draft response for comments accessible authentifiaction

Hi Folks,
I took an action item yesterday to draft a response on the comments. 
Note one of the comments want it stricter, but I am ignoring that for now. There was also a request to remove "accessible" from the label name. 

Here is my proposed draft for the other comments.

Thank you for your feedback
We are committed to providing techniques  as to how to conform to this success criteria  including techniques which are offer the appropriate  level of security for medical and financial data.  They will be supplied before the specification becomes finalized. Current techniques drafts include  multi step authentication with Bluetooth such as https://saaspass.com/about/bluetooth-ble-two-factor-authentication.html, and  conforming to Web Authentication: An API for accessing Public Key Credentialwith biometics, tokens or token CRM being allowed options. 

We will also provide a few example sites such as:
The EU site for research funding (ECAS) which allows multiple log in methods, all of which have high level of security and one of which does not require copying or memory.
The w3c site which allows you to set a new password each time you use it.

Also note that there is an exception if this is not achievable due to legal requirements. 

We will also have an understanding section. (For now you can take a look at out draft at https://docs.google.com/document/d/13hmoaVU563kTio1EZD5mbNxcc0k924qVdZZwWckcbu0/edit#)

The reason this SC is a single A level is because it addresses a  block to the content which completely prevents the user from independently using the web site. This issues are discussed in our issue paper on security and more of the underlining research is available in our research module.

All the best

Lisa Seeman

LinkedIn, Twitter

 there are lots of ways to do this securely. such as a securty app with rc code (used by the EU commission) two step authentication with Bluetooth such as https://saaspass.com/about/bluetooth-ble-two-factor-authentication.html,
conforming to Web Authentication: An API for accessing Public Key Credentials, with biometics or a token or token CRM being allowed options. 

* There is a lack of maturity of methods available, and lack of implementation support
LS: there are thousands of conforming sites. examples of conforming sites That I use only yesterday include:  the w3c and the EU site for research funding which allows multiple log in methods, all of which have high level of security (and a dating site that I would rather not disclose ...). ANyway...Please let me know how many sites examples you need to put your mind at rest on this and we will find them for you.

* It is a requirement for security departments and they don't tend to have a lot of flexibility when it comes to accommodations that interfere with security.
ANy level of security can be reached. including use of tokens and dongles , smartcards etc. 

* There is not a lot of evidence of threshold levels of characters to copy, which would be acceptable to people with disabilities.
LS: we had no intention of setting a threshold levels. this is Mikes Gowers proposal, but yes, we do not have a number we are happy with for his proposal. however our working assumption is this will always exclude people so why go in this direction? My experience of disabilities such as dementia is that trouble will start at 2 or 3 digits, for people who can still use sites like youtube or netflixs so researching this proposal doesnt really appeal to me unless there is a strong consensus to go here. 

* Practically speaking, if a user cannot copy a 5 digit code, would they be able to use a mainstream website, such as a news site etc...
LS: Well I often mess up 5 digit codes and I can use sites . Other task force members report similar effect

LS: the issue with copping discussed in https://www.w3.org/TR/coga-user-research/in different user groups.  We will also give the issue paper on https://w3c.github.io/coga/issue-papers/privacy-security.html 

David MacDonald
CanAdapt Solutions Inc..
Tel:  613.235.4902

  Adapting the web to all users
            Including those with disabilities

If you are not the intended recipient, please review our privacy policy

On Tue, Nov 28, 2017 at 5:02 AM, Alastair Campbell <acampbell@nomensa.com> wrote:
   Hi Lisa,
 In this case I think showing the feasibility is more important. Mike might disagree, but it would certainly make the requirements easier to sell if there were one or two simple solutions.
 I think there are 3 main scenarios that cover a good range of situations for web content. It has been difficult to work out what should/would work as those questions generate a lot of possibilities, and then we go in circles about what works or doesn’t. I know the SC is asking for ‘alternatives’ to the standard, but there still have to be ways to implement these alternatives, and that is not clear yet.
 If we can show a reasonable method of implementation for these 3, it will go a long way to putting people at ease. 
 Here’s what I’ve worked out so far, the main questions start with an asterisk (*):
  A site that currently does a simple username/password.
 My understanding is that an email-reset works for this scenario. Ideally it would auto-log you in from the link in the email, but at a minimum you set a new password (even if you never intend to save it) and can login. 
 * Is the intent that the email reset logs you in automatically? A typical implementation would have you copy the new password into a username/password form to login.
  A site that does username/password plus a second factor, such as an app that generates a 6 digit number every 30 seconds (like  Google Auth).
 I assume that transferring 6 digits across from a phone app to your computer with a time-limit is a big problem, but is there a feasible alternative? (You can put SMS methods in this category as well, although  they are considered less secure.)
 For hardware / biometrics, the only standards based way to enable that on a website (that I know of) is the  Web Authentication JavaScript API to a “Universal Second Factor” (based on  FIDO I think). We shouldn’t worry about the hardware side as there are many possibilities, but we do need to worry about whether they work with browsers.
 The current browser support is Chrome-only, and that is desktop-only as the U2F devices generally use USB.
 * Is there another way that I’m missing? Otherwise I can’t see how we could get 2 implementations (which is probably why WebAuth is still in draft).
 Also, how do you get past the username/password bit? You can set the second factor to remember your device for a set time (usually 30 days), but at some point you would still have to login with a password and with the 2nd factor, otherwise there is no security.
  A site like scenario 2 (username/password + 2FA), but provides your email so you can’t use a email-reset loop.
 E.g. if you are logging into Gmail / Outlook (web), this is another level of complexity on scenario 2.
 So it has all the issues from scenario 2, but with the added complication that you cannot rely on an email-reset loop.
 * I can’t see any solution to this one, so perhaps that would need an exception?
 I think answering the scenarios here would cover these comments on github: 354, 440, 441, 473, 503, 542, 553.
 If we can work it out, I’ll put in the responses.
 However, it appears to me that the implementations (in the browsers) are not ready yet, and it should be delayed until that changes.
 Kind regards,


Received on Tuesday, 28 November 2017 17:31:51 UTC