W3C home > Mailing lists > Public > public-cognitive-a11y-tf@w3.org > December 2017

RE: Feedback on Success Criterion 2.2.6 Accessible Authentication

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Fri, 01 Dec 2017 09:48:12 +0200
To: Alastair Campbell <acampbell@nomensa.com>
Cc: "Janina Sajka" <janina@rednote.net>, "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>, "public-cognitive-a11y-tf" <public-cognitive-a11y-tf@w3.org>
Message-Id: <160110a3c19.b3ded1c932775.1084522501966843545@zoho.com>
Hi Alastair

Password managers are a real help but haven't yet solved it. Writing down a paper your one password is very risky. People do it, but it means a care giver , plummer , delivery person can access it, or , depending on where people keep the paper, anyone can access it if they call you on skypy or can access your webcam.  
Also things often go wrong at this point such as you upgrade your browser and your password manager doesn't work,  or the site updates it's interface. It is also hard for our usergroups to know which password managers are trustworthy. 
However if we have solutions that solve all these problems, then supporting these user agents  can become techniques, and this SC becomes really easy to conform to. Maybe a possible technique would be  that a site that recommends a few password managers, some of which support a compliant  logging  alternative such as biometrics or usb,  that can be used across devices,  and  the site guarantees changes of interface will remain compatible. We would have to look into it more, but something along though line.


I have no problem with coming out with techniques that make it easier.

All the best

Lisa Seeman

LinkedIn, Twitter





---- On Fri, 01 Dec 2017 01:52:23 +0200 Alastair Campbell&lt;acampbell@nomensa.com&gt; wrote ---- 

Janina wrote: 
&gt; I would like to note that copying a code sent via SMS is usually an option... where the code is read out twice by the automated 
 
Steve wrote: 
&gt; but just so you are aware, there have been devices out there doing this without transcription for some time, 
&gt; e.g. https://www.yubico.com/... 
 
No one is disputing there are many 2nd factor options (which can be 1st factor re-authentication), but as I outlined before [1] they are either: 
 
- Expensive to implement (as a website owner you have to buy into a service, or implement the backend for it) 
- Reliant on WebAuth, which is a good solution, but chrome-only at the moment. 
 
John wrote: 
&gt; some of these tools also assist and manage the storing of passwords ... the point being that we cannot and should not put all of the heavy lifting on the content developers, as content alone cannot solve all problems. 
 
This is a good point, I'm not sure why that hasn't factored in to the discussion more. I use a password manager, so I only need to remember 1 password (which could be written down on paper), and I only need to use it about every 30 days. It is easier and more secure than any alternative I have come across for day to day authentication on the web. 
 
 Kind regards, 
 
-Alastair 
 
1] https://lists.w3.org/Archives/Public/w3c-wai-gl/2017OctDec/0722.html 
 
 
Received on Friday, 1 December 2017 07:48:45 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:00 UTC