- From: Al Gilman <Alfred.S.Gilman@IEEE.org>
- Date: Wed, 6 Feb 2008 13:03:16 -0500
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: public-usable-authentication@w3.org, wai-liaison@w3.org

On 25 Jan 2008, at 9:05 AM, Mary Ellen Zurko wrote:

> Hi Al,
>
> We've got another issue in wsc-xit that we could use some WAI help
> with.
> http://www.w3.org/2006/WSC/track/issues/125
>
> We're addressing some issues around "shoulder surfing" in one of
> our recommendations.
> http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
>
> Right now, it's totally phrased in terms of visuals. We need to
> know what the current functionality in screen readers and other
> assistive technology is when it deals with passwords or other
> strings that are generally masked on input. Can someone give us a
> quick tutorial or some pointers? Thanks for your time and help.

Hi, MEZ:

My colleagues have given me a quick refresher.

http://lists.w3.org/Archives/Member/w3c-wai-pf/2008JanMar/thread.html#msg81

A summary of the feedback so far is that:

(a) the behavior recommended by the blind community is that the characters / keystrokes of password entry are not echoed in the screen reader audio just as they are not echoed on the screen.

(b) by now, this recommended behavior is by and large the actual user experience, when dealing with Operating System widgets or Web forms through a screen reader.

Earlier, the keystrokes were echoed from the keyboard interface without regard for the security significance of the field being entered. But the users complained, because a blind user can even less tell who is listening than the sighted user will notice who is watching.

caveat:

This does not address the barriers to use by people with dyslexia and cognitive disabilities that are raised by username:password as the authorization dialog. Working around that barrier may involve substituting authentication mechanisms at a higher level than just non-echo of the password field in a username:password pair.

This does not necessarily involve introducing any new access control techniques into practice, but rather opening up web applications to higher-security options that are more forgiving of human conditions where the standard technique raises barriers. Examples could be password-generating devices for the dyslexic and biometric authentication for the severely learning disabled.

Al

> Mez

Received on Wednesday, 6 February 2008 18:03:55 UTC