 	Janina Sajka <janina@rednote.net>
CC: 	Judy Brewer <jbrewer@w3.org>, Shadi Abou-Zahra <shadi@w3.org>, 
Michael Cooper <cooper@w3.org>

Judy and I met briefly for a very effective planning discussion, in which I took an action to write focused questions on CAPTCHA and authentication as background to inviting Wendy Seltzer to an RQTF meeting.

Here are several questions with which to start the discussion. Judy, you're welcome to omit some of them (especially the last one) if you think they're insufficiently precise, and I trust you to make any changes you think appropriate.

* What are the most effective alternatives to CAPTCHA, their advantages and drawbacks?

* How important are CAPTCHA use cases in which what is needed is a genuine Turing test that establishes the humanity of the user without revealing the user's identity? Which, if any, of the alternatives to CAPTCHA can satisfy these use cases?

* Which means of authentication are currently attracting the greatest interest from the Web authentication community? Which authentication mechanisms should we therefore review in regard to their implications for accessibility, including the sensory, cognitive and other demands that they place on the user?

* Discussion of accessibility and authentication at the TPAC meeting last year focused on the notion of a risk analysis which a Web application can undertake to determine whether to accept or decline a user's authentication attempt. The risk analysis can take into account a variety of factors in arriving at a decision. Which of the possible factors should we focus on in determining the likely effects of a user's having a disability (including their need for assistive technology) on the accuracy of risk analyses?

* There is often a balance to be reached between the usability of an authentication mechanism and the security it offers. Usability and accessibility issues become more complex when the needs of people with a variety of sensory, cognitive and physical abilities are considered. How can we devise authentication techniques that are both highly secure and highly accessible to people with disabilities, and which therefore achieve an appropriate balance? Which of the authentication mechanisms currently in use or under development (singly or in combination) hold the most promise in this regard?

Regards,

Jason.

Received on Wednesday, 7 June 2017 13:27:35 UTC