Hi Lisa,
I don’t think we’re understanding each other, where you said:
> Multi step authentication can work with a token, Bluetooth or QR code, or you just have an alternative that you allow that conforms for people who cannot use it.
Those are typical 2nd factors, but what is the first factor?
Going back to my previous email, the options (techniques) we have for the 2-factor scenario are:
-----------
2. A site that does username/password plus a second factor, such as an app that generates a 6-digit number every 30 seconds (like Google Auth).
* After having created a username/password, allow a ‘magic link’ email login, AND have a 2FA-style login where you authenticate on a separate mobile app, or custom USB token generator.
(Note that Slack and I think LinkedIn provide 2FA with a number-generator you have to copy across.)
* ???
-----------
So the ‘magic link’ technique would be the first factor, and then WebAuth would be the only (feasible web) option for second factor, and that is currently Chrome-only.
> The concern of the task force is that scoping out two step authentication will push sites away from using passwords towards non conformant types of multi step authentication which
Ok, now I’m confused: are passwords conformant? I thought that was the primary problem!
> We require an alternative for visual capture to accommodate the blind
Yes, if someone implements a captcha they have to create an (audio) alternative; these are of the same scale of effort. We don’t ask them to set up a call-centre.
-Alastair