Re: Feedback on Success Criterion 2.2.6 Accessible Authentication

Hi Alastair. As soon as the password page is in the drawer, people with short-term memory loss will forget where it is.

It is great that what we are asking is in line with security and usability recommendations. That is good news.

It is, however, also an accessibility requirement because without it many people with disabilities cannot use the site.

A lot of our recommendations are also good usability and industry practice. That is never a reason to leave it out.
 
All the best

Lisa Seeman

---- On Fri, 01 Dec 2017 11:19:10 +0200 Alastair Campbell<acampbell@nomensa.com> wrote ---- 

      Hi Lisa,
  
  > Writing down on paper your one password is very risky. People do it, but it means a caregiver, plumber, delivery person can access it,
  
 Risks are relative, if you keep it in a drawer then it is probably less risky than using the same password across different websites. The risks from password re-use are exploitable over the internet.
  
 
   
 > Also things often go wrong at this point such as you upgrade your browser and your password manager doesn't work, or the site updates its interface. It is also hard for our user groups to know which password managers are trustworthy.
  
 Agreed, it isn’t magic ☺
  
  
 
  > However if we have solutions that solve all these problems, then supporting these user agents can become techniques, and this SC becomes really easy to conform to.
  
 Well, at that stage it moves from Content to User-Agents.
  
 Each browser has built-in password saving [1], and if you use multiple browsers then 1Password and LastPass are the most recommended cross-browser password managers. (KeePass is also recommended, but more complex to manage).
  
 The aspects of websites changing interface or blocking password managers are already recommended against by security organisations, this is an entertaining example:
 https://www.troyhunt.com/the-cobra-effect-that-is-disabling/
 Or an official one from the UK Gov department responsible for cyber security:
 https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords 
  
 I think the US changed its guidance this year as well to encourage password paste-ability.
  
 The question is whether we need an accessibility guideline to enforce something that is already a security and usability recommendation?
  
 Cheers,
  
 -Alastair
 
                 
 [1]
 Chrome:  https://support.google.com/chrome/answer/95606?co=GENIE.Platform%3DDesktop&hl=en
 FF:  https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import
 Edge:  https://support.microsoft.com/en-gb/help/4028534/windows-remember-passwords-in-microsoft-edge
 Safari:  https://support.apple.com/kb/PH25230?locale=en_US 
  
 
 

Received on Friday, 1 December 2017 11:49:10 UTC