Fwd: [w3c/webauthn] Request for an Accessibility Considerations section to API for Accessing Public key credentials CR (#1557)

I submitted an issue, #1557, to the API for Accessing Public Key credentials to the Web Authentication working group, https://github.com/w3c/webauthn/issues/1557#issue-799706654.

They have provided additional comments and there has already been additional discussion and a pull request on this.

Becky Gibson
Sr. Accessibility Strategist

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Co-Chair, Accessible Platform Architectures http://www.w3.org/wai/apa

> Begin forwarded message:
> From: =JeffH <notifications@github.com>
> Subject: Re: [w3c/webauthn] Request for an Accessibility Considerations section to API for Accessing Public key credentials CR (#1557)
> Date: February 3, 2021 at 8:24:11 PM EST
> To: w3c/webauthn <webauthn@noreply.github.com>
> Cc: Becky Gibson <gibson.becky@gmail.com>, Author <author@noreply.github.com>
> Reply-To: w3c/webauthn <reply+AACN4C2ZJB4HYTIQ2CFXL3F6E4W3XEVBNHHC7KUODY@reply.github.com>
> Regarding point #1 <https://github.com/w3c/webauthn/issues/1> in #1557 (comment) <https://github.com/w3c/webauthn/issues/1557#issue-799706654>: the user verification modalities that may be employed during registration or authentication ceremonies are a product of (a) the capabilities of the authenticator, and whether the Relying Party "prefers" or "requires" user verification during the operation. The relying party (i.e., web site) can require user verification to occur during registration or authentication ceremonies, but cannot directly select the user verification method employed. E.g., if the authenticator supports both fingerprint or PIN, either may be used, an[d all that is typically reported to the relying party is that user verification occurred (in the successful case).
> Thus your expressed requirement perhaps (?) can be re-expressed as:
> Users ought to have available to them on their device+authenticator(s), more than one user verification means (e.g., a PIN as well some form of biometric sensor(s)) in those cases where their device+authenticator(s) support user verification.
> Also note that WebAuthn can be used as a "second factor", i.e., typically in combination with username+password, and in those cases the user is not "verified", though a "user presence test" is employed (often asking the user to tap something (on screen, a physical button on their device or authenticator, etc). Depending on the device+authenticator(s) in play and the manifestation of the "user presence test", and the particular user's situation, there may or may not be accessibility concerns.
> However, we are unsure whether such guidance is appropriate for the WebAuthn spec itself to provide. Are there examples of other Web Platform API specs that tread into such hardware/platform-specific territory?
> Regarding point #2 <https://github.com/w3c/webauthn/pull/2>, I am finding the intent/purpose of "entering freeform text instructions" unclear?
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub <https://github.com/w3c/webauthn/issues/1557#issuecomment-772953693>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACN4C2N27CMJQTJ3LSAXPLS5HZLXANCNFSM4W7UMBTA>.

Received on Thursday, 4 February 2021 21:25:11 UTC