RE: Do we want a Biometric Alternative SC in WCAG 2.1? from lisa.seeman on 2016-07-24 (w3c-wai-gl@w3.org from July to September 2016)

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Sun, 24 Jul 2016 12:01:58 +0300
To: Katie Haritos-Shea GMAIL <ryladog@gmail.com>
Cc: "'John Foliot'" <john.foliot@deque.com>, "'White, Jason J'" <jjwhite@ets.org>, <tink@tink.uk>, "'David MacDonald'" <david100@sympatico.ca>, "'Patrick Lauke'" <redux@splintered.co.uk>, "'WCAG'" <w3c-wai-gl@w3.org>
Message-Id: <1561c21dee2.11675844a60179.522899913440855138@zoho.com>
Folks

Take a look at the coga proposed success criteria  on adding barriers






When there is a barrier between the content and the user that requires additional abilities an alternative is provided that does not require additional abilities.§
 Additional abilities include cognitive functions that are required, but are not necessary to achieve the main task for which the content was designed. Such as: 
   Capture or security mechanisms that require copying, spelling or memory skills, 
  Interactive communication systems, voice menu systems such as Voice XML automated customer service portals, which require the user to have a good working (transitory) memory. The user needs hold pieces of transitory information in the mind such as the number that is being presented as an option, whilst processing the terms that follow. 
  Hiding of critical features under categories that are hard to understand. Such as a Web Of Things interfaces, that requires the user to understand the word "mode" to get to easy to understand options. 
  Exception: There is an exception when there is a not a known alternative that provides the same main function and does not rely on additional abilities. A known alternative can be a WCAG technique, W3C note, or in the documentation of the platform. 
 Technique examples  
 Examples in security: Web security and privacy technologies, for example, intentionally require users to perceive more and to do more to complete tasks. Three examples of these technologies are passwords, CAPTCHA, and 2-Factor Authentication. Such techniques require that the user has a good working memory or short term memory required to copy a code or remember complex passwords. 
 Alternatives exists that can allow more people to use content securely. These alternatives include using Web tokens, signing in via email account or other account, or biometrics are all alternatives to the above. For more details on this issue and on alternatives are available https://rawgit.com/w3c/coga/master/issue-papers/privacy-security.html



     

All the best

Lisa Seeman

LinkedIn, Twitter





---- On Fri, 22 Jul 2016 19:10:43 +0300 Katie Haritos-Shea GMAIL&lt;ryladog@gmail.com&gt; wrote ---- 

Thanks John,
 
I am still thinking there may be something broad we could add at this point for 2.1, and perhaps via the proposed SC that Patrick is working on, related to sensors, may be it.
 
Web Payments is leaving the authentication APIs up to the WG that are dealing specifically with security I am pretty sure.
 
Weak stab at a Biometrics Alternative SC: “When it is in control of the author to offer forms of biometric authentication, at least two forms must be made available.”
 
 
 
* katie *
 
Katie Haritos-Shea 
Principal ICT Accessibility Architect (WCAG/Section 508/ADA/AODA)
 
Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile | Office: 703-371-5545 | @ryladog
 
From: John Foliot [mailto:john.foliot@deque.com] 
Sent: Friday, July 22, 2016 11:56 AM
To: White, Jason J &lt;jjwhite@ets.org&gt;
Cc: tink@tink.uk; David MacDonald &lt;david100@sympatico.ca&gt;; Katie Haritos-Shea GMAIL &lt;ryladog@gmail.com&gt;; Patrick Lauke &lt;redux@splintered.co.uk&gt;; WCAG &lt;w3c-wai-gl@w3.org&gt;
Subject: Re: Do we want a Biometric Alternative SC in WCAG 2.1?
 
I think (as others have suggested) that this is likely a WCAG 3.0/Silver discussion, as it also seems to involve hardware and platform specific variables likely outside of the "content" authors control.

 

About 2 or 3 years ago, I recall having an exploratory discussion around the use of biometrics and authentication (while I was at JPMC), and during those chats we absolutely understood that biometrics could augment (but not replace) other forms of input/authentication, and I actually saw a proof of concept authentication platform that allowed for multiple forms of biometrics to authenticate: eye-scan/gaze, fingerprints, voice recognition, etc. Thoughtfully applied, this could actually benefit some users (I'm thinking mobility impaired as an easy example). The PoC platform I saw could also leveraged other variables, such as GPS-aware sensors (i.e. you could set a profile that your cell phone or other type of dongle (https://shop.smartthings.com/#!/products/samsung-smartthings-arrival-sensor) had to be in physical proximity to an ATM that was attempting to withdraw money from your account) and/or you could require any 2 of 5 or 6 different authentication "triggers" (e.g. voice and eye-scan).

 

It strikes me that this may be fertile ground for the newly formed Research Questions TF that Jason is heading up to further explore (with a plug for that TF: https://www.w3.org/WAI/APA/task-forces/research-questions/). We may also want to monitor the Web Payments Working Group as they work on authentication APIs (etc.), as I suspect there will be some valuable cross-over between those efforts and personalization of web content and secure, personalized "user profiles". 

 

JF


 
On Fri, Jul 22, 2016 at 9:14 AM, White, Jason J &lt;jjwhite@ets.org&gt; wrote:


&gt; -----Original Message-----
&gt; From: Léonie Watson [mailto:tink@tink.uk]
&gt; On 22/07/2016 00:21, David MacDonald wrote:
&gt; &gt; yup... we currently require any input including Bio-metric,to be
&gt; &gt; keyboard accessible, but perhaps there is room for more.
&gt;
&gt; Requiring a non-keyboard input device to be keyboard accessible seems
&gt; counter-intuitive.

[Jason] Yes, and this isn't what WCAG 2.0 requires. All functionality of the Web content (be it a document or application) must be keyboard operable. This doesn't exclude biometrics, audio or video input, for example, as long as the application is keyboard-accessible as specified in 2.1.1.
However, suppose we set up an authentication scheme whereby the user has to supply a finger print. If this is part of the Web content rather than of the user agent, then I suspect it's inconsistent with 2.1.1; it's certainly an insurmountable accessibility barrier to anyone who can't make use of a fingerprint scanner (for any number of disability-related reasons), thus it arguably shouldn't conform to WCAG.
If we had an API that allowed the user agent to choose a means of biometric authentication appropriate to the user's needs and abilities, then I would maintain that the content should then conform to WCAG.
&gt;
&gt; Agree this is an important conversation. It's a broad ranging discussion though,
&gt; and one I think might be better suited to whatever comes after 2.1.
&gt;
[Jason] I also look forward to contributing to that discussion, which is undoubtedly necessary.


________________________________

This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.


Thank you for your compliance.

________________________________




 

-- 
John Foliot


Principal Accessibility Strategist

Deque Systems Inc.

john.foliot@deque.com


 

Advancing the mission of digital accessibility and inclusion
Received on Sunday, 24 July 2016 09:02:33 UTC