
Re: Feedback on Success Criterion 2.2.6 Accessible Authentication

From: Janina Sajka <janina@rednote.net>
Date: Thu, 30 Nov 2017 16:41:28 -0500
To: "lisa.seeman" <lisa.seeman@zoho.com>
Cc: Alastair Campbell <acampbell@nomensa.com>, "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>, public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Message-ID: <20171130214128.GA31287@rednote.net>
I would like to note that copying a code sent via SMS is usually an
option, and not the ONLY way to receive the required code. In my case my
dual-factor configuration defaults to asking for a phone call where the code is read out twice by
the automated TTS. In my configuration SMS is a fallback.

Just noting for the record,

Janina



Lisa Seeman writes:
> Hi Folks
>
> I asked the coga task force about limiting the scope to single-factor authentication processes.
>
> It was unanimously rejected as, in everyone's experience on the call, copying the number from an SMS is harder than using passwords, and this would push websites towards less accessible authentication. Hence it does not benefit the user.
>
> Our proposal is to ask that we have the current wording and it is labeled at risk with a note that it may be moved to AAA.
>
> Lisa Seeman
>
> LinkedIn, Twitter
>
> ---- On Thu, 30 Nov 2017 11:14:35 +0200 Alastair Campbell <acampbell@nomensa.com> wrote ----
>
> Hi Lisa,
>
> If there is a practical way to have two-factor/step auth that doesn’t require typing in numbers/characters I’m all ears, but if there is not a reasonable way to do it, it doesn’t make sense to try and require it.
>
> I suggest that the best-practices doc (which I’d like to help with) recommends having long times between authentications. E.g. on LastPass I can tick a box for ‘remember me for 30 days’, so I don’t have to use the 2FA numbers for a month.
>
> Cheers,
>
> -Alastair
>
> From: "lisa.seeman"
>
> Hi Alastair
>
> I like the limitation to re-authentication. That makes sense to me.
>
> Limiting it to single step may be a compromise we have to make, but it is a problem.
>
> All the best
>
> Lisa Seeman
>
> LinkedIn, Twitter
>
> ---- On Wed, 29 Nov 2017 15:26:54 +0200 Alastair Campbell <acampbell@nomensa.com> wrote ----
>
> Hi Lisa,
>
> Sorry for the long email, skip to the end to see the resulting language. Details between here and there…
>
> > An email reset loop is ok.
>
> I’m not sure how a typical email reset-loop would be ok, the steps are usually:
>
> 1. Click on ‘forgotten password’.
> 2. Put in your email address.
> 3. Receive a link through email, select it.
> 4. Put in a new password, twice. Next.
> 5. On the login page, enter your username/email, and password to login.
>
> That means you have to remember/copy/transcribe the password from one page to the next.
>
> However, I’ll drop this one as there do appear to be common libraries/methods for doing direct-login from an email link. E.g.:
> https://www.drupal.org/project/email_auto_login
> https://wordpress.org/plugins/wp-email-login/
> https://stackoverflow.com/questions/37332190/django-login-with-email
>
> That helps in the single-factor case.
>
> > Another example of a cheap method is "login via Facebook".
>
> As you say, some won’t like (or cannot use) a 3rd party login, but it’s a useful extra.
>
> > Facebook itself is conformant as it allows you to login via your profile picture (you click on your picture instead of typing in a password.)
>
> That’s true once you’ve logged in with a username/password, but not if you have a fresh browser / different computer.
>
> Again: does the site have to comply all the time? They do not now, and possibly cannot.
>
> > A site can have two step authentication with copying a number from an SMS so long as they allow a reset or other conformant mechanism as well.
>
> How does a reset help? If you reset a password, you still have to put in the number from the 2FA whether it is SMS or app based.
> Do you mean turning off 2FA?
>
> > Note as the National Institute of Standards and Technology (NIST) in July 2016 warned against using the plain text-message-based two-factor
>
> Yep, I noted that before as well, we shouldn’t use SMS as a technique, not that it would be conformant anyway.
>
> > Some sites use an RC code generator.
>
> Random code? Do you mean a QR code generator?
>
> > That seems more secure than two step authentication, is completely compliant and can be done for free.
>
> I think you are confusing authentication with re-authentication. I.e. if you have already logged in (probably with a password), then you can re-authenticate with an easier / less secure method.
>
> Also, can you point to a service that provides this? (I’ve googled for RC and QR codes for login but can’t find anything useful.)
>
> > RC scans are used by plannerinclusion
>
> Great, but I can’t find plannerinclusion to see what you mean, is that the right spelling?
>
> What I’m trying to work out is if it is something available for free, or as a service, or you have to implement it yourself.
>
> > Also the FIDO key can be at the user's expense.
>
> Yep, I’ve read up on how it works. When it is better supported it would be a good mechanism for single-factor auth.
>
> However, it will only help in the single factor case, as (the link you provided to) MS’s FIDO implementation says:
>
> “The Web Authentication specification defines two authentication scenarios: passwordless and two factor. In the passwordless case, the user does not need to log into the web page using a user name or password – they can login solely using Windows Hello. In the two factor case, the user logs in normally using a username and password, but Windows Hello is used as a second factor check to make the overall authentication stronger.”
>
> I.e. when you have 2-factor on, there is not a password-less mechanism because FIDO/WebAuthn is the second factor.
>
> > Also Firefox seems to be quite advanced in their WebAuthn implementation… Do you know what the source is for saying it only works in Chrome?
>
> Yep, the usual source of browser support facts: https://caniuse.com/#search=fido
>
> I’m sure Firefox and Edge will, as Mozilla and Microsoft have editors on the spec. But then the question is when; it is not planned before version 60 of Firefox, ETA after WCAG 2.1.
>
> > If not can you think of an exception that would help?
>
> Yes, but not sure how much it helps overall, bolding additions/changes:
>
> --------------
> Essential steps of a single-factor re-authentication process which relies on recalling or transcribing information has one of the following:
>
> - alternative essential steps, which do not rely upon recalling or transcribing information.
> - an authentication-credentials reset process, which does not rely upon recalling or transcribing information.
>
> Except that the authentication process can rely on the user inputting basic personal information such as name, address, email address or national identification number.
>
> Unless there are legal requirements for a recall or transcribe method of authentication.
> --------------
>
> Not perfect, but do you see where I’m going with it?
>
> I was also trying to remove the hole where anything involving a name / email address was totally exempt.
>
> -Alastair
>

-- 

Janina Sajka, Phone: +1.443.300.2200
              sip:janina@asterisk.rednote.net
              Email: janina@rednote.net

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures: http://www.w3.org/wai/apa
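Alastair's reply above contrasts the password-reset loop, where the user must transcribe a new password between pages, with direct login from an emailed link. The block below is an added illustration of that second pattern, not code from the thread or from any of the linked plugins: a single-use, time-limited login link whose token hash (never the token itself) is stored server-side, so selecting the link is the only step. The base URL, the 15-minute lifetime and the in-memory store are assumptions standing in for a real deployment.

```python
# Added example (not from the thread): a minimal "direct login from an email
# link" flow. The user selects the link; nothing is copied or transcribed.
# The dict below is a constructed stand-in for a database table.
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60  # assumption: links expire after 15 minutes
_pending = {}               # sha256(token) -> {"email", "expires", "used"}


def issue_login_link(email, base_url="https://example.invalid/login", now=None):
    """Create a login link for `email`. Only the token's SHA-256 digest is
    stored, so a leaked copy of the store cannot be replayed as a live link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {"email": email, "expires": now + LINK_TTL_SECONDS, "used": False}
    return f"{base_url}?token={token}"


def redeem_login_link(token, now=None):
    """Return the authenticated email, or None if the token is unknown,
    expired, or already used. Marking it used on first redemption stops a
    forwarded or intercepted mail from logging in a second time."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.get(digest)
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True
    return record["email"]


def token_from_link(link):
    """Extract the token query parameter from a link produced above."""
    return parse_qs(urlparse(link).query)["token"][0]
```

Expiry and single use are the two checks that distinguish this from a bare "click to log in" link; both are exercised in the functions above, with `now` injectable so the behaviour can be tested without waiting.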
Received on Thursday, 30 November 2017 21:41:58 UTC
