Re: Feedback on Success Criterion 2.2.6 Accessible Authentication

Hi, whilst I fully support security, holding number sequences in working memory can be problematic. I know Mike Gower wants to know what a maximum acceptable number would be, but I honestly cannot say, as depending on how stressed and distracted I am I might be able to manage 2, 4 or 6 without making a mess of it.

Many people with acquired brain injuries are likely to struggle too.

This is why I sold my soul to Touch ID: using biometrics as the 2nd factor has made my life inordinately easier.

Failing that, being able to copy and paste the number from the message is preferable to trying to remember it.

Neil Milliken BA Oxon, MBA Open, FRSA, Atos Distinguished Expert
Head of Accessibility & Digital Inclusion
Atos
T: +442036180957
M: 07812325386
E: Neil.Milliken@atos.net
www: http://atos.net/iux

Twitter: @neilmilliken <https://twitter.com/neilmilliken>
Assistant: Monika Tomczak
E: Monika.Tomczak@atos.net
M: +48517727304


On 30 Nov 2017, at 19:03, lisa.seeman <lisa.seeman@zoho.com> wrote:

Hi Alister

Passwords are not conformant. They are a huge problem.

However, the task force felt that copying text from the phone is often a bigger problem.

So solving one problem by pushing the industry towards a problem that is sometimes worse does not seem worth the effort.


All the best

Lisa Seeman

LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter <https://twitter.com/SeemanLisa>




---- On Thu, 30 Nov 2017 19:38:37 +0200 Alastair Campbell <acampbell@nomensa.com> wrote ----
Hi Lisa,

I don’t think we’re understanding each other, where you said:

> Multi-step authentication can work with a token, Bluetooth or QR code, or you just have an alternative that you allow that conforms for people who cannot use it.

Those are typical 2nd factors, but what is the first factor?

Going back to my previous email, the options (techniques) we have for the 2-factor scenario are:

-----------
2. A site that does username/password plus a second factor, such as an app that generates a 6 digit number every 30 seconds (like Google Auth).

  *   After having created a username/password, allow a ‘magic link’ email login, AND have a 2FA style login where you authenticate on a separate mobile app, or custom USB token generator.
(Note that Slack and I think LinkedIn provide 2FA with a number-generator you have to copy across.)

  *   ???
-----------

So the ‘magic link’ technique would be the first factor, and then WebAuth would be the only (feasible web) option for second factor, and that is currently Chrome-only.


> The concern of the task force is that scoping out two step authentication will push sites away from using passwords towards non conformant types of multi step authentication which

Ok, now I’m confused, are passwords conformant? I thought that was the primary problem!


> We require an alternative for visual capture to accommodate the blind

Yes, if someone implements a captcha they have to create an (audio) alternative; these are of the same scale of effort. We don’t ask them to set up a call-centre.

-Alastair


Atos, Atos Consulting, Worldline and Canopy The Open Cloud Company are trading names used by the Atos group. The following trading entities are registered in England and Wales: Atos IT Services UK Limited (registered number 01245534), Atos Consulting Limited (registered number 04312380), Atos Worldline UK Limited (registered number 08514184) and Canopy The Open Cloud Company Limited (registration number 08011902). The registered office for each is at 4 Triton Square, Regent’s Place, London, NW1 3HG.The VAT No. for each is: GB232327983.

This e-mail and the documents attached are confidential and intended solely for the addressee, and may contain confidential or privileged information. If you receive this e-mail in error, you are not authorised to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. Atos therefore can accept no liability for any errors or their content. Although Atos endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with Atos by email.

Received on Thursday, 30 November 2017 19:33:00 UTC