Re: Feedback on Success Criterion 2.2.6 Accessible Authentication

Hmmm, speaking again from my personal experience with receiving Google's
6 digit passcodes by telephone call ...

I find that:

1.) After entering my password, I already know from experience my
browser has moved me to the "Enter the Passcode" field. I don't do any
on screen review. Instead, I park my fingers on the number row, because
I know I'm expecting a code that's all digits.

2.) When I answer the incoming call, which invariably comes within
seconds after I've submitted my password, the readout on the phone is
slow enough that I have no problem typing the code as I hear it on the
phone, i.e. I don't need to remember anything.

Just my experience.

Janina

Milliken, Neil writes:
> Hi whilst I fully support security
> holding number sequences in working memory can be problematic. I know Mike Gower wants to know what a maximum acceptable number would be but I honestly cannot say as depending on how stressed and distracted I am I might be able to manage 2, 4 or 6 without making a mess of it.
> 
> Many people with acquired brain injuries are likely to struggle too.
> 
> This is why I sold my soul to touchID using biometrics as the 2nd factor has made my life inordinately easier.
> 
> Failing that, being able to copy and paste the number from the message is preferable to trying to remember it.
> 
> Neil Milliken BA Oxon, MBA Open, FRSA, Atos Distinguished Expert
> Head of Accessibility & Digital Inclusion
> Atos
> T: +442036180957<tel:+442036180957>
> M: 07812325386<tel:07812325386>
> E: Neil.Milliken@atos.net<mailto:Neil.Milliken@atos.net>
> www: http://atos.net/iux
> Twitter:@neilmilliken<https://twitter.com/neilmilliken>
> Assistant Monika Tomczak
> E: Monika.Tomczak@atos.net<mailto:Monika.Tomczak@atos.net>
> M: +48517727304<tel:+48517727304>
> 
> 
> On 30 Nov 2017, at 19:03, lisa.seeman <lisa.seeman@zoho.com<mailto:lisa.seeman@zoho.com>> wrote:
> 
> Hi Alister
> 
> Passwords are not conformant. They are a huge problem
> 
> However, the task force felt that copying text from the phone is often a bigger problem
> 
> 
> So solving one problem by pushing the industry towards a problem that is sometimes worse, does not seem worth the effort.
> 
> 
> All the best
> 
> Lisa Seeman
> 
> LinkedIn<http://il.linkedin.com/in/lisaseeman/>, Twitter<https://twitter.com/SeemanLisa>
> 
> 
> 
> 
> ---- On Thu, 30 Nov 2017 19:38:37 +0200 Alastair Campbell<acampbell@nomensa.com<mailto:acampbell@nomensa.com>> wrote ----
> Hi Lisa,
> 
> I don’t think we’re understanding each other, where you said:
> 
> > Multi step authentication can work with a token, Bluetooth or QR code, or you just have an alternative that you allow that conforms for people who can not use it.
> 
> Those are typical 2nd factors, but what is the first factor?
> 
> Going back to my previous email, the options (techniques) we have for the 2-factor scenario are:
> 
> -----------
> 2. A site that does username/password plus a second factor, such as an app that generates a 6 digit number every 30 seconds (like Google Auth).
> 
>   *   After having created a username/password, allow a ‘magic link’ email login, AND have a 2FA style login where you authenticate on a separate mobile app, or custom USB token generator.
> (Note that slack and I think Linkedin provide 2FA with a number-generator you have to copy across.)
> 
>   *   ???
> -----------
> 
> So the ‘magic link’ technique would be the first factor, and then WebAuth would be the only (feasible web) option for second factor, and that is currently Chrome-only.
> 
> 
> > The concern of the task force is that scoping out two step authentication will push sites away from using passwords towards non conformant types of multi step authentication which
> 
> Ok, now I’m confused, are passwords conformant? I thought that was the primary problem!
> 
> 
> > We require an alternative for visual capture to accommodate the blind
> 
> Yes, if someone implements a captcha they have to create an (audio) alternative, these are of the same scale of effort. We don’t ask them to setup a call-centre.
> 
> -Alastair
> 

-- 

Janina Sajka, Phone: +1.443.300.2200
   sip:janina@asterisk.rednote.net
  Email: janina@rednote.net

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures http://www.w3.org/wai/apa

Received on Thursday, 30 November 2017 21:47:41 UTC