
Re: working on re-authentication

From: Andrew Kirkpatrick <akirkpat@adobe.com>
Date: Wed, 20 Dec 2017 14:30:20 +0000
To: Alastair Campbell <acampbell@nomensa.com>, lisa.seeman <lisa.seeman@zoho.com>, Michael Gower <michael.gower@ca.ibm.com>, "Rochford, John" <john.rochford@umassmed.edu>
CC: "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
Message-ID: <6166A0D9-4995-4094-A6CD-A5877A7DC3F6@adobe.com>
So one solution to allow a site to pass the re-authentication SC would be to enforce a stricter security policy that requires full authentication each time?

Looks like Lisa is removing the “re-“ from the second option at https://docs.google.com/document/d/137g3JiV4n03JPn_qnGH4LXLjZ6Ow_wHmzgJWzHU3a5E/edit now anyway, so it may be moot.


Andrew Kirkpatrick
Group Product Manager, Accessibility


From: Alastair Campbell <acampbell@nomensa.com>
Date: Wednesday, December 20, 2017 at 09:07
To: Andrew Kirkpatrick <akirkpat@adobe.com>, "lisa.seeman@zoho.com" <lisa.seeman@zoho.com>, Michael Gower <michael.gower@ca.ibm.com>, "Rochford, John" <john.rochford@umassmed.edu>
Cc: WCAG <w3c-wai-gl@w3.org>
Subject: RE: working on re-authentication

> Can people clarify what “re-authentication” is exactly and how it differs from authentication?

We should probably add a definition, but basically it means that you have authenticated on a site/page once, the site is maintaining some state (e.g. a cookie), but returning to the page requires a reduced form of authentication.
I think there are broadly three types of behavior; sites will either:

  *   Auto-re-authentication: Maintain your session (via cookies), and you don’t have to (re)authenticate at all (e.g. twitter).
  *   Re-authentication: Detect your previous authentication (via cookies) and then ask for a password, or perhaps the second factor again to confirm it is you at the keyboard (e.g. lastpass when set to remember your username but not password).
  *   Authentication: Make you authenticate from fresh every time you arrive (e.g. my bank).
It is the second case that we’re trying to catch with re-authentication, the last case does not make any effort to maintain a previous session, and the first doesn’t require anything of the user.
Received on Wednesday, 20 December 2017 14:30:52 UTC
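The three returning-visitor behaviours listed above, modelled as a server-side cookie check so the distinction is concrete. This is an added example, not code from the thread or from any WCAG or W3C material; the cookie names (`session`, `remember`), the signed-token format, the `SERVER_KEY` value and the policy names are all assumptions. It also shows the point raised in the reply at the top of the message: a site running the "fresh" policy never presents a reduced re-authentication step at all, because it keeps no state between visits. The "remember" cookie is signed so that a client cannot forge one to pre-fill an arbitrary identity, but it is deliberately never treated as proof of identity; only a valid, unexpired session cookie lets the user through without a prompt.

```python
"""Returning-visitor handling under three site policies (constructed example).

Type 1: keep the session alive, never re-prompt.
Type 2: remember who the visitor is, then ask for a password or second factor.
Type 3: keep no state, so every visit is a fresh login.
"""
import hashlib
import hmac
import time
from enum import Enum
from typing import Dict, Optional, Tuple

# Assumption: a server-side secret used to MAC cookie payloads. Demo value only.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


class SitePolicy(Enum):
    AUTO_REAUTH = "auto"    # type 1: session cookie carries you through
    REAUTH = "reauth"       # type 2: identity remembered, credential re-asked
    FRESH = "fresh"         # type 3: nothing persists between visits


class Required(Enum):
    NOTHING = "nothing"                   # valid session, no prompt at all
    REAUTHENTICATE = "reauthenticate"     # known user, ask password / 2nd factor
    FULL_AUTHENTICATION = "full"          # blank login form


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign(payload: str) -> str:
    """Cookie value is `payload.hexmac`; the payload itself is not secret."""
    return f"{payload}.{_mac(payload)}"


def verify(token: str) -> Optional[str]:
    """Return the payload if the MAC checks out, else None (forged or damaged)."""
    payload, sep, mac = token.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _mac(payload)):
        return None
    return payload


def issue_session(user: str, ttl_seconds: int, now: float) -> str:
    """Session cookie: an authenticated session with its expiry inside the signed payload."""
    return sign(f"{user}:{int(now) + ttl_seconds}")


def issue_remember(user: str) -> str:
    """'Remember me' cookie: names the user but is never accepted as a credential."""
    return sign(user)


def session_user(cookies: Dict[str, str], now: float) -> Optional[str]:
    """User from a valid, unexpired session cookie, else None."""
    payload = verify(cookies.get("session", ""))
    if payload is None:
        return None
    user, _, exp = payload.rpartition(":")
    if not exp.isdigit() or int(exp) <= now:
        return None
    return user


def remembered_user(cookies: Dict[str, str]) -> Optional[str]:
    """User named by a correctly signed 'remember' cookie, else None."""
    return verify(cookies.get("remember", ""))


def returning_visit(cookies: Dict[str, str], policy: SitePolicy,
                    now: float) -> Tuple[Required, Optional[str]]:
    """Decide what a returning request must do before reaching the protected page."""
    if policy is SitePolicy.FRESH:
        # Type 3: state is ignored even if the browser still sends old cookies.
        return Required.FULL_AUTHENTICATION, None
    user = session_user(cookies, now)
    if user is not None:
        # Types 1 and 2: a live session means no prompt. Type 1 sites simply
        # issue long-lived sessions so this branch is the usual outcome.
        return Required.NOTHING, user
    if policy is SitePolicy.REAUTH:
        user = remembered_user(cookies)
        if user is not None:
            # Type 2: we know who this probably is; confirm with a credential.
            return Required.REAUTHENTICATE, user
    # No usable state (or an expired session under type 1): start from scratch.
    return Required.FULL_AUTHENTICATION, None


if __name__ == "__main__":
    now = time.time()
    browser = {"session": issue_session("alice", 3600, now - 7200),  # expired
               "remember": issue_remember("alice")}
    for policy in SitePolicy:
        print(policy.value, "->", returning_visit(browser, policy, now))
```

Running the block prints one decision per policy for a browser whose session has expired but whose "remember" cookie is intact: the auto policy falls back to a full login, the reauth policy asks alice for a credential, and the fresh policy ignores the cookies entirely.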