Re: Mikes request that we identify an upper limit on the number of digits

Hypothesis...

https://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two

I've known about, and referenced this theory, also known as Miller's Law,
for close to 2 decades now. While some continue to question the basic
theorem, it has taken root as an accepted metric and may be relevant here.
If 7 (+/- 2) is the average or 'norm' for the amount of short-term memory
items a person can accurately retain, is it unreasonable to consider the
low end of the scale for people with short-term memory issues would be 7-2
- aka 5?

Part of the problem, as famously stated by Jamie Knight, is that no two
people with cognitive issues are alike, and given the nature of their
disability, it is very hard to make scalable solutions or decisions based
solely on empirical data because the data itself doesn't scale.


That said, I agree with IBM's position that we need to have some hard data
facts that support our choice of "cut-off" number. I wonder aloud... based
upon my observations that most 2FA solutions involve a 6-digit number being
sent to the cell phone (or whatever), and additionally, those 'secret
codes' seem limited to either all numbers, or numbers and letters (i.e.
I've personally never seen the requirement for case-sensitivity or special
characters in those secondary codes), as a proposal to the larger group,
and specifically to IBM's concerns, I'd like to offer the following
suggestion: given that industry norms appear to be currently 6 digits and
no casing or special characters, would that be acceptable as the baseline
minimum? That rather than a cut-off of 5, we choose a cut-off of 6 plus the
restrictions around casing and special chars?

Thoughts? Mike/Marc?

JF

On Tue, Nov 28, 2017 at 2:54 PM, Marc Johlic <marc.johlic@gmail.com> wrote:

