Re: Next steps for accessible authentication from lisa.seeman on 2017-06-19 (w3c-wai-gl@w3.org from April to June 2017)

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Mon, 19 Jun 2017 20:29:52 +0300
To: Alastair Campbell <acampbell@nomensa.com>
Cc: "public-cognitive-a11y-tf@w3.org" <public-cognitive-a11y-tf@w3.org>, "WCAG" <w3c-wai-gl@w3.org>
Message-Id: <15cc1657362.c639cd9424117.3410498373788534226@zoho.com>

Hi Alistair

We are allowing multiple alternatives, such as:
two step authentication that has a link to press as an alternative to entering a code
two step authentication using devices that sends a tokens via bluetooth
Email resetting is an option for most places, including google if people have an alternative address
login in via something like facbook
conformance to the web authentification specification at https://www.w3.org/TR/webauthn/

For more ideas look at our issue paper at https://w3c.github.io/coga/issue-papers/privacy-security.html

All the best

Lisa Seeman

LinkedIn, Twitter

---- On Thu, 15 Jun 2017 19:43:30 +0300 Alastair Campbell&lt;acampbell@nomensa.com&gt; wrote ----

Hi Lisa,

Something I haven’t been able to work out, and will be needed by the web auth folks, is: What are the possible solutions?

Lets take an email provider as an example (e.g. Yahoo, Google).

If they cannot use (or rely) on passwords or copying numbers, what could they use for two factor authentication? I.e. both factors.

There needs to be two things, and we can’t rely on:
- Passwords (recall)
- Copying from a two-factor token app like Google Authenticator [1]
- SMS, as standards bodies are saying they are to easy to get around so not considered secure [2].
- Email resetting, because they are an email provider.
- Biometrics that a user doesn’t have, possibly due to disability, but more likely because there is no standard technology that people have.

I’m really struggling to see how a website can provide a secure login, at least in the next year or so until the protocols actually gain some traction (they don’t have to be W3C, but they do have to be reasonably available).

At the other end of the scale, what does a smaller website do? Password and have an easy email reset? Is there anything else?

Cheers,

-Alastair

1] https://en.wikipedia.org/wiki/Google_Authenticator
2] https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

From: "lisa.seeman" &lt;lisa.seeman@zoho.com&gt;

Next steps for accessible authentication

1. We need to set up a review with the web authentication folks and check they are comfortable we are ncreating security problems. Who should set that up? (Options: John, Me, Andrew or Josh as wcag chairs or Janina as APA...)

2. All the comments need to be addressed in github . see: https://github.com/w3c/wcag21/issues/23

also we need to check the survey: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results(although we can disagree with them and try and convince them)

3. We need an exception for when this is not possible with current legislative requirments

4. Possible exception for coping up to four characters ? DO we see a user problem with this?

All the best

Lisa Seeman

LinkedIn, Twitter

Received on Monday, 19 June 2017 17:30:26 UTC