Re: Mikes request that we identify an upper limit on the number of digits

This seems to be going in circles and I'm not sure why.

To be clear - and restate again - IBM is *not* trying to set an upper limit
for any 2FA processes that rely on copying or transcribing.  In fact, IBM
comment #442 <https://github.com/w3c/wcag21/issues/442>, the assumed driver
behind this discussion, does the exact opposite.  We noticed that material
referenced for this SC "showed that *all test subjects were able to
complete 5-digit transcription* -- and *five digits was not established as
a ceiling*."

Given that, we are asking *if* there is any demonstrable evidence /
research that can be pointed to that shows "whether *any* amount of
transcription is considered an impediment to users with cognitive
disabilities such that it warrants exclusion of transcription as an
accepted technique."

If so, it is that evidence / research that should be driving this SC and
guidance.

The public, industry, and enterprise will ask for this same information
when they are told that this form of 2FA is no longer allowed by WCAG.


Regards,
Marc Johlic







On Tue, Nov 28, 2017 at 3:25 PM, lisa.seeman <lisa.seeman@zoho.com> wrote:

> I also just want to add that I don't have sources for setting any exact
> upper limit- 5 . And  I would never want to set any uper limit. We do know
> that the number of items a person can hold onto at the same time (working
> memory)becomes progressively impaired with dementia until it hits one or
> two, I can try and find sources for that if you want. This is part of
> required skill for copying. I can also give some sources in sequence, and
> we have also experience were we see people in the task force  struggling at
> about the five item mark, and people with dementia etc having trouble
> earlier. We know some sub groups of dyslexia do not have a functioning
> visual memory (also needed for coping) and can give you sources for that as
> well. Tiredness and stress are known to make many of these things worse.
>
>
> All the best
>
> Lisa Seeman
>
> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
> <https://twitter.com/SeemanLisa>
>
>
>
>
> ---- On Tue, 28 Nov 2017 22:07:24 +0200 lisa.seeman<lisa.seeman@zoho.com>
> wrote ----
>
> Hi Michael, I have already gone to bed but the reach module is fully
> sourced.
>
> All the best
>
> Lisa Seeman
>
> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
> <https://twitter.com/SeemanLisa>
>
>
>
>
> ---- On Tue, 28 Nov 2017 21:10:56 +0200 Michael Gower<
> michael.gower@ca.ibm.com> wrote ----
>
> You just pointed me to a single summary phrase under Challenges: "Copying
> information correctly." With no other qualifiers, no citations, etc., it is
> not information we can build an SC upon.
>
> It is also doesn't support in a meaningful way your assertion that "five
> digits is too high for accessibility."
>
> Regarding the Dyscalculia information you referred me to, it states:
> > mistakes commonly made when manipulating numbers; ... Difficulty with
> numbers, specifically in cases of addition, subtraction, omission,
> reversal, and transposition.
> That doesn't address copying, it covers mathematical manipulation.
>
> You are still not addressing/answering my basic question. Do you have ANY
> data to support and quantify your statement that copying is a problem, and
> if so, what does the research show? Where are the drop offs, what has been
> found to improve a user's ability? Where is "5 digits" coming from?
>
> Michael Gower
> IBM Accessibility
> Research
>
> 1803 Douglas Street, Victoria, BC
> <https://maps.google.com/?q=1803+Douglas+Street,+Victoria,+BC+%C2%A0V8T+5C3&entry=gmail&source=g>
>  V8T 5C3
> <https://maps.google.com/?q=1803+Douglas+Street,+Victoria,+BC+%C2%A0V8T+5C3&entry=gmail&source=g>
> gowerm@ca.ibm.com
> voice: (250) 220-1146 * cel: (250) 661-0098 *  fax: (250) 220-8034
>
>
>
> From:        "lisa.seeman" <lisa.seeman@zoho.com>
> To:        Michael Gower <michael.gower@ca.ibm.com>
> Cc:        "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
> Date:        2017-11-28 10:38 AM
> Subject:        Re: Mikes request that we identify an upper limit on the
> number of   digits
> ------------------------------
>
>
>
> hi mike
>
> try a searching on "copying" you will see issues such as "copying
> information correctly." for dementia and again with dyscalcilia.
> you can also do a search on memories and memory - that will also take you
> to some relevant info.
>
>
> All the best
>
> Lisa Seeman
>
> *LinkedIn*
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__il.linkedin.com_in_lisaseeman_&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=o0daxkHGHraHNw9i2iAgh1-u02Hps_TQhDkH1KZHuuQ&m=1MFE4LD5jxFBjtujYCtiM7b2ybb2XCMP0RB8ULFC0Fc&s=x4eZXFbiF7Aq9o27OFVlku7Xtv7O9yBImtk-FtuAlg0&e=>,
