Re: WCAG 2.2 public comment - 3.3.7 Accessible Authentication

Hi Alastair,

Thank you so much for migrating the questions to Git.  I’ll be following there, and will let the FIDO group follow there too.

Also thank you for your proposed response!  Will we get notice when the response becomes “formal”?  If so, what does the timeline look like?

Yao

Yao Ding
Accessibility Researcher


From: Alastair Campbell <acampbell@nomensa.com>
Date: Thursday, September 23, 2021 at 1:28 AM
To: Yao Ding <yaoding@fb.com>, public-agwg-comments@w3.org <public-agwg-comments@w3.org>
Subject: RE: WCAG 2.2 public comment - 3.3.7 Accessible Authentication
Hi Yao,

Thanks for that, I’ve put it into our tracker:
https://github.com/w3c/wcag/issues/2052

If you can follow there, that would be great, otherwise we can respond on email when we consider the issue resolved or responded to.

Kind regards,

-Alastair


From: Yao Ding <yaoding@fb.com>
Sent: 23 September 2021 09:07
To: public-agwg-comments@w3.org
Subject: WCAG 2.2 public comment - 3.3.7 Accessible Authentication

Accessibility Guidelines WG,

I’m Yao Ding, an Accessibility Researcher at Facebook.  I’m representing the Consumer Deployment WG of FIDO Alliance<https://fidoalliance.org/> to provide comments and seek clarification on 3.3.7 Accessible Authentication.

We have two main questions:


  1.  Clarify if providing WebAuthN is a sufficient technique even if in some cases the authenticator only supports PIN.
     *   Understanding 3.3.7<https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication.html> lists “Providing WebAuthN” as a sufficient technique.
     *   “Examples” language – “Common methods on laptops and phones are facial-scan, fingerprint, and pin number. The web site is not enforcing any particular use, it is assumed a user will setup a method that suits them.” – seems to suggest that PIN is always one in multiple options that the user can choose from.  We don’t think it’s accurate because when we deploy WebAuthN, WebAuthN does not provide any information on what modality an authenticator supports.  In some cases, the authenticator may only support PIN.
     *   As per the definition of “cognitive function test”, memorizing a PIN is seemingly a cog test.
     *   Based on the above premise, will providing WebAuthN still pass 3.3.7 even in cases where the authenticator only supports PIN?
  2.  Clarify if passwordless authentication would pass 3.3.7
     *   Passwords are known to be weak for phishing and the industry is moving towards authentication without relying on passwords.
     *   Is it accurate to say that as long as the passwordless auth doesn’t rely on a cognitive function test, it passes 3.3.7?
     *   If yes, may we provide examples of FIDO passwordless authentication to be included as examples or sufficient techniques?

Your response would be much appreciated!

Regards,
Yao


Yao Ding
Accessibility Researcher

Received on Thursday, 23 September 2021 18:30:44 UTC