W3C home > Mailing lists > Public > w3c-wai-gl@w3.org > October to December 2017

Re: Mikes request that we identify an upper limit on the number of digits

From: lisa.seeman <lisa.seeman@zoho.com>
Date: Tue, 28 Nov 2017 20:45:32 +0200
To: Alastair Campbell <acampbell@nomensa.com>
Cc: "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
Message-Id: <16003f0f55e.adb3e6ee109420.4702210235002684452@zoho.com>
Hi Alistair

Web authentication specification standardizes how to offer alternatives, but you can offer alternative logins without using the specification.

For example, https://ecas.ec.europa.eu/cas/login?loginRequestId allows you to choose between a using a long password , their app with a pin, their app with a QR code (conferment alternative) mobile phone with sms, mobile phone with token (conferment alternative) , token (conferment alternative)

My email provider lets you log in with alternative mechanisms as well.

All the best

Lisa Seeman

LinkedIn, Twitter

---- On Tue, 28 Nov 2017 20:00:00 +0200 Alastair Campbell&lt;acampbell@nomensa.com&gt; wrote ---- 

      Hi Lisa,
 &gt; LS: there are lots of ways to do this securely. such as…
 I covered this in the email yesterday, but there are two types of implementations we are confusing:
  Hardware / apps that supply the secure token / biometrics
Browser support that connects to those secure devices.
 WebAuth is the right standard to refer to, but the current browser support is Chrome-only, and that is desktop-only as the U2F devices generally use USB.
 Is there another way that I’m missing? Otherwise I can’t see how we could get 2 implementations (which is probably why WebAuth is still in draft).
 &gt; there are thousands of conforming sites. examples of conforming sites That I use only yesterday include:  the w3c and the EU site for research funding which allows multiple log in methods
 I’m confused about that as I was given a password for W3C which I have to type in every time. (Well, I use lastpass, but we seem to be ignoring auto-filling password tools).
 I assume those are sites which let you reset email, for which my question was: Is the intent that the email reset logs you in automatically? 
 A typical implementation would have you copy the new password into a username/password form to login, which I wouldn’t have thought conforms?
 &gt; Any level of security can be reached. including use of tokens and dongles , smartcards etc.
 But we haven’t shown that for *web content*, I don’t think “use desktop chrome” is a good answer here.
 Also, how do you get past the username/password bit? You can set the second factor to remember your device for a set time (usually 30 days), but at some point you would still have to login with a password and with the 2nd factor, otherwise there is no security
 Then the last (more complex) level, how do you conform if you are the email-provider? If you can’t provide an email-loop, and you use 2FA, I can’t see how that would work in theory, let alone practice.
 If this is getting a security review, can we make sure that is considered? Otherwise it is very hypothetical.
Received on Tuesday, 28 November 2017 18:46:10 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 21:08:18 UTC