> *Twitter*
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_SeemanLisa&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=o0daxkHGHraHNw9i2iAgh1-u02Hps_TQhDkH1KZHuuQ&m=1MFE4LD5jxFBjtujYCtiM7b2ybb2XCMP0RB8ULFC0Fc&s=4HIw8uu-op48nELHmBjUs037It3PPLDIJrIbT5ZWFxY&e=>
>
>
>
>
> ---- On Tue, 28 Nov 2017 19:51:51 +0200 *Michael
> Gower<michael.gower@ca.ibm.com <michael.gower@ca.ibm.com>>*wrote ----
> I did a search for the word "copy" and the fragment "transcri" (to catch
> transcribe and transcription).
>
> The only relevant references in your 2015 paper cover issues to with
> copying under time constraints. On copying alone, the paper says:
> "Then the user must enter the numbers on the computer screen into the card
> reader. This shouldn't be too difficult because it requires only copying
> the numbers. "
>
> The only reference in your second citation is:
> "may have to look at or listen to text several times to copy or type it
> into a form field; "
>
> Am I missing something?
>
> Michael Gower
> IBM Accessibility
> Research
>
> 1803 Douglas Street, Victoria, BC
> <https://maps.google.com/?q=1803+Douglas+Street,+Victoria,+BC+%C2%A0V8T+5C3&entry=gmail&source=g>
>  V8T 5C3
> <https://maps.google.com/?q=1803+Douglas+Street,+Victoria,+BC+%C2%A0V8T+5C3&entry=gmail&source=g>
> <gowerm@ca.ibm.com>*gowerm@ca.ibm.com <gowerm@ca.ibm.com>*
> voice: (250) 220-1146 * cel: (250) 661-0098 *  fax: (250) 220-8034
>
>
>
> From:        "lisa.seeman" < <lisa.seeman@zoho.com>*lisa.seeman@zoho.com
> <lisa.seeman@zoho.com>*>
> To:        Michael Gower < <michael.gower@ca.ibm.com>*michael.gower@ca.ibm.com
> <michael.gower@ca.ibm.com>*>
> Cc:        "W3c-Wai-Gl-Request@W3. Org" < <w3c-wai-gl@w3.org>*w3c-wai-gl@w3.org
> <w3c-wai-gl@w3.org>*>
> Date:        2017-11-28 08:53 AM
> Subject:        Re: Mikes request that we identify an upper limit on the
> number of   digits
> ------------------------------
>
>
>
> Hi Mike
>
>
> The issue with coping discussed in
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.w3.org_TR_coga-2Duser-2Dresearch_&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=z6Rth377s3xl2ll_H74_EzcBz7r8OykGxUBoH-5mTc0&s=EjK2lUaebiDwRbAwNjAEa1WDO_TCisyVr1qp1sE8GQQ&e=>
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.w3.org_TR_coga-2Duser-2Dresearch_&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=o0daxkHGHraHNw9i2iAgh1-u02Hps_TQhDkH1KZHuuQ&m=1MFE4LD5jxFBjtujYCtiM7b2ybb2XCMP0RB8ULFC0Fc&s=K2VPA3kU9zrx8QMY1GWQIoZdLxBV66sBcmuj2f2bfwo&e=>*https://www.w3.org/TR/coga-user-research/
> <https://www.w3.org/TR/coga-user-research/>*in different user groups.  We
> have also discussed it in  the issue paper on
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__w3c.github.io_coga_issue-2Dpapers_privacy-2Dsecurity.html&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=z6Rth377s3xl2ll_H74_EzcBz7r8OykGxUBoH-5mTc0&s=rDT0mc7QGsWjjGhfEaGvv-sc-eiG6nEpTkyVMxAcYGY&e=>
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__w3c.github.io_coga_issue-2Dpapers_privacy-2Dsecurity.html&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=o0daxkHGHraHNw9i2iAgh1-u02Hps_TQhDkH1KZHuuQ&m=1MFE4LD5jxFBjtujYCtiM7b2ybb2XCMP0RB8ULFC0Fc&s=iJ7zIOJXcgXhpvL2FR6KG6W9w_QT2HFehbwMZqUu9K8&e=>*https://w3c.github.io/coga/issue-papers/privacy-security.html
> <https://w3c.github.io/coga/issue-papers/privacy-security.html>*. In
> addition to this we have the comments from members in the task force who
> often struggle with copying. My experience of disabilities such as dementia
> is that trouble will start at 2 or 3 digits, and hence any useful number
> will bar people  who can still use sites like youtube or netflixs. So
> researching this proposal doesn't really appeal to me unless there is a
> strong consensus to go here.
>
> If having a limit is needed to get this at this SC though, they it is a
> compromise position that we may have to do but  will exclude some people
> from using the site at all. We may have to do that, but I would much rather
> not.
>
>
> All the best
>
> Lisa Seeman
>
> *LinkedIn*
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__il.linkedin.com_in_lisaseeman_&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=z6Rth377s3xl2ll_H74_EzcBz7r8OykGxUBoH-5mTc0&s=-qEKRlC6-gkxvcO5NOvwiUcwiXlHgk6dJINx7m792qY&e=>,
> *Twitter*
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_SeemanLisa&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=z6Rth377s3xl2ll_H74_EzcBz7r8OykGxUBoH-5mTc0&s=EnIfgOS3bTaonqic774vtYIRCA7Wrcff4o2kIQuG1xA&e=>
>
>
>
>
> ---- On Tue, 28 Nov 2017 16:52:59 +0200 *Michael Gower<*
> <michael.gower@ca.ibm.com>*michael.gower@ca.ibm.com
> <michael.gower@ca.ibm.com>**>*wrote ----
