Re: Feedback on Success Criterion 2.2.6 Accessible Authentication from Alastair Campbell on 2017-12-01 (w3c-wai-gl@w3.org from October to December 2017)

From: Alastair Campbell <acampbell@nomensa.com>
Date: Fri, 1 Dec 2017 09:19:10 +0000
To: lisa.seeman <lisa.seeman@zoho.com>
CC: Janina Sajka <janina@rednote.net>, "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>, public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Message-ID: <DC1B1EAA-1C9F-47CE-BE06-FAE50EF7E1C7@nomensa.com>

Hi Lisa,

> Writing down a paper your one password is very risky. People do it, but it means a care giver , plummer , delivery person can access it,

Risks are relative, if you keep it in a drawer then it is probably less risky than using the same password across different websites. The risks from password re-use are exploitable over the internet.


> Also things often go wrong at this point such as you upgrade your browser and your password manager doesn't work,  or the site updates it's interface. It is also hard for our usergroups to know which password managers are trustworthy.

Agreed, it isn’t magic ☺


> However if we have solutions that solve all these problems, then supporting these user agents  can become techniques, and this SC becomes really easy to conform to.

Well, at that stage it moves from Content to User-Agents.

Each browser has built-in password saving [1], and if you use multiple browsers then 1Password and Lastpass are the most recommended cross-browser password managers. (Keepass is also recommended, but more complex to manage).

The aspects of websites changing interface or blocking password managers is already recommended against by security organisations, this is an entertaining example:
https://www.troyhunt.com/the-cobra-effect-that-is-disabling/

Or an official one from the UK Gov department responsible for cyber security:
https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords


I think the US changed its guidance this year as well to encourage password paste-ability.

The question is whether we need an accessibility guideline to enforce something that is already a security and usability recommendation?

Cheers,

-Alastair

1]
Chrome: https://support.google.com/chrome/answer/95606?co=GENIE.Platform%3DDesktop&hl=en

FF: https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import

Edge: https://support.microsoft.com/en-gb/help/4028534/windows-remember-passwords-in-microsoft-edge

Safari: https://support.apple.com/kb/PH25230?locale=en_US

Received on Friday, 1 December 2017 09:19:43 UTC