Hi Folks
We are trying to create guidance for authentication that works for people with disabilities, including cognitive disabilities, who cannot remember passwords or reliably copy information.
The current proposed wording is:
Essential steps of an authentication process, which rely upon recalling or copying information, have alternative essential steps, or an authentication-credentials reset process, which do not rely upon recalling and copying information.
There is an exception for:
cases where this would go against any legislative requirements
basic identifying information that the user has easy access to, such as: name, address, email address and identification or social security number can be required.
We also allow for alternative methods if one method cannot be used by all.
See: https://github.com/w3c/wcag21/issues/23 . We also have an issue paper that discusses it at https://w3c.github.io/coga/issue-papers/privacy-security.html
Our question is: are there any security reasons that would make this unreasonable from a security perspective? If there are, could we set up a call (preferably this week) to discuss it?
Josh, Andrew, did I leave anything out?
All the best
Lisa Seeman
Also we need to check the survey: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results (although we can disagree with them and try and convince them)
3. We need an exception for when this is not possible with current legislative requirements
4. Possible exception for copying up to four characters? Do we see a user problem with this?
All the best
Lisa Seeman
--
Joshue O Connor
Director | InterAccess.ie