Feedback on Success Criterion 2.2.6 Accessible Authentication

Hi
Please find attached the security audit on 2.2.6
All the best... Lisa

Subject: Feedback on Success Criterion 2.2.6 Accessible Authentication
============ Forwarded message ============

Hi Lisa,


I had four people review the SC at the following URL:

https://www.w3.org/TR/WCAG21/#accessible-authentication


Reviewers hold positions in compliance, risk, information security and legal. Two reviewers hold the CRISC certification; one reviewer holds the CISSP certification as well as a legal degree.


Feedback on wording:


Current

Essential steps of an authentication process, which rely upon recalling or transcribing information, have one of the following:


Suggested (remove commas)

Essential steps of an authentication process which rely upon recalling or transcribing information have one of the following:


Reasoning


The first comma changes the meaning and context of the section after the comma, making it a descriptor of an authentication process. The second comma is then not needed.

Current

The authentication process involves basic identifying information to which the user has easy access, such as name, address, email address and identification or social security number;

Suggested (remove reference to social security number)

The authentication process involves basic identifying information to which the user has easy access, such as name, address, email address or identification number

Reasoning

It may be unlawful to use Social Security numbers for purposes other than tax/income in some cases:


http://consumersunion.org/news/state-laws-restricting-private-use-of-social-security-numbers/


Impact on security


All reviewers concluded that, if the suggestion presented above were implemented, this language would not have a negative impact on security.


Authentication is typically defined with three common factors:

Something you know - The SC recommends against this. This is actually the least secure method of authentication. The SC is recommending against a weak method of authentication which could have a positive impact on security.

Something you have (a hard token for example) - The SC does not recommend against this and may support it.

Something you are (biometrics for example) - The SC does not recommend against this and may support it.

We also discussed current implementations that appear to support this SC, for example:

FareClock
LinkedIn - One-time sign-in link
Slack - Magic Link


Let me know if you need any additional information.



Best,
Thaddeus
Received on Wednesday, 29 November 2017 06:16:56 UTC