Web Authentication Level 3

Hello all,

knowing full well I'm a little late in the game, I'd like to give a small report of my findings regarding the accessibility considerations in the Web Authorization Level 3 FPWD (https://www.w3.org/TR/webauthn-3/). On the assumption that this specification would encompass not only the strictly technical aspects of authorization but also some of the user-facing aspects thereof, I had hoped to be able to contribute more than eventually turned out to be the case.

As I see it, this is a very solid API which only concerns itself with the technical aspects within its scope. Admittedly, I haven't read very many API specifications, yet I find this to have covered most relevant bases. The accessibility considerations (chapter 15), which on first read seemed a bit rudimentary, on closer inspection turn out to be almost complete considering the scope of the document.

As it is rather short, I quote the original wording in full:

"User verification-capable authenticators, whether roaming or platform, should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to other user verification means if the selected one is not working for some reason. Note that in the case of roaming authenticators, the authenticator and platform might work together to provide a user verification method such as PIN entry [FIDO-CTAP].
Relying Parties, at registration time, SHOULD provide affordances for users to complete future authorization gestures correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self).
Ceremonies relying on timing, e.g., a registration ceremony (see timeout) or an authentication ceremony (see timeout), ought to follow [WCAG21]'s Guideline 2.2 Enough Time. If a client platform determines that a Relying Party-supplied timeout does not appropriately adhere to the latter [WCAG21] guidelines, then the client platform MAY adjust the timeout accordingly."

The only things I can think of which aren't already in the text are a general reminder of the AGs when implementing the user-facing side of the authorization process, and future-proofing it by not explicitly naming WCAG21 but rather the Web Content Accessibility Guidelines or some other, more general, term for the AGs.

Hence, my proposed updated wording would read:

"User verification-capable authenticators, whether roaming or platform, should offer users more than one user verification method (e.g., both fingerprint sensing and PIN entry). This allows for fallback to other user verification means if the selected one is not working for some reason. Note that in the case of roaming authenticators, the authenticator and platform might work together to provide a user verification method such as PIN entry [FIDO-CTAP].
Relying Parties, at registration time, SHOULD provide affordances for users to complete future authorization gestures correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self).
Ceremonies relying on timing, e.g., a registration ceremony (see timeout) or an authentication ceremony (see timeout), ought to follow the Enough Time guideline of the Web Content Accessibility Guidelines. If a client platform determines that a Relying Party-supplied timeout does not appropriately adhere to the latter guidelines, then the client platform MAY adjust the timeout accordingly.
It is also advised that any user-facing aspect of an authorization process follow the Web Content Accessibility Guidelines to support as wide a range of users and use cases as possible."

Any and all comments welcome.

Looking forward to today's meeting.

All the best,
Fredrik



________________________________
Mag. Fredrik Fischer, CWAE
Projects

Hilfsgemeinschaft der Blinden und Sehschwachen Österreichs
Schlosshofer Straße 2-6, 1210 Wien
Tel.: +43 1 330 35 45 - 47
www.hilfsgemeinschaft.at
www.facebook.com/Hilfsgemeinschaft


Received on Wednesday, 26 May 2021 14:49:24 UTC