
Re: WAI help with WSC ISSUE-125

From: Al Gilman <Alfred.S.Gilman@IEEE.org>
Date: Wed, 6 Feb 2008 13:03:16 -0500
Message-Id: <7488AB26-211B-44C8-8B39-25AFC233A262@IEEE.org>
Cc: public-usable-authentication@w3.org, wai-liaison@w3.org
To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>


On 25 Jan 2008, at 9:05 AM, Mary Ellen Zurko wrote:

>
> Hi Al,
>
> We've got another issue in wsc-xit that we could use some WAI help  
> with.
> http://www.w3.org/2006/WSC/track/issues/125
>
> We're addressing some issues around "shoulder surfing" in one of  
> our recommendations.
> http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
>
> Right now, it's totally phrased in terms of visuals. We need to  
> know what the current functionality in screen readers and other  
> assistive technology is when it deals with passwords or other  
> strings that are generally masked on input. Can someone give us a  
> quick tutorial or some pointers? Thanks for your time and help.

Hi, MEZ:

My colleagues have given me a quick refresher.

http://lists.w3.org/Archives/Member/w3c-wai-pf/2008JanMar/thread.html#msg81

A summary of the feedback so far is that:

(a) the behavior recommended by the blind community is that
the characters / keystrokes of password entry are not echoed
in the screen reader audio just as they are not echoed on the screen.

(b) by now, this recommended behavior is by and large
the actual user experience, when dealing with Operating System
widgets or Web forms through a screen reader.  Earlier, the
keystrokes were echoed from the keyboard interface without
regard for the security significance of the field being entered.
But the users complained, because a blind user can even less
tell who is listening than the sighted user will notice who
is watching.

caveat:

This does not address the barriers to use by people with
dyslexia and cognitive disabilities that are raised by
username:password as the authorization dialog.

Working around that barrier may involve substituting authentication
mechanisms at a higher level than just non-echo of the password
field in a username:password pair.

This does not necessarily involve introducing any new
access control techniques into practice, but rather opening
up web applications to higher-security options that are
more forgiving of human conditions where the standard
technique raises barriers.

Examples could be password-generating devices for the dyslexic
and biometric authentication for the severely learning disabled.

Al

>           Mez
>
>
>
Received on Wednesday, 6 February 2008 18:03:55 GMT
