Re: going though comments from 2.2.6 Accessible Authentication and new wording.

Some key points for the call today on accessible authentication for the wording draft  at https://www.w3.org/WAI/GL/wiki/2-2-6_Revision 

1.  we were concerned that web authentication specification which is a great standard way to meet this SC was not mature enough and did not have implementations. However this specification is now at wide review version and is on track for CR. They have implementations in  Microsoft Edge, the Google Chrome and the Mozilla Firefox browsers and working in different operating systems.  ( See https://www.w3.org/blog/webauthn/)


2. the only type of multi-factor identification that is bared is on involving coping a code. This method is being activity depreciate by NIST as insecure. Other methods are allowed (and more secure).  You can see more details in the email bellow. 


3. the use of a passport manager can be an allowed technique so long as specific conditions are met (the existence of password manager are not always enough when there are different username pairs etc)  We can discuss what conditions need to be met here when building this technique - for example,:  so long as the site does not bar their use (some sites do) and that the site  recommends passport manager(s) that are both adequately secure and do not themselves, rely on remembering a password itself (such as allowing a FIDO to log in to the passport manager) and have been tested to work with the site in different platforms.  We will also need a technique that explains how you can send a code when copy and paste is supported to reset credentials.


4. we asked the web authentication group for feedback months ago, and we also performed and passed a security audit on this success criteria.

All the best

Lisa 

---- On Mon, 18 Dec 2017 22:53:04 +0200 lisa.seeman<lisa.seeman@zoho.com> wrote ---- 

Hi
I made some small changes to the wording draft at https://www.w3.org/WAI/GL/wiki/2-2-6_Revision based on comments.
Please let us know if you object to any of the changes with the new wording


Changed "authentication" to "re-authentication"  based on Alisters suggestion to the list -29 Nov 2017
comment 608 (changed " alternative required steps,  which" to " alternative required steps, that")


comment 372 is also addressed in the new wording


comment 564 who see allowing legal loop hole. and want it to be closed by changing the wording from legal requirements to "governing statutory requirements ". If anyone objects to this I suggest we just say we need this loophole to enable it to be widely implemented, but would see this as bad faith . 


comments 553 and 542 , 441 (and part of #442) I suggest the following response: 
Multi-Factor Authentication means authentication through verification of at the following types of authentication factors still comply:
- Possession factors, such as a phone that send Bluetooth message option,  a token or reads an RQC code  ; usb device such as  FIDO U2F
-  Inherence factors, such as biometric characteristic alternatives .
also you can use Multi-Factor Authentication without these accessible options so long as an alternative is available such as FIDO and Webauth specification (which is at wide review version and is on track for CR. they have implementations in  Microsoft Edge, the Google Chrome and the Mozilla Firefox browsers and in different operating systems.  ( See https://www.w3.org/blog/webauthn/)


In fact the only type of multi-factor identification that is bared is on involving coping a code from an SMS. This method is being activity discouraged by NIST as insecure.


comments 503 and 440 : We could change the requirement to AA, to address  comments 503 and 440, however there are mature technolgies that are secure and do conform, and completely block users from using the application.  so it seems unessisary (although we may want to do it anyway)


comment 473 we can allow a technique were copy and paist can easily be implemented such as being sent a temporary password in an email. However this can also be encoded in the link which we prefer.


comment  354 requires the understanding section to be published. So hopefully that is now addressed.

All the best

Lisa Seeman

LinkedIn, Twitter

Received on Tuesday, 19 December 2017 13:10:24 UTC