- From: Janina Sajka <janina@rednote.net>
- Date: Wed, 6 Sep 2017 08:35:26 -0400
- To: public-webauthn@w3.org, public-rqtf@w3.org, W3C WAI Accessible Platform Architectures <public-apa@w3.org>
- Cc: jfontana@yubico.com, tonynad@microsoft.com, weiler@w3.org, Michael Cooper <cooper@w3.org>, "White, Jason J" <jjwhite@ets.org>, Judy Brewer <jbrewer@w3.org>
Dear Colleagues: We are researching the accessibility impact of various authentication approaches on the web for the W3C/WAI Accessible Platform Architectures (APA) Working Group. We would appreciate your assistance in our effort specifically around the following 4 questions: 1. Which authentication mechanisms are currently attracting the greatest interest from the Web authentication community? Which methods should we prioritize our efforts in +understanding? 2. Persons with disabilities are likely to behave differently while interfacing with an authentication environment. We'd like to understand whether this might adversely impact their ability to authenticate vis a vis users without disabilities. 3. Are captchas still considered useful? Or, is their use likely to fade? 4. What emerging authentication approaches exist that do not require the user to retype strings of characters? Explanatory Details 1. Question 1--requires no explanation. 2.) For question 2, regarding behavioral analysis ... Discussion of accessibility and authentication at the TPAC meeting last year focused on the notion of a risk analysis which a Web application can undertake to determine whether to accept or decline a user's authentication attempt. The risk analysis can take into account a variety of factors in arriving at a decision to grand or deny access to a resource. We are concerned, however, that there are factors, such as the timing of a user's keystrokes, that are likely to present differently by virtue of a person's having a disability or using an assistive technology (e.g., speech recognition) that synthesizes keyboard input. Which of the possible factors, if any, should we consider in determining the potential adverse consequences of a user's having a disability (including their need for assistive technology) on the accuracy of risk analyses? 3. Captcha The APA Working Group is presently revising the W3C Working Group Note, first published in 2005, regarding accessibility issues raised by the use of CAPTCHA: https://www.w3.org/TR/turingtest/ Given the ongoing evolution of authentication technologies on the Web today, is CAPTCHA in its various forms likely to continue to be widely deployed, or should we expect it will be supplanted by the use of secure authentication mechanisms and risk analysis algorithms? If so, on what likely timeline? Furthermore, many of the cases in which CAPTCHA is used require the identity of the user to be disclosed (e.g., to create an account in a Web application). This being so, do there remain significant scenarios on the Web today in which there is a need for a genuine human interaction proof that does not also reveal the user's identity? This is a common privacy concern for many persons with disabilities who would prefer not to reveal that they are persons with disabilities. 4. Question 4--Removing the need to enter arcane text strings The Accessibility Guidelines Working Group is considering a proposal for its formal Success Criteria related to the next revision of W3C/WAI's Web Content Accessibility Guidelines (WCAG) that would favor the use of authentication mehcanisms which do not require the user to memorize or transcribe information. The objective of the proposal is to overcome accessibility barriers encountered most particularly by users with learning or cognitive disabilities in completing authentication tasks. If widely implemented on the Web, this proposal would remove a frequently relied upon authentication factor - what the user knows - from the repertoire of factors that accessibility-supportive Web site and Web application authors can depend on in the authentication process. It would also likely complicate some multi-factor authentication schemes. What are the security implications of this kind of proposal? When might we expect authentication mechanisms that satisfy this requirement (i.e., which do not rely on the user's ability to accurately memorize or transcribe information) to be available and supported by Web standards? Janina Sajka, APA Chair Dr. Jason White, APA Research Questions Task Force (RQTF) Facilitator -- Janina Sajka, Phone: +1.443.300.2200 sip:janina@asterisk.rednote.net Email: janina@rednote.net Linux Foundation Fellow Executive Chair, Accessibility Workgroup: http://a11y.org The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI) Chair, Accessible Platform Architectures http://www.w3.org/wai/apa
Received on Wednesday, 6 September 2017 12:36:17 UTC