RE: Feedback on Success Criterion 2.2.6 Accessible Authentication from lisa.seeman on 2017-11-29 (w3c-wai-gl@w3.org from October to December 2017)

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Wed, 29 Nov 2017 17:06:46 +0200
To: Alastair Campbell <acampbell@nomensa.com>
Cc: "Rochford, John" <john.rochford@umassmed.edu>, "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>, "Thaddeus Cambron" <inclusivethinking@gmail.com>
Message-Id: <160084f0d5c.1160acfce174279.6193154056803487829@zoho.com>

Hi Alistair

I like the limitation to re-authentication. That makes sense to me
Limiting it to single step may be a compromise we have to make but it is a problem.

All the best

Lisa Seeman

LinkedIn, Twitter

---- On Wed, 29 Nov 2017 15:26:54 +0200 Alastair Campbell&lt;acampbell@nomensa.com&gt; wrote ----

Hi Lisa,

Sorry for the long email, skip to the end to see the resulting language. Details between here and there…

&gt; An email reset loop is ok.

I’m not sure how a typical email reset-loop would be ok, the steps are usually:
Click on ‘forgotten password’
Put in your email address.
Receive a link through email, select it
Put in a new password, twice. Next.
On the login page, enter your username/email, and password to login.

That means you have to remember/copy/transcribe the password from one page to the next.

However, I’ll drop this one as there do appear to be common libraries/methods for doing direct-login from an email link.
E.g. https://www.drupal.org/project/email_auto_login
https://wordpress.org/plugins/wp-email-login/
https://stackoverflow.com/questions/37332190/django-login-with-email

That helps in the single-factor case.

&gt; Other example of cheap methods is "login in via Facebook".

As you say, some won’t like (or cannot use) a 3rd party login, but it’s a useful extra.

&gt; Facebook itself is conformant as it allows you to login via your profile picture (you click on your picture instead of typing in a password.)

That’s true once you’ve logged in with a username/password, but not if you have a fresh browser / different computer.

Again: Does the site have to comply all the time? They do not now, and possibly cannot.

&gt; A site can have two step authentication with coping a number from an SMS so long as they allow a reset or other conformant mechanism as well.

How does a reset help? If you reset a password, you still have to put in the number from the 2FA whether it is SMS or app based.
Do you mean turning off 2FA?

&gt; Note as the National Institute for Standards and Technology (NIST) in July 2016 warned against using the plane text-message-based two-factor

Yep, I noted that before as well, we shouldn’t use SMS as a technique, not that it would be conformant anyway.

&gt; Some sites use an RC code generator.

Random code? Do you mean a QR code generator?

&gt; That seems more secure then two step authentication, is completely compliant and can be done for free.

I think you are confusing authentication with re-authentication. I.e. if you have already logged in (probably with a password), then you can re-authenticate with an easier / less secure method.

Also, can you point to a service that provides this? (I’ve googled for RC and QR codes for login but can’t find anything useful.)

&gt; RC scans are used by plannerinclusion

Great, but I can’t find plannerinclusion to see what you mean, is that the right spelling?

What I’m trying to work out is if it is something available for free, or as a service, or you have to implement it yourself.

&gt; Also the FIDO key can be at the users expense.

Yep, I’ve read up on how it works. When it is better supported it would be a good mechanism for single-factor auth.

However, it will only help in the single factor case, as from (the link you provided to) MS’s FIDO implementation says:

“The Web Authentication specification defines two authentication scenarios: passwordless and two factor. In the passwordless case, the user does not need to log into the web page using a user name or password – they can login solely using Windows Hello. In the two factor case, the user logs in normally using a username and password, but Windows Hello is used as a second factor check to make the overall authentication stronger.”

I.e. when you have 2-factor on, there is not a password-less mechanism because FIDO/WebAuth is the second factor.

&gt; Also firefox seem to be quite advanced in their webauth implementation… Do you know the source is for saying it only works in chrome?

Yep, the usual source of browser support facts: https://caniuse.com/#search=fido

I’m sure Firefox and Edge will, as Mozilla and Microsoft have editors on the spec. But then the question is when, it is not planned before version 60 of Firefox, eta after WCAG 2.1.

&gt; If not can you think of an exception that would help?

Yes, but not sure how much it helps overall, bolding additions/changes:

--------------
Essential steps of a single-factor re-authentication process which relies on recalling or transcribing information has one of the following:

alternative essential steps, which do not rely upon recalling or transcribing information.
an authentication-credentials reset process, which does not rely upon recalling or transcribing information

Except that the authentication process can rely on the user inputting basic personal information such as name, address, email address or national identification number.

Unless there are legal requirements for a recall or transcribe method of authentication.

--------------

Not perfect, but do you see where I’m going with it?

I was also trying to remove the hole where anything involving a name / email address was totally exempt.

-Alastair

Received on Wednesday, 29 November 2017 15:07:19 UTC