RE: For Review: Accessible Authentication SC

Hi Alastair and group

I've put together some information around the authentication requirements for payment services in the EU and UK. Note that these currently apply to financial services but are being rolled out to all e-commerce providers. This includes some examples of how the same authentication method could pass or fail the success criteria based on its implementation.

As there are some questions that I felt would be better to get feedback on from the COGA group before wider dissemination, I've done this as a Google Doc:

https://docs.google.com/document/d/19uiujyu4rGiCN8USD8XOYPfea3ps_EVW6JBwcWE_LvI/edit?usp=sharing 

Regards

Abi 

-----Original Message-----
From: Alastair Campbell <acampbell@nomensa.com> 
Sent: 23 June 2021 14:56
To: public-cognitive-a11y-tf@w3.org; Abi James <A.James@soton.ac.uk>
Subject: RE: For Review: Accessible Authentication SC

Hi everyone,

I've put in a proposed response for this issue:
https://github.com/w3c/wcag/issues/1890


There is a missing piece though, which is what an example of a "perception-processing limitation" would be. Any ideas for that?

Regarding Abi's concerns about security and financial services, I think that is very important to tackle. I know of several organisations ignoring Input Purpose due to security concerns.

For time-outs, I suggested in this response that security would come under the 'essential exception':
https://github.com/w3c/wcag/issues/1885#issuecomment-866381495


Abi, do you have any more information on the scenarios where organisations would struggle?
My bank app uses face-ID, which is fine. Logging in on the website still uses the "pick 3 letters from your passphrase" approach that has been in place since the 2000s.

If it allowed for a Yubikey (style thing), or used MS authenticator app, or their own app, that would be ok from an SC point of view. Do you know if there is a reason they cannot use an approach like that? Do you know anyone who might enter into discussion with us about these aspects?

Kind regards,

-Alastair


-----Original Message-----
From: Abi James <A.James@soton.ac.uk>
Sent: 16 June 2021 12:36
To: Steve Lee <stevelee@w3.org>
Cc: public-cognitive-a11y-tf@w3.org
Subject: Re: For Review: Accessible Authentication SC

Hi all

I wanted to raise from my day job in the financial services that there are a lot of concerns around this SC. Europe and the UK have laws specifying 2 levels of authentication which must be different types for certain digital financial tasks. We are working through aligning these but there is push back as it significantly reduces authentication options. There can also be requirements for time limitations on methods. It would be useful for the understanding document to include some of these examples. Without these, financial services and banks are likely to not implement this SC due to security and regulatory requirements.

I will try to join tomorrow’s call but it may be worth having a separate discussion as this is wider than COGA requirements.

Abi


> On 16 Jun 2021, at 12:20, Steve Lee <stevelee@w3.org> wrote:
>
> A quick question as I get ready for holiday:
>
> Is it a cognitive test to have to enter a password when you cannot see 
> the characters as you type them? I've been hearing from dyslexic 
> people that they want to see the letters they have entered.
>
> I'm not convinced there is always a strong security benefit to having 
> them obscured, at least not when alone at a device. Should a view 
> option always be available?
>
> I'll leave you all with that thought :)
>
> Steve
>
>> On 16/06/2021 11:43, Rochford, John wrote:
>> Hi Lisa, Rain, and All,
>>
>> Alastair has asked us to review our Accessible Authentication SC.
>>
>> See this GitHub repository specifically for our commentary 
>> <https://github.com/w3c/wcag/labels/COGA>.
>>
>> I plan to discuss this during Thursday’s call and get consensus about 
>> what we want to say.
>>
>> Reference: Accessible Authentication SC 
>> <https://w3c.github.io/wcag/guidelines/22/#accessible-authentication>.
>>
>> Has links to Understanding and How To Meet docs.
>>
>> Lisa and/or Rain: Would you please add this to the agenda? Thank you.
>>
>> John
>>
>> John Rochford
>>
>> University of Massachusetts Medical School
>>
>> Eunice Kennedy Shriver Center
>> Director, INDEX Program
>> Faculty, Family Medicine & Community Health
>>
>

Received on Saturday, 26 June 2021 15:59:09 UTC