Re: working on re-authentication from Alastair Campbell on 2017-12-20 (w3c-wai-gl@w3.org from October to December 2017)

From: Alastair Campbell <acampbell@nomensa.com>
Date: Wed, 20 Dec 2017 14:57:29 +0000
To: lisa.seeman <lisa.seeman@zoho.com>
CC: Andrew Kirkpatrick <akirkpat@adobe.com>, Michael Gower <michael.gower@ca.ibm.com>, "Rochford, John" <john.rochford@umassmed.edu>, "W3c-Wai-Gl-Request@W3. Org" <w3c-wai-gl@w3.org>
Message-ID: <DB6PR0901MB0919EC5DF6E01CDB12E384A2B90C0@DB6PR0901MB0919.eurprd09.prod.outlook.>

I’m sure that would be beneficial from a user point of view, but then it is not possible to achieve with two factor without email.

The only (common and standards based) methods for two factor would be:
1. Email reset or magic link for 1st factor.
2. Webauth for second factor.

How would an email provider achieve this?

Remember that even with webauth, that replaces one factor, not both.

The good implementations you’ve shown still use username/password when logging in from a fresh browser, it is only relying on external auth after you have authenticated once (in that browser).

I’ve finished the training I was running today, so I’ll try to create another option now, barring travel-sickness.

Cheers,

-Alastair


_____________________________
From: lisa.seeman

Ahh, I assumed re-authentication just excluded the first time sign up.

I think it is better to stick with authentication  and add an exception for transcribing during sign in

All the best

Lisa Seeman

LinkedIn<http://il.linkedin.com/in/lisaseeman/>,

Received on Wednesday, 20 December 2017 14:57:55 UTC