RE: Next steps for accessible authentication

From: John Foliot
Sent: Monday, June 19, 2017 3:40 PM

When I read what you just wrote, it appears to indicate that you believe there is a trade-off possible here between accessibility and security - that there is a balance question here that needs to be addressed at scale.

There isn't such a balance, and I strongly suspect that at some level there never will be, certainly not for high-security situations such as banking and medical services (to name two critical / high-security situations). The closer we get to "ease of implementation", the easier it becomes to spoof or automate (hack) the required authentication task, which then weakens the security, not only for the individual user, but perhaps of an entire system - which no high-security application will accept at any cost.
[Jason] I think John’s point is in line with what I wrote on the survey: the security implications not only affect the users individually (including people who may be especially vulnerable to the effects of security compromises), but also the integrity of larger systems – the Web server, its network, and other networks.
It’s clear that the alternatives which Lisa mentioned are concentrated mostly toward the lower security end of the scale, leaving very little available at the high security end until there is a widely available Web Authentication specification in place, and hardware available to users which is both accessible and supportive of the standard.
Now that may not be a problem, depending on the projected time-line of WCAG 2.1 implementation. In practical terms, we would need the solutions to be available in order to demonstrate interoperable WCAG 2.1 implementations at the Candidate Recommendation stage.
I also think Gregg Vanderheiden is raising the right questions about the cognitive benefits of the proposal.




Received on Monday, 19 June 2017 19:48:23 UTC