Comments on the Web Authentication specification

I've read the latest draft of the Web Authentication specification at https://www.w3.org/TR/webauthn/

Notes appear below. As it's a complex specification, I may not have identified all of the relevant accessibility issues. Review by a second APA participant would be most welcome. Also, the Research Questions Task Force is currently engaged in related work in regard to authentication, which has a broader scope, and which has led to questions for discussion with the Web Authentication Working Group.

Sections 4.4 and 4.4.1. The PublicKeyCredentialEntity dictionary includes two fields: "name" (required), and "icon", where the latter is a URL that resolves to an image (e.g., identifying the user or the relying party). I think the best practice (which should not be enforced, in my view) for accessibility is to supply both. In particular, I think relying parties who have a logo should supply both a name and the logo as an image.

Section 5. It seems to me that the AAGUID described in this section can be used by relying parties to identify features of the authenticator (e.g., the mechanisms it uses to verify the presence and the identity of the user). I think there's scope for best practice guidance here (probably not in the specification, except perhaps as a brief note, but ultimately through WCAG or other documents - possibly an APA Working Group Note on authentication) about how relying parties should take into account the capabilities of authenticators in making decisions. That is, if the RP looks up the authenticator by its AAGUID in a database and institutes a policy of only accepting, for example, authenticators that depend on fingerprint recognition as their means of verifying the user, then clearly we have an accessibility concern. Of course, security considerations are fundamental, and they need to be combined with accessibility considerations when relying parties make decisions based on authenticator characteristics.
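As an added illustration of the two points above (sections 4.4/4.4.1 and section 5), and not code from the specification or from this message: relying-party helpers in JavaScript that build creation options with both name and icon for the RP and user entities, and that audit an AAGUID-based acceptance policy for the biometric-only case. The AAGUID registry, its GUIDs and capabilities are constructed placeholders, not real authenticator metadata.

```javascript
// Constructed AAGUID registry with placeholder GUIDs; not real authenticator metadata.
const REGISTRY = {
  "00000000-0000-4000-8000-000000000001": { name: "fingerprint-only key", userVerification: ["fingerprint"], certified: true },
  "00000000-0000-4000-8000-000000000002": { name: "PIN key", userVerification: ["passcode"], certified: true },
  "00000000-0000-4000-8000-000000000003": { name: "uncertified key", userVerification: ["fingerprint", "passcode"], certified: false },
};
const BIOMETRIC = new Set(["fingerprint", "face", "iris", "voice"]);

// Copy a PublicKeyCredentialEntity, keeping "icon" only when one was supplied.
function entityDict(entity, extra) {
  const out = { ...extra, name: entity.name };
  if (entity.icon) out.icon = entity.icon;
  return out;
}

// Build PublicKeyCredentialCreationOptions. "name" is required, so its absence is an
// error; a missing "icon" is best-practice guidance only, so it is reported as a warning.
function buildCreationOptions(rp, user, challenge) {
  const warnings = [];
  for (const [label, entity] of [["rp", rp], ["user", user]]) {
    if (!entity.name) throw new Error(`${label}.name is required`);
    if (!entity.icon) warnings.push(`${label}.icon missing: supply an image alongside the name`);
  }
  const publicKey = {
    challenge,
    rp: entityDict(rp, { id: rp.id }),
    user: entityDict(user, { id: user.id, displayName: user.displayName }),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  };
  return { publicKey, warnings };
}

// Per-authenticator decision: look the AAGUID up and apply the RP's policy predicate.
// Unknown AAGUIDs are rejected because nothing can be asserted about them.
function isAcceptable(aaguid, policy, registry = REGISTRY) {
  const info = registry[aaguid];
  return info !== undefined && policy(info);
}

// Audit a policy across the registry: report the accepted set and whether every accepted
// authenticator verifies users by biometrics alone, the exclusionary case described above.
function auditPolicy(policy, registry = REGISTRY) {
  const accepted = Object.keys(registry).filter((a) => policy(registry[a]));
  const biometricOnly = accepted.length > 0 &&
    accepted.every((a) => registry[a].userVerification.every((m) => BIOMETRIC.has(m)));
  return { accepted, biometricOnly };
}

// Two sample policies: one driven by a security property, one by verification method.
const certifiedOnly = (info) => info.certified;
const fingerprintOnly = (info) => info.userVerification.every((m) => m === "fingerprint");
```

Running `auditPolicy(fingerprintOnly)` flags `biometricOnly: true`, the case where an RP's authenticator policy would exclude users who cannot use a fingerprint reader, while `auditPolicy(certifiedOnly)` does not.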

Perhaps the Web Authentication Working Group could make a non-normative reference to European Union standard EN 301 549, section 5.3 (biometrics):
http://mandate376.standards.eu/standard/technical-requirements/biometrics
and also to the U.S. Section 508 standards, paragraphs 1194.25 (d) and 1194.26 (c).
https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-section-508-standards/section-508-standards
to alert readers of the specification to accessibility issues raised by the use of biometrics in authentication mechanisms.


Received on Wednesday, 18 October 2017 16:52:25 UTC