RE: Accessible authentication and we need a fundamental change

From: John Foliot []
Sent: Wednesday, February 1, 2017 12:28 PM

With regard to accessible authentication, there is emergent work within the W3C on that topic today (Verifiable Claims and Web payments in general), although, similar to our Working Group, the Verifiable Claims folks encountered some push-back while attempting to get their work into a Working Group (and out of a Community Group).
[Jason] In addition, the Research Questions Task Force of the APA Working Group is investigating requirements and prior research related to accessible authentication. Whatever insights and conclusions emerge can certainly be shared with this working group.
All widely deployed user agents today support password management features that can automatically enter user names and passwords into text and password fields. For this to be secure, of course, the user agent needs to authenticate the identity of the user. This might take place at the operating system level or might involve an authentication step provided by the UA.
If the UA provides an appropriate means of authentication (one that is accessible to the specific user), then traditional user name and password authentication mechanisms can be handled by the password manager. The only problem that remains is that of initially entering a user name and password, which could still raise accessibility concerns. (Indeed, it often already does so if a CAPTCHA is used.)
Thus, I think a backward-compatible solution which shifts the accessibility problem to the user agent is achievable. Of course, the proposals to introduce APIs for creating and using authentication information offer a much better solution, where, again, the UA rather than the content author provides the user interface.


This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.

Thank you for your compliance.


Received on Wednesday, 1 February 2017 17:53:59 UTC