RE: Argument to revert my "User authentication methods" success criteria to the pre-5th Sept COGA call version (with a small mod) from Michael Pluke on 2016-09-14 (public-cognitive-a11y-tf@w3.org from September 2016)

From: Michael Pluke <Mike.Pluke@castle-consult.com>
Date: Wed, 14 Sep 2016 16:37:42 +0000
To: Thad C <inclusivethinking@gmail.com>
CC: public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Message-ID: <A48C91EB13E45544B16FBC94C9298D8D3335CD67@S11MAILD013N2.sh11.lan>
Hi Thad

Some nice sources - and we hope that reliance on passwords will begin to disappear. However, all user authentication methods rely on one or more of the following:


-          Something you know;

-          Something you have;

-          Something you are.

Most of the things that are problematic from a cognitive accessibility viewpoint, and the focus of the proposed success criterion, fall into the first category. This has been the most relied on method because it only relies on human memory and requires no additional hardware or services. The aim of the success criterion was to say that there shouldn't be user authentication that relies on those aspects of human cognition that are weak for all and that tend to weaken or disappear for people with various forms of cognitive disability. Both the default user authentication method and the alternative could exploit different aspects of this space but it would not be possible to guarantee that all users would be able to use either the default or alternative method - but it should be possible to choose an alternative method that is fairly robust to most forms of cognitive disability.

The problem with "something you have" being the alternative method is that we can be certain that a significant number of people will not have what is required (a device or a subscription to a 3rd party service). A well-known problem with actual physical fobs etc. is that people sometimes forget them (even forgetting their phones) - and probably people with cognitive disabilities are likely to be worse in that respect.

What you are is largely biometrics. All the examples that appear in your and other sources require some additional hardware to help you to prove who you are e.g. a fingerprint reader, a camera that meets a minimum specification, etc. Some people will simply not have access to devices that have the necessary hardware and software and others may not have that available in some contexts (e.g. using a public computer).

Your second source listed "ubiquity" as an essential part of any user authentication technology. In my view basing the alternative (safety net) method of user authentication on something that we can be certain is far from ubiquitous means that it is not an effective alternative. There is really nothing in the "something you have" category that is ubiquitous. Because the ability to sense what you are via biometrics requires special hardware and software, this common version of the  "something you are" category is also not ubiquitous.

Best regards

Mike

From: Thad C [mailto:inclusivethinking@gmail.com]
Sent: 14 September 2016 15:21
To: Michael Pluke <Mike.Pluke@castle-consult.com>
Cc: public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Subject: Re: Argument to revert my "User authentication methods" success criteria to the pre-5th Sept COGA call version (with a small mod)


Good Morning,

I don't know if this information will hurt or help your conversations. I am very connected to user authentication on a day to day basis. Here are discussions people in the industry are having about the decline in the useage of passwords

https://medium.com/@ninjudd/lets-boycott-passwords-680d97eddb01#.pl7xr0ene

http://newatlas.com/three-alternatives-passwords/31695/

It is also common to use a FOB and a product sure a Google Authenticator.

Again not sure if this will help you but wanted to pass it along.

Thaddeus
During the 5th September COGA call Lisa, Steve Lee and myself considered my draft SC on "User authentication methods" (below) and discussed and agreed some changes. At the time I was persuaded, but on reflection I believe that, with the exception of the item mentioned at the very end of this (long) email, the changes we agreed wreck the SC and, in my opinion, make it unacceptable (probably even for AAA)!

Original SC (with rationalizations for each bullet in square brackets following the bullet):
TITLE: User authentication methods

At least one user authentication method is offered that does not rely on a user's ability to:
- memorize character strings or; [a frequently used mechanism i.e. usernames and passwords. - the ability to perform this is something that will diminish with even the mildest cognitive decline due to ageing]
- correctly identify and enter numbered characters from a character string or; [this was probably not well worded, but was aimed at the very common and complex method that says "enter the third, seventh and ninth characters of your passphrase" - such a task involves multiple cognitive skills - memory, recall from long-term memory, sequential counting, holding the result of each sub-task in short term memory, retrieving the multiple sub-task results from short term memory and accurately entering them into the system!!!]
- perform calculations or; [self-explanatory]
- speak or; [aimed at speech recognition based authentication that will fail if the user is unable to speak the required word in a consistent way - i.e. where the current state of their cognitive disability has a significant impact on the quality of their speech - or could result in an inability to speak]
- reliably produce gestures or; [this involves a mixture of cognitive and physical skills i.e. drawing a pattern (e.g. on a touchpad) that acts as the person's unique security pattern, memorizing what the pattern was, recalling what the pattern was with sufficient accuracy, accurately reproducing that pattern in a drawing gesture]
- recognise characters presented on screen and then enter them into an input field. [e.g .CAPTCHA - this involves, at least, a level of reading skill to correctly recognise the characters so that they can be entered].

Exception: A user identification method that relies on one of the above abilities can be the only method if that ability is essential to make effective use of the content accessed via the user authentication method.

Lisa's suggested that the bullets should be changed to (with critiques of each bullet in square brackets following the bullet):
-memorize information such as characters, words, numbers or gestures or; [In the chat we also added pictures. This bullet rules out all mechanisms that rely on ANY memorization]
-correctly identify information such as characters, words, numbers or gestures or; [this rules out all methods that expects the user to comprehend ANY type of content]
-correctly copy information such as characters, words, numbers or gestures or; [this rules out all methods involving copying ANY type of presented information (correctly)]
-reliably produce information from memory [this rules all methods that rely on memory recall of ANY type of information]
-perform calculations or complex cognitive function [this rules out all methods that expects the user to process information in ANY way (depending on the interpretation of "complex cognitive function" i.e. it rules out the use of executive functions including working memory]
-speak [as above]

Taken as a set, the above bullets manage to exclude pretty much every type of cognitive functioning e.g. no memorizing, no recall, no comprehension, no executive functions. In the call we agreed that the only methods that would meet the criteria were biometric methods or methods that permitted access from a trusted device (that would still require a device-level user authentication). Subsequently Steve Lee (who was on the call) suggested that single sign on solutions and social logins such as via Facebook.

The problem is that none of these can be the "at least one other method".

Biometrics fails at the first hurdle as it is widely accepted that there should always be a non-biometric alternative to biometric user authentication mechanisms (as biometric methods will not work for some users because they have a disability that prevents them from using the method e.g. no hands, damaged iris, etc.), because the user has not setup the biometric functions, or because the device does not support the relevant biometric method.

The other two methods (and biometrics) badly fail one of the key factors that SCs (at least those at levels A or AA) would be expected to conform to:

" whether it is possible to satisfy the Success Criterion for all Web sites and types of content that the Success Criteria would apply to (e.g., different topics, types of content, types of Web technology)"

It is not acceptable to have a trusted device as the "at least one other method" as even users that have a suitable device will sometimes need to authenticate from other devices. SSO and social logins would not be acceptable as being the "at least one other method" as whichever method was offered as this alternative method would not be usable by anyone except those that were using the correct SSO solution (i.e. offering Facebook would not work for me as I avoid it with a passion).

CONCLUSION
So I propose that I leave the SC with my original wording with the exception of the 2nd bullet. Here, the suggestion during the call of "processing presented or memorised information" instead of my poorly worded 2nd bullet works OK for me.

Best regards

Mike


________________________________
Received on Wednesday, 14 September 2016 16:38:14 UTC