> This seems to be going in circles and I'm not sure why.
>
> To be clear - and restate again - IBM is *not* trying to set an upper
> limit for any 2FA processes that rely on copying or transcribing.  In fact, IBM
> comment #442 <https://github.com/w3c/wcag21/issues/442>, the assumed
> driver behind this discussion, does the exact opposite.  We noticed that
> material referenced for this SC "showed that *all test subjects were able
> to complete 5-digit transcription* -- and *five digits was not
> established as a ceiling*."
>
> Given that, we are asking *if* there is any demonstrable evidence /
> research that can be pointed to that shows "whether *any* amount of
> transcription is considered an impediment to users with cognitive
> disabilities such that it warrants exclusion of transcription as an
> accepted technique."
>
> If so, it is that evidence / research that should be driving this SC and
> guidance.
>
> The public, industry, and enterprise will ask for this same information
> when they are told that this form of 2FA is no longer allowed by WCAG.
>
>
> Regards,
> Marc Johlic
>
> On Tue, Nov 28, 2017 at 3:25 PM, lisa.seeman <lisa.seeman@zoho.com> wrote:
>
>> I also just want to add that I don't have sources for setting any exact
>> upper limit - 5. And I would never want to set any upper limit. We do know
>> that the number of items a person can hold onto at the same time (working
>> memory) becomes progressively impaired with dementia until it hits one or
>> two, I can try and find sources for that if you want. This is part of
>> required skill for copying. I can also give some sources in sequence, and
>> we have also experience where we see people in the task force struggling at
>> about the five item mark, and people with dementia etc. having trouble
>> earlier. We know some sub groups of dyslexia do not have a functioning
>> visual memory (also needed for copying) and can give you sources for that as
>> well. Tiredness and stress are known to make many of these things worse.
>>
>>
>> All the best
>>
>> Lisa Seeman
>>
>> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
>> <https://twitter.com/SeemanLisa>
>>
>>
>>
>>
>> ---- On Tue, 28 Nov 2017 22:07:24 +0200 lisa.seeman<lisa.seeman@zoho.com>
>> wrote ----
>>
>> Hi Michael, I have already gone to bed but the reach module is fully
>> sourced.
>>
>> All the best
>>
>> Lisa Seeman
>>
>> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
>> <https://twitter.com/SeemanLisa>
>>
>>
>>
>>
>> ---- On Tue, 28 Nov 2017 21:10:56 +0200 Michael Gower<
>> michael.gower@ca.ibm.com> wrote ----
>>
>> You just pointed me to a single summary phrase under Challenges: "Copying
>> information correctly." With no other qualifiers, no citations, etc., it is
>> not information we can build an SC upon.
>>
>> It also doesn't support in a meaningful way your assertion that "five
>> digits is too high for accessibility."
>>
>> Regarding the Dyscalculia information you referred me to, it states:
>> > mistakes commonly made when manipulating numbers; ... Difficulty with
>> numbers, specifically in cases of addition, subtraction, omission,
>> reversal, and transposition.
>> That doesn't address copying, it covers mathematical manipulation.
>>
>> You are still not addressing/answering my basic question. Do you have ANY
>> data to support and quantify your statement that copying is a problem, and
>> if so, what does the research show? Where are the drop offs, what has been
>> found to improve a user's ability? Where is "5 digits" coming from?
>>
>> Michael Gower
>> IBM Accessibility
>> Research
>>
>> 1803 Douglas Street, Victoria, BC V8T 5C3
>> gowerm@ca.ibm.com
>> voice: (250) 220-1146 * cel: (250) 661-0098 *  fax: (250) 220-8034
>>
>>
>>
>> From:        "lisa.seeman" <lisa.seeman@zoho.com>
>> To:        Michael Gower <michael.gower@ca.ibm.com>
>> Cc:        "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
>> Date:        2017-11-28 10:38 AM
>> Subject:        Re: Mikes request that we identify an upper limit on the
>> number of   digits
>> ------------------------------
>>
>>
>>
>> Hi Mike
>>
>> Try searching on "copying" you will see issues such as "copying
>> information correctly." for dementia and again with dyscalculia.
>> You can also do a search on memories and memory - that will also take you
>> to some relevant info.
>>
>>
>> All the best
>>
>> Lisa Seeman
>>
>> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
>> <https://twitter.com/SeemanLisa>
>>
>>
>>
>>
>> ---- On Tue, 28 Nov 2017 19:51:51 +0200 Michael Gower
>> <michael.gower@ca.ibm.com> wrote ----
>> I did a search for the word "copy" and the fragment "transcri" (to catch
>> transcribe and transcription).
>>
>> The only relevant references in your 2015 paper cover issues to do with
>> copying under time constraints. On copying alone, the paper says:
>> "Then the user must enter the numbers on the computer screen into the
>> card reader. This shouldn't be too difficult because it requires only
>> copying the numbers. "
>>
>> The only reference in your second citation is:
>> "may have to look at or listen to text several times to copy or type it
>> into a form field; "
>>
>> Am I missing something?
>>
>> Michael Gower
>> IBM Accessibility
>> Research
>>
>> 1803 Douglas Street, Victoria, BC V8T 5C3
