Re: SC #23, please vote

Hi John,

I am somewhat unclear what you are proposing here. I support splitting out
a potential new SC that addressed issues around CAPTCHA (+1 for that),
however I am troubled by the second clause "Add specs from Web
Authentication: An API for accessing Scoped Credentials."

What does this mean?

As I review that W3C Specification (W3C Status unclear, as it "lives" in
TR, but is marked "Working Draft") it is very much about a User Agent
requirement:

*This specification defines criteria for a Conforming User Agent
<https://www.w3.org/TR/webauthn/#conforming-user-agent>**: A User Agent
MUST behave as described in this specification in order to be considered
conformant*. - https://www.w3.org/TR/webauthn/#conformance

What, specifically, is the Content author supposed to do to successfully
meet a WCAG SC around this? As a site developer, I cannot "mandate" that a
user MUST use "Browser X"
​ or "User-Agent Y"​
. Additionally, some of the scenarios outlined in that spec appear
troubling to me from the perspective of other disability user-groups. For
example:

1.1.2. AuthenticationOn a laptop or desktop:


   - User navigates to example.com in a browser, sees an option to "Sign in
   with your phone."
   - User chooses this option and gets a message from the browser, "Please
   complete this action on your phone."

Next, on their phone:


   - User sees a discrete prompt or notification, "Sign in to example.com."
   - User selects this prompt / notification.
   - User is shown a list of their example.com identities, e.g., "Sign in
   as Alice / Sign in as Bob."
   - User picks an identity, is prompted for an authorization gesture
   <https://www.w3.org/TR/webauthn/#authorization-gesture> (PIN, biometric,
   etc.) and provides this.

Now, back on the laptop:


   - Web page shows that the selected user is signed-in, and navigates to
   the signed-in page.
   ​​


​Wow.​ I can envision this being difficult for users not only with
cognitive issues (switching back and forth between devices), but also for
those with mobility issues (who may not be able to actually interact with
"a phone"). Now I recognize that this is but one scenario, however it also
seems to introduce as many issues as it purports to resolve. Am I missing
something?

Finally, since this *IS* a browser API, is that not out-of-scope for WCAG,
which is supposed to be about "content" and not user-agent requirements?
Hopefully you can expand on this to help me better understand.

Thanks in advance.

JF


<https://www.w3.org/TR/webauthn/#usecase-authentication>

On Mon, Feb 6, 2017 at 10:03 AM, Rochford, John <john.rochford@umassmed.edu>
wrote:

> Hi All,
>
>
>
> Please vote +1 or -1 to incorporate, into the next version of the Accessible
> Authentication SC # 23 <https://github.com/w3c/wcag21/issues/23>, the
> following constructive criticism.
>
>
>
>    1. Split CAPTCHA and related references to a separate SC.
>    2. Add specs from Web Authentication: An API for accessing Scoped
>    Credentials <https://www.w3.org/TR/webauthn/>.
>
>
>
> Thank you.
>
>
>
> John
>
>
>
> John Rochford <http://bit.ly/profile-rj>
> UMass Medical School/E.K. Shriver Center
> Director, INDEX Program
> Instructor, Family Medicine & Community Health
> www.DisabilityInfo.org
> Twitter: @ClearHelper <https://twitter.com/clearhelper>
>
>
>
> *Confidentiality Notice:*
>
> *This e-mail message, including any attachments, is for the sole use of
> the intended recipient(s) and may contain confidential, proprietary, and
> privileged information. Any unauthorized review, use, disclosure, or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender immediately and destroy or permanently delete all copies
> of the original message.*
>
>
>



-- 
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion