- From: lisa.seeman <lisa.seeman@zoho.com>
- Date: Mon, 18 Dec 2017 22:53:04 +0200
- To: "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
- Cc: "public-cognitive-a11y-tf" <public-cognitive-a11y-tf@w3.org>, "Rochford, John" <john.rochford@umassmed.edu>
- Message-Id: <1606b64ec98.10dab9e1743625.2801253615506524306@zoho.com>
Hi I made some small changes to the wording draft at https://www.w3.org/WAI/GL/wiki/2-2-6_Revision based on comments. Please let us know if you object to any of the changes with the new wording Changed "authentication" to "re-authentication" based on Alisters suggestion to the list -29 Nov 2017 comment 608 (changed " alternative required steps, which" to " alternative required steps, that") comment 372 is also addressed in the new wording comment 564 who see allowing legal loop hole. and want it to be closed by changing the wording from legal requirements to "governing statutory requirements ". If anyone objects to this I suggest we just say we need this loophole to enable it to be widely implemented, but would see this as bad faith . comments 553 and 542 , 441 (and part of #442) I suggest the following response: Multi-Factor Authentication means authentication through verification of at the following types of authentication factors still comply: - Possession factors, such as a phone that send Bluetooth message option, a token or reads an RQC code ; usb device such as FIDO U2F - Inherence factors, such as biometric characteristic alternatives . also you can use Multi-Factor Authentication without these accessible options so long as an alternative is available such as FIDO and Webauth specification (which is at wide review version and is on track for CR. they have implementations in Microsoft Edge, the Google Chrome and the Mozilla Firefox browsers and in different operating systems. ( See https://www.w3.org/blog/webauthn/) In fact the only type of multi-factor identification that is bared is on involving coping a code from an SMS. This method is being activity discouraged by NIST as insecure. comments 503 and 440 : We could change the requirement to AA, to address comments 503 and 440, however there are mature technolgies that are secure and do conform, and completely block users from using the application. so it seems unessisary (although we may want to do it anyway) comment 473 we can allow a technique were copy and paist can easily be implemented such as being sent a temporary password in an email. However this can also be encoded in the link which we prefer. comment 354 requires the understanding section to be published. So hopefully that is now addressed. All the best Lisa Seeman LinkedIn, Twitter
Received on Monday, 18 December 2017 20:53:35 UTC