> > For example a code with five digits is both too high  for accessibility
>
> One of the issues IBM opened against this SC is that to date you have
> supplied no data to support this statement, or to support the notion that
> transcription represents an impediment significant enough that an SC is
> warranted to entirely prevent its use to satisfy authentication. As
> mentioned in *Issue #442*
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_w3c_wcag21_issues_442&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=z6Rth377s3xl2ll_H74_EzcBz7r8OykGxUBoH-5mTc0&s=9Yx5lFM1y90ayH_2yAdMuriGPuENf-lgk9LdqfyIo2c&e=>
> the only study cited so far was a study that showed that every participant
> was able to transfer 5 digits. So why keep repeating that 5 is too high?
>
> I identified the concern to you last November and the concern about
> prohibiting copying was *flagged and discussed back in April*
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_w3c_wcag21_issues_23-23issuecomment-2D295271211&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=z6Rth377s3xl2ll_H74_EzcBz7r8OykGxUBoH-5mTc0&s=G5NxQp9RT6vzAOB2Y5zyL-9BbS-IB7rpAYYs1uewMpI&e=>.
> Issue 442 has been open since October 8 with no response. This concern is
> not coming out of the blue, nor am I the only person to voice it.
>
> Other considerations include identifying thresholds and relying on
> assistive technologies to augment experience to satisfy individual users
> needs. As an example, look at the thresholds for Contrast (Minimum). The SC
> demands a certain level of contrast for content. That is not going to
> satisfy the needs of all users, but based on a bunch of analysis and data,
> a threshold was established, with the assumption that a user who requires
> more contrast is going to call on an AT to augment.
>
> My expectation would be that based on data, we would be looking at
> something similar for guidance on allowable transcription. If we don't have
> that data, then we are basing this SC on anecdotal evidence -- and as
> others have identified, it's an SC with far-reaching ramifications.
>
> The new Animation from Interaction SC, designed to address vestibular
> disorders, had its timing parameters removed and its designation as a
> double AA moved to a triple A category because there was insufficient data
> to establish enforceable thresholds.
>
> Michael Gower
> IBM Accessibility
> Research
>
> 1803 Douglas Street, Victoria, BC
> <https://maps.google.com/?q=1803+Douglas+Street,+Victoria,+BC+%C2%A0V8T+5C3&entry=gmail&source=g>
>  V8T 5C3
> <https://maps.google.com/?q=1803+Douglas+Street,+Victoria,+BC+%C2%A0V8T+5C3&entry=gmail&source=g>
> <gowerm@ca.ibm.com> <gowerm@ca.ibm.com>*gowerm@ca.ibm.com
> <gowerm@ca.ibm.com>*
> voice: (250) 220-1146 * cel: (250) 661-0098 *  fax: (250) 220-8034
>
>
>
> From:        "lisa.seeman" < <lisa.seeman@zoho.com> <lisa.seeman@zoho.com>*lisa.seeman@zoho.com
> <lisa.seeman@zoho.com>*>
> To:        "W3c-Wai-Gl-Request@W3. Org" < <w3c-wai-gl@w3.org>
> <w3c-wai-gl@w3.org>*w3c-wai-gl@w3.org <w3c-wai-gl@w3.org>*>
> Date:        2017-11-28 12:45 AM
> Subject:        Mikes request that we identify an upper limit on the
> number of  digits
> ------------------------------
>
>
>
> Hi Folks
>
> Mike had requested empirical evidence for what is the maximum number of
> digits that can be reliable copied form a device for multi factor
> authentication.
>
> I am looking into it, but I actually think we should not enforce a  limit
> in the number of digits. Enforcing a limit on the number of digits in a
> security code will definitely jeopardize security. For example a code with
> five digits is both too high  for accessibility and lower then most secure
> applications would require.  It is much better to give the user an option
> of sending the code to the computer via Bluetooth/ token or even QR code.
>
> Please let me know if we want to go this rout. If not it is a lot of
> research for nothing.
>
> in the mean time Neil found some more research on sequencing problems that
> is useful in case we decide we would want to go in Mike's direction.
>
> All the best
>
> Lisa Seeman
>
> *LinkedIn*
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__il.linkedin.com_in_lisaseeman_&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=tcZJERjAATEfWh8o3Quzj5utQjhTc616ftI-pq0PQ14&s=RGFbNF5-vOg9zvILYyAN-w4_ahdJUxUMlyGb42Entjs&e=>,
> *Twitter*
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_SeemanLisa&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=_9rqR3xSCWQUlv9VpOcJwkP7H0XWQXmxeMmqQl6Fikc&m=tcZJERjAATEfWh8o3Quzj5utQjhTc616ftI-pq0PQ14&s=kX63euaZtgBEAbnCKIQIWsjf886TzFbHmO_HcVfF6RI&e=>
>
>
>
>
>
>
>
>
>
>
>
>
>

Received on Tuesday, 28 November 2017 20:55:24 UTC