Re: working on re-authentication

Here’s a bunch of questions that I think that we will be expected to know the answers to related to this SC:

  1.  Regarding user’s abilities to memorize information, don’t browser/OS capabilities or separate tools (e.g. splash ID, LastPass, etc) to support recall of login information mitigate this problem to manageable levels?
  2.  Regarding the ability to transcribe information, this includes:
     *   Typing in characters/numbers that are displayed on an app/extension/device
     *   Typing in characters/numbers that are voiced out loud
     *   Anything else?
  3.  Regarding the ability to transcribe information, what kind of barrier does this create for users – is it a complete barrier or something less? In one of the current options it seems that transcribing a one-time code is ok for the first time – why is it not a barrier the first time but is a barrier after that?
  4.  It seems that there is a possible conflict with 1.1.1. In that SC there is language about using CAPTCHA, which is sometimes used as part of an authentication process. It seems that providing a multi-modal approach which uses but doesn’t rely exclusively on visual CAPTCHA is ok under 1.1.1 but may be forbidden in this SC? The SC text for CAPTCHA reads:
“CAPTCHA<https://www.w3.org/TR/WCAG20/#CAPTCHAdef>: If the purpose of non-text content is to confirm that content is being accessed by a person rather than a computer, then text alternatives that identify and describe the purpose of the non-text content are provided, and alternative forms of CAPTCHA using output modes for different types of sensory perception are provided to accommodate different disabilities.”
  5.  Are there examples of sites that currently pass the proposed SC language without relying on the exceptions?

Thanks,
AWK

Andrew Kirkpatrick
Group Product Manager, Accessibility
Adobe

akirkpat@adobe.com
http://twitter.com/awkawk


From: "lisa.seeman@zoho.com" <lisa.seeman@zoho.com>
Date: Wednesday, December 20, 2017 at 09:38
To: Alastair Campbell <acampbell@nomensa.com>
Cc: Andrew Kirkpatrick <akirkpat@adobe.com>, Michael Gower <michael.gower@ca.ibm.com>, "Rochford, John" <john.rochford@umassmed.edu>, WCAG <w3c-wai-gl@w3.org>
Subject: RE: working on re-authentication

Ahh, I assumed re-authentication just excluded the first time sign up.

I think it is better to stick with authentication and add an exception for transcribing during sign in.
All the best

Lisa Seeman

LinkedIn<http://il.linkedin.com/in/lisaseeman/>, Twitter<https://twitter.com/SeemanLisa>



---- On Wed, 20 Dec 2017 16:07:36 +0200 Alastair Campbell <acampbell@nomensa.com> wrote ----
> Can people clarify what “re-authentication” is exactly and how it differs from authentication?

We should probably add a definition, but basically it means that you have authenticated on a site/page once, the site is maintaining some state (e.g. a cookie), but returning to the page requires a reduced form of authentication.
I think there are broadly three types of behavior, sites will either:

  *   Auto-re-authentication: Maintain your session (via cookies), and you don’t have to (re)authenticate at all (e.g. twitter).
  *   Re-authentication: Detect your previous authentication (via cookies) and then ask for a password, or perhaps the second factor again to confirm it is you at the keyboard (e.g. lastpass when set to remember your username but not password).
  *   Authentication: Make you authenticate from fresh every time you arrive (e.g. my bank).
It is the second case that we’re trying to catch with re-authentication; the last case does not make any effort to maintain a previous session, and the first doesn’t require anything of the user.
HTH,
-Alastair

Received on Wednesday, 20 December 2017 15:20:00 UTC