
Re: [webauthn] Request for an Accessibility Considerations section to API for Accessing Public key credentials CR (#1557)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Thu, 04 Feb 2021 01:23:57 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-772953693-1612401836-sysbot+gh@w3.org>
Regarding point #1 in https://github.com/w3c/webauthn/issues/1557#issue-799706654: the user verification modalities that may be employed during registration or authentication ceremonies are a product of (a) the capabilities of the authenticator, and (b) whether the Relying Party "prefers" or "requires" user verification during the operation.  The relying party (i.e., web site) can require user verification to occur during registration or authentication ceremonies, but cannot directly select the user verification method employed.  E.g., if the authenticator supports both fingerprint and PIN, either may be used, and all that is typically reported to the relying party is that user verification occurred (in the successful case).

Thus your expressed requirement perhaps (?) can be re-expressed as:
> Users ought to have available to them on their device+authenticator(s), more than one user verification means (e.g., a PIN as well as some form of biometric sensor(s)) in those cases where their device+authenticator(s) support user verification.

Also note that WebAuthn can be used as a "second factor", i.e., typically in combination with username+password, and in those cases the user is not "verified", though a "user presence test" is employed (often asking the user to tap something (on screen, a physical button on their device or authenticator, etc.)).  Depending on the device+authenticator(s) in play and the manifestation of the "user presence test", and the particular user's situation, there may or may not be accessibility concerns.

However, we are unsure whether such guidance is appropriate for the WebAuthn spec itself to provide.  Are there examples of other Web Platform API specs that tread into such hardware/platform-specific territory?

Regarding point #2, I am finding the intent/purpose of "entering freeform text instructions" unclear?

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1557#issuecomment-772953693 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 4 February 2021 01:24:00 UTC
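
An added example, not part of the original message or of the WebAuthn project's code: a relying-party check of the authenticator data flags, showing that the server learns only whether user presence (UP) and user verification (UV) occurred, not which method was used. The function names, the policy function and the sample bytes are assumptions constructed for illustration; rpIdHash and signature validation are out of scope here.

```javascript
// Flag bits in the authenticator data flags byte (WebAuthn spec).
const FLAG_UP = 0x01; // bit 0: user presence test passed
const FLAG_UV = 0x04; // bit 2: user verification performed

// Layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData shorter than 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical RP policy check. `requirement` mirrors the userVerification
// value the RP sent with the request: "required", "preferred" or "discouraged".
function checkUserVerification(authData, requirement) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag not set" };
  }
  if (requirement === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  // Nothing in the flags says whether a PIN or a biometric was used.
  return { ok: true, userVerified: parsed.userVerified };
}

// Constructed sample data: the rpIdHash is 32 zero bytes, not a real hash.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const secondFactor = sampleAuthData(FLAG_UP, 7);       // presence test only
const verified = sampleAuthData(FLAG_UP | FLAG_UV, 8); // presence + verification
console.log(checkUserVerification(secondFactor, "preferred"));
console.log(checkUserVerification(secondFactor, "required"));
console.log(checkUserVerification(verified, "required"));
```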
