- From: lisa.seeman <lisa.seeman@zoho.com>
- Date: Wed, 29 Nov 2017 08:16:19 +0200
- To: "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
- Message-Id: <16006696738.fad63f5c141807.3924051097042045612@zoho.com>
Hi

Please find attached the security audit on 2.2.6

All the best...

Lisa

Subject: Feedback on Success Criterion 2.2.6 Accessible Authentication

============ Forwarded message ============

Hi Lisa,

I had four people review the SC at the following URL:
https://www.w3.org/TR/WCAG21/#accessible-authentication

Reviewers hold positions in compliance, risk, information security and legal. Two reviewers hold the CRISC certification, one reviewer holds the CISSP certification as well as a legal degree.

Feedback on wording:

Current
Essential steps of an authentication process, which rely upon recalling or transcribing information, have one of the following:

Suggested (remove commas)
Essential steps of an authentication process which rely upon recalling or transcribing information have one of the following:

Reasoning
The first comma changes the meaning and context of the section after the comma making it a descriptor of an authentication process. The second comma is then not needed.

Current
The authentication process involves basic identifying information to which the user has easy access, such as name, address, email address and identification or social security number;

Suggested (remove reference to social security number)
The authentication process involves basic identifying information to which the user has easy access, such as name, address, email address or identification number

Reasoning
It may be unlawful to use Social Security number for purposes other than tax/income in some cases:
http://consumersunion.org/news/state-laws-restricting-private-use-of-social-security-numbers/

Impact on security

All reviewers concluded that, if the suggestion presented above were implemented, this language would not have a negative impact on security.

Authentication is typically defined with three common factors:

- Something you know - The SC recommends against this. This is actually the least secure method of authentication. The SC is recommending against a weak method of authentication which could have a positive impact on security.
- Something you have (a hard token for example) - The SC does not recommend against this and may support it.
- Something you are (biometrics for example) - The SC does not recommend against this and may support it.

We also discussed current implementations that appear to support this SC, for example:

- FareClock
- LinkedIn - One-time sign-in link
- Slack - Magic Link

Let me know if you need any additional information.

Best,
Thaddeus
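The one-time sign-in links named at the end of the forwarded review, shown as an added Python example that is not from this thread or from any of the products mentioned: the server issues a random, time-limited, single-use token and redeems it from the link, so the user never has to recall or transcribe anything. The in-memory store, the 15-minute lifetime and the `/login?token=` URL layout are assumptions for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed in-memory store of outstanding links: sha256(token) -> (email, expiry).
# A real service would keep this server-side in a database or cache.
_pending = {}

TTL_SECONDS = 15 * 60  # assumed lifetime of a link: 15 minutes


def issue_magic_link(email, base_url, now=None):
    """Create a one-time sign-in link for `email`.

    Only the raw token travels in the link; the server stores its SHA-256
    digest, so a leaked store cannot be turned back into usable links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TTL_SECONDS)
    return f"{base_url}/login?token={token}"


def token_from_link(link):
    """Extract the token query parameter the way the login endpoint would."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_magic_link(token, now=None):
    """Return the signed-in email, or None if the token is unknown, expired or already used."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # pop() makes the link single-use: a second presentation finds nothing.
    entry = _pending.pop(digest, None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None  # expired links are discarded, not honoured
    return email
```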
Received on Wednesday, 29 November 2017 06:16:56 UTC