Authentication questions

Thanks to Janina for revising the draft Authentication Questions in view of Task Force discussions. Please review the following prior to the meeting tomorrow. The agenda will be circulated shortly.


<begin draft>

Dear Colleagues:



We are researching accessibility impact of various authentication approaches on the web for the W3C/WAI Accessible Platform Architectures (APA) Working Group. We would appreciate your assistance in our effort specifically around the following questions:



We've attempted to pose our questions succinctly first, then to follow up with greater detail below.



Short Form Questions



1. Can you please help us identify and prioritize the authentication mechanisms which are currently attracting the greatest interest from the Web authentication community? This will help us prioritize our efforts.



2. Persons with disabilities are likely to behave differently while interfacing with an authentication environment. We'd like to understand whether this might adversely impact their ability to authenticate vis a vis users without disabilities.



3. Are captchas still considered useful? Or, is their use likely to fade?



4. Are there promising authentication approaches that do not require the user to retype strings of chars?



Explanatory Details



1. Question 1--requires no explanation.



2. For question 2, regarding behavioral analysis ...



Discussion of accessibility and authentication at the TPAC meeting last year focused on the notion of a risk analysis which a Web application can undertake to determine whether to accept or decline a user's authentication attempt. The risk analysis can take into account a variety of factors in arriving at a decision to grant or deny access to a resource. We are concerned, however, that there are factors, such as the timing of a user's keystrokes, that are likely to present differently by virtue of a person's having a disability or using an assistive technology (e.g., speech recognition) that synthesizes keyboard input. Which of the possible factors, if any, should we consider in determining the potential adverse consequences of a user's having a disability (including their need for assistive technology) on the accuracy of risk analyses?



3. Captcha



The APA Working Group is presently revising the W3C Working Group Note, first published in 2005, regarding accessibility issues raised by the use of CAPTCHA:

https://www.w3.org/TR/turingtest/



Given the ongoing evolution of authentication technologies on the Web today, is CAPTCHA in its various forms likely to continue to be widely deployed, or should we expect it will be supplanted by the use of secure authentication mechanisms and risk analysis algorithms? If so, on what likely timeline?



Furthermore, many of the cases in which CAPTCHA is used require the identity of the user to be disclosed (e.g., to create an account in a Web application). This being so, do there remain significant scenarios on the Web today in which there is a need for a genuine human interaction proof that does not also reveal the user's identity? This is a common privacy concern for many persons with disabilities who would prefer not to reveal that they are persons with disabilities.



4. Question 4--Removing the need to enter arcane text strings



The Accessibility Guidelines Working Group is considering a proposal for its formal Success Criteria related to the next revision of W3C/WAI's Web Content Accessibility Guidelines (WCAG) that would favor the use of authentication mechanisms which do not require the user to memorize or transcribe information.



The objective of the proposal is to overcome accessibility barriers encountered most particularly by users with learning or cognitive disabilities in completing authentication tasks. If widely implemented on the Web, this proposal would remove a frequently relied upon authentication factor - what the user knows - from the repertoire of factors that accessibility-supportive Web site and Web application authors can depend on in the authentication process. It would also likely complicate some multi-factor authentication schemes.



What are the security implications of this kind of proposal?  When might we expect authentication mechanisms that satisfy this requirement (i.e., which do not rely on the user's ability to accurately memorize or transcribe information) to be available and supported by Web standards?


<end draft>



Received on Tuesday, 15 August 2017 14:18:51 UTC