Re: Feedback on Success Criterion 2.2.6 Accessible Authentication

Hi Alister

Passwords are not conformant. They are a huge problem


However , the task force felt that coping text from the phone is often a bigger problem




So solving one problem by pushing the industry towards a problem that is sometimes worse, does not not seem worth the effort.


All the best

Lisa Seeman

LinkedIn, Twitter





---- On Thu, 30 Nov 2017 19:38:37 +0200 Alastair Campbell<acampbell@nomensa.com> wrote ---- 

      HI Lisa,
  
 I don’t think we’re understanding each other, where you said:
  
 > Multi step authentication can work with a token, Bluetooth  or RQ code, or you just have an alternative that you allow that conforms for people who can not use it. 
   
 Those are typical 2nd factors, but what is the first factor?
  
 Going back to my previous email, the options (techniques) we have for the 2-factor scenario are:
  
 -----------
 2. A site that does username/password plus a second factor, such as an app that generates a 6 digit number every 30 seconds (like Google Auth).
  After having created a username/password, allow a ‘magic link’ email login, AND have a 2FA style login where you authenticate on a separate mobile app, or custom USB token generator. 
 (Note that slack and I think Linkedin provide 2FA with a number-generator you have to copy across.)
 
 
???
 -----------
 
     
 So the ‘magic link’ technique would be the first factor, and then WebAuth would be the only (feasible web) option for second factor, and that is currently Chrome-only.
  
  
 > The concern of the task force is that scoping out two step authentication will push sites away from using passwords towards non conformant types of multi step authentication which
  
 Ok, now I’m confused, are passwords conformant? I thought that was the primary problem!
  
  
 > We require an alternative for visual capture to accommodate the blind
  
 Yes, if someone implements a captcha they have to create an (audio) alternative, these are of the same scale of effort. We don’t ask them to setup a call-centre. 
  
 -Alastair
 
 
 
 
 

Received on Thursday, 30 November 2017 19:02:35 UTC