- From: Janina Sajka <janina@rednote.net>
- Date: Wed, 6 Sep 2017 08:35:26 -0400
- To: public-webauthn@w3.org, public-rqtf@w3.org, W3C WAI Accessible Platform Architectures <public-apa@w3.org>
- Cc: jfontana@yubico.com, tonynad@microsoft.com, weiler@w3.org, Michael Cooper <cooper@w3.org>, "White, Jason J" <jjwhite@ets.org>, Judy Brewer <jbrewer@w3.org>
Dear Colleagues:

We are researching the accessibility impact of various authentication approaches on the web for the W3C/WAI Accessible Platform Architectures (APA) Working Group. We would appreciate your assistance in our effort specifically around the following 4 questions:

1. Which authentication mechanisms are currently attracting the greatest interest from the Web authentication community? Which methods should we prioritize our efforts in understanding?

2. Persons with disabilities are likely to behave differently while interfacing with an authentication environment. We'd like to understand whether this might adversely impact their ability to authenticate vis a vis users without disabilities.

3. Are captchas still considered useful? Or, is their use likely to fade?

4. What emerging authentication approaches exist that do not require the user to retype strings of characters?

Explanatory Details

1. Question 1--requires no explanation.

2. For question 2, regarding behavioral analysis ...

Discussion of accessibility and authentication at the TPAC meeting last year focused on the notion of a risk analysis which a Web application can undertake to determine whether to accept or decline a user's authentication attempt. The risk analysis can take into account a variety of factors in arriving at a decision to grant or deny access to a resource. We are concerned, however, that there are factors, such as the timing of a user's keystrokes, that are likely to present differently by virtue of a person's having a disability or using an assistive technology (e.g., speech recognition) that synthesizes keyboard input. Which of the possible factors, if any, should we consider in determining the potential adverse consequences of a user's having a disability (including their need for assistive technology) on the accuracy of risk analyses?

3. Captcha

The APA Working Group is presently revising the W3C Working Group Note, first published in 2005, regarding accessibility issues raised by the use of CAPTCHA:

https://www.w3.org/TR/turingtest/

Given the ongoing evolution of authentication technologies on the Web today, is CAPTCHA in its various forms likely to continue to be widely deployed, or should we expect it will be supplanted by the use of secure authentication mechanisms and risk analysis algorithms? If so, on what likely timeline?

Furthermore, many of the cases in which CAPTCHA is used require the identity of the user to be disclosed (e.g., to create an account in a Web application). This being so, do there remain significant scenarios on the Web today in which there is a need for a genuine human interaction proof that does not also reveal the user's identity? This is a common privacy concern for many persons with disabilities who would prefer not to reveal that they are persons with disabilities.

4. Question 4--Removing the need to enter arcane text strings

The Accessibility Guidelines Working Group is considering a proposal for its formal Success Criteria related to the next revision of W3C/WAI's Web Content Accessibility Guidelines (WCAG) that would favor the use of authentication mechanisms which do not require the user to memorize or transcribe information. The objective of the proposal is to overcome accessibility barriers encountered most particularly by users with learning or cognitive disabilities in completing authentication tasks.

If widely implemented on the Web, this proposal would remove a frequently relied upon authentication factor - what the user knows - from the repertoire of factors that accessibility-supportive Web site and Web application authors can depend on in the authentication process. It would also likely complicate some multi-factor authentication schemes. What are the security implications of this kind of proposal?

When might we expect authentication mechanisms that satisfy this requirement (i.e., which do not rely on the user's ability to accurately memorize or transcribe information) to be available and supported by Web standards?

Janina Sajka, APA Chair
Dr. Jason White, APA Research Questions Task Force (RQTF) Facilitator

--

Janina Sajka, Phone: +1.443.300.2200
sip:janina@asterisk.rednote.net
Email: janina@rednote.net

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures http://www.w3.org/wai/apa

Received on Wednesday, 6 September 2017 12:36:16 UTC