Accessible authentication - scope and content of research questions

Dear colleagues,

As documented in the Work Plan of the Research Questions Task Force, one of our first tasks is to examine issues arising from the need for accessible means of user authentication on the Web. https://www.w3.org/WAI/APA/task-forces/research-questions/wiki/Work_Plan
This issue has arisen from review by the Accessible Platform Architectures Working Group of a draft of Web Authentication: an API for accessing Scoped Credentials - https://www.w3.org/TR/webauthn/
According to my reading of the specification, the proposed API supports whatever means of authentication is offered by a conforming user agent. The authenticating device (e.g., a computer with a Trusted Platform Module, an authentication token, etc.) then identifies itself in a signed attestation which is delivered to the server. Consequently, the details of how the authentication operation is performed - in particular, its user interface - lie outside the scope of the Web Authentication specification.
Nevertheless, the APA Working Group may wish to offer informative guidance regarding the user requirements applicable to authentication mechanisms. It may also be necessary to include such guidance in future W3C/WAI Accessibility Guidelines or elsewhere.
What combinations of authentication techniques, for example, are appropriate to accommodating a wide range of human capabilities? These may include multi-factor authentication strategies, biometrics and other mechanisms besides the conventional use of passwords. In essence, what are the user requirements here, and what approaches to authentication are sufficient to satisfy them? What research has been undertaken in this area?
Comments on the substance of these questions as well as the scope of the issues to be considered are most welcome.



Received on Monday, 17 October 2016 15:23:49 UTC