RE: Mike's request that we identify an upper limit on the number of digits



From: Marc Johlic [mailto:marc.johlic@gmail.com]
Sent: Tuesday, November 28, 2017 3:55 PM

Given that, we are asking if there is any demonstrable evidence / research that can be pointed to that shows "whether any amount of transcription is considered an impediment to users with cognitive disabilities such that it warrants exclusion of transcription as an accepted technique."

If so, it is that evidence / research that should be driving this SC and guidance.

The public, industry, and enterprise will ask for this same information when they are told that this form of 2FA is no longer allowed by WCAG.
[Jason] The foregoing statement well articulates my concern as well: it is not enough that this working group be persuaded – and a consensus has not been reached, as this discussion shows – but also that the empirical basis of the success criteria be sound, and sufficiently justified to address likely objections from those who are considering whether to adopt WCAG 2.1.
In regard to copying of security codes in multi-factor authentication, there are different approaches that can be taken, each with different security implications. For example, we could set a minimum limit on the amount of time available to the user to copy the one-time password (assuming a time-based one-time password is used, as appears to be the most common scenario at present). We could limit reliance on recall in authentication schemes, but not on transcribing (i.e., omit the “or transcribing information” clause). We could move the entire proposal to Level AAA.
Without good empirical background, I don’t know how to choose among those options to decide which achieve the right balance of inclusiveness for as many people as we reasonably can, and security – which is a problem for everyone, including those who may be especially vulnerable to exploitation of their personal information.



Received on Tuesday, 28 November 2017 21:44:14 UTC