W3C home > Mailing lists > Public > w3c-wai-gl@w3.org > April to June 2017

RE: Next steps for accessible authentication

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Mon, 19 Jun 2017 20:59:03 +0300
To: White <jjwhite@ets.org>
Cc: "Alastair Campbell" <acampbell@nomensa.com>, "public-cognitive-a11y-tf@w3.org" <public-cognitive-a11y-tf@w3.org>, "WCAG" <w3c-wai-gl@w3.org>
Message-Id: <15cc1802d64.e3bccf5e25252.7308530601697120233@zoho.com>
Hi Jason

People will need to take the security alternative that give the right balance between security and easy of implementation for their senario.


Some of the alternatives are easy but less secure (such as logging in via facebook) some are more complex but more secure. Fortunately there  is there is a large range of alternatives. that go from weekly secure to the type used by people working in encryption and security such as smart cards.

All the best

Lisa Seeman

LinkedIn, Twitter





---- On Mon, 19 Jun 2017 20:48:27 +0300  White&lt;jjwhite@ets.org&gt; wrote ---- 

     
  
     From: lisa.seeman [mailto:lisa.seeman@zoho.com] 
 Sent: Monday, June 19, 2017 1:30 PM
 
 
 
 
   We are allowing multiple alternatives, such as:
 
     two step authentication that has a link to press as an alternative to entering a code
 [Jason] What are the security implications, if any? The server comprising the destination of the link could be attacked (e.g., by trying different values for the data carried in the link in succession).
    two step authentication using devices that sends a tokens via Bluetooth
 [Jason] These are promising as an idea, but without standardization, the user may end up having to use several different devices with different Web sites – not a desirable outcome. I think these could only be required in WCAG when the standards are in place.
    Email resetting is an option for most places,  including google if people have an alternative address
 [Jason] This isn’t suitable for high security applications, since anyone who gains access to the e-mail account can compromise the security of the system.
   login in via something like facbook
 [Jason] This involves trusting/relying on a third party to perform the authentication. If I remember correctly, this is known to have serious security shortcomings.
   conformance to the web authentification specification at https://www.w3.org/TR/webauthn/
 
  [Jason] This is the most promising of your alternatives. Will it be practically available by the time WCAG 2.1 enters Candidate Recommendation?
  
 In short, I think most of the options are at least suspect from a security point of view.
  
 
 
 
 
 
  This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.
 
 Thank you for your compliance.
  
Received on Monday, 19 June 2017 17:59:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 19 June 2017 17:59:38 UTC