
RE: Feedback on Success Criterion 2.2.6 Accessible Authentication

From: Alastair Campbell <acampbell@nomensa.com>
Date: Thu, 30 Nov 2017 23:52:23 +0000
To: Janina Sajka <janina@rednote.net>, lisa.seeman <lisa.seeman@zoho.com>
CC: "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>, public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Message-ID: <DB6PR0901MB091998215A1D998EC53F6C60B9380@DB6PR0901MB0919.eurprd09.prod.outlook.com>

Janina wrote:
> I would like to note that copying a code sent via SMS is usually an option... where the code is read out twice by the automated 

Steve wrote:
> but just so you are aware, there have been devices out there doing this without transcription for some time, 
> e.g. https://www.yubico.com/...

No one is disputing there are many 2nd factor options (which can be 1st factor re-authentication), but as I outlined before [1] they are either:

- Expensive to implement (as a website owner you have to buy into a service, or implement the backend for it)
- Reliant on WebAuth, which is a good solution, but Chrome-only at the moment.

John wrote:
> some of these tools also assist and manage the storing of passwords ... the point being that we cannot and should not put all of the heavy lifting on the content developers, as content alone cannot solve all problems.

This is a good point; I'm not sure why that hasn't factored into the discussion more. I use a password manager, so I only need to remember 1 password (which could be written down on paper), and I only need to use it about every 30 days. It is easier and more secure than any alternative I have come across for day-to-day authentication on the web.

 Kind regards,


[1] https://lists.w3.org/Archives/Public/w3c-wai-gl/2017OctDec/0722.html

Received on Thursday, 30 November 2017 23:52:54 UTC
