Authentication (was RE: CAPTCHA alternatives/pitfalls) from John Foliot on 2010-03-19 (wai-xtech@w3.org from March 2010)

From: John Foliot <jfoliot@stanford.edu>
Date: Thu, 18 Mar 2010 23:40:56 -0700 (PDT)
To: "'Gregory J. Rosmaita'" <oedipus@hicom.net>, "'Leif Halvard Silli'" <xn--mlform-iua@xn--mlform-iua.no>, "'W3C WAI-XTECH'" <wai-xtech@w3.org>
Cc: <public-html-a11y@w3.org>
Message-ID: <01e601cac72f$1fe78f60$5fb6ae20$@edu>

[JF - after this initial response/post to the current CAPTCHA discussion, 
this might stray off in a wholly separate direction - for now. I will ask 
that we remove it from the public-html-a11y/w3c list, should anyone care to 
respond. Moving to wai-xtech/w3c for wider discussion]

Gregory J. Rosmaita wrote:
>
> i think that JohnF hit the nail on the head when he pointed out the
> advantages of universal password solutions such as those that allow
> you to verify yourself by logging into a service such as twitter or
> facebook or by using OpenID type solutions, if not OpenID itself...

I think that there are numerous opportunities for this type of 'human-ness' 
verification which might warrant more investigation.  Currently at Stanford 
I am learning of the Shibboleth System[1], which links a number of 
Universities together, including Stanford. Using their local authentication 
at *their* university, we can grant fellow colleagues access as a favored 
guest at Stanford - and we can control what favored means.

As well, Stanford is moving towards a university account-for-life scheme, 
which will allow alumni to retain their SUNet credentials for life; I will 
presume that this is currently not un-common, or could be further encouraged 
at other universities and similar institutions.

It is a potentially very large data-set of authenticated ID's issued by 
trusted entities such as higher education affiliations - presumably other 
large federated verticals could use this method as well (financial/banking 
sector for sure, likely other blue-chip and middle-level federations as 
well - National Cattlemen’s Beef Association[2] anyone?)

The question becomes, could something like this be used at such a basic but 
huge-scale deployment for the type of 'authentication' that CAPTCHA 
currently provides? What kind of overhead would it entail (for example)? I 
currently have an OpenID (linked directly to john.foliot.ca) and I have a 
twitter handle, MSN Passport, AOL double duty sign-in name, yada yada 
yada... there are already a ton of free services out there (that all 
required CAPTCHA to get started - sigh); however for disabled communities 
other trusted entities could also serve to assure humanness and verify as 
much through such a distributed (but more controlled) system - I am thinking 
for example of medical care-givers, churches, banks/post offices, NGO's 
etc. - entities that the disabled users are already likely affiliated to.

So, thoughts?

JF

[1 http://shibboleth.internet2.edu/about.html]
[2 http://www.beefusa.org/]

Received on Friday, 19 March 2010 06:41:32 UTC