>> gowerm@ca.ibm.com
>> voice: (250) 220-1146 * cel: (250) 661-0098 *  fax: (250) 220-8034
>>
>>
>>
>> From:        "lisa.seeman" <lisa.seeman@zoho.com>
>> To:        Michael Gower <michael.gower@ca.ibm.com>
>> Cc:        "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
>> Date:        2017-11-28 08:53 AM
>> Subject:        Re: Mikes request that we identify an upper limit on the
>> number of   digits
>> ------------------------------
>>
>>
>>
>> Hi Mike
>>
>>
>> The issue with copying is discussed in
>> <https://www.w3.org/TR/coga-user-research/> in different user groups. We
>> have also discussed it in the issue paper on
>> <https://w3c.github.io/coga/issue-papers/privacy-security.html>. In
>> addition to this we have the comments from members in the task force who
>> often struggle with copying. My experience of disabilities such as dementia
>> is that trouble will start at 2 or 3 digits, and hence any useful number
>> will bar people who can still use sites like YouTube or Netflix. So
>> researching this proposal doesn't really appeal to me unless there is a
>> strong consensus to go here.
>>
>> If having a limit is needed to get this at this SC though, then it is a
>> compromise position that we may have to do but will exclude some people
>> from using the site at all. We may have to do that, but I would much rather
>> not.
>>
>>
>> All the best
>>
>> Lisa Seeman
>>
>> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
>> <https://twitter.com/SeemanLisa>
>>
>>
>>
>>
>> ---- On Tue, 28 Nov 2017 16:52:59 +0200 Michael Gower
>> <michael.gower@ca.ibm.com> wrote ----
>> > For example a code with five digits is both too high for
>> accessibility
>>
>> One of the issues IBM opened against this SC is that to date you have
>> supplied no data to support this statement, or to support the notion that
>> transcription represents an impediment significant enough that an SC is
>> warranted to entirely prevent its use to satisfy authentication. As
>> mentioned in Issue #442 <https://github.com/w3c/wcag21/issues/442>
>> the only study cited so far was a study that showed that every participant
>> was able to transfer 5 digits. So why keep repeating that 5 is too high?
>>
>> I identified the concern to you last November and the concern about
>> prohibiting copying was flagged and discussed back in April
>> <https://github.com/w3c/wcag21/issues/23#issuecomment-295271211>.
>> Issue 442 has been open since October 8 with no response. This concern is
>> not coming out of the blue, nor am I the only person to voice it.
>>
>> Other considerations include identifying thresholds and relying on
>> assistive technologies to augment experience to satisfy individual users
>> needs. As an example, look at the thresholds for Contrast (Minimum). The SC
>> demands a certain level of contrast for content. That is not going to
>> satisfy the needs of all users, but based on a bunch of analysis and data,
>> a threshold was established, with the assumption that a user who requires
>> more contrast is going to call on an AT to augment.
>>
>> My expectation would be that based on data, we would be looking at
>> something similar for guidance on allowable transcription. If we don't have
>> that data, then we are basing this SC on anecdotal evidence -- and as
>> others have identified, it's an SC with far-reaching ramifications.
>>
>> The new Animation from Interaction SC, designed to address vestibular
>> disorders, had its timing parameters removed and its designation as a
>> double AA moved to a triple A category because there was insufficient data
>> to establish enforceable thresholds.
>>
>> Michael Gower
>> IBM Accessibility
>> Research
>>
>> 1803 Douglas Street, Victoria, BC V8T 5C3
>> gowerm@ca.ibm.com
>> voice: (250) 220-1146 * cel: (250) 661-0098 *  fax: (250) 220-8034
>>
>>
>>
>> From:        "lisa.seeman" <lisa.seeman@zoho.com>
>> To:        "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
>> Date:        2017-11-28 12:45 AM
>> Subject:        Mikes request that we identify an upper limit on the
>> number of  digits
>> ------------------------------
>>
>>
>>
>> Hi Folks
>>
>> Mike had requested empirical evidence for what is the maximum number of
>> digits that can be reliably copied from a device for multi factor
>> authentication.
>>
>> I am looking into it, but I actually think we should not enforce a limit
>> in the number of digits. Enforcing a limit on the number of digits in a
>> security code will definitely jeopardize security. For example a code with
>> five digits is both too high for accessibility and lower than most secure
>> applications would require. It is much better to give the user an option
>> of sending the code to the computer via Bluetooth/ token or even QR code.
>>
>> Please let me know if we want to go this route. If not it is a lot of
>> research for nothing.
>>
>> In the meantime Neil found some more research on sequencing problems
>> that is useful in case we decide we would want to go in Mike's direction.
>>
>> All the best
>>
>> Lisa Seeman
>>
>> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter
>> <https://twitter.com/SeemanLisa>
>>
>


-- 
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion

Received on Tuesday, 28 November 2017 21:42:01 UTC