RE: working on re-authentication

From: Alastair Campbell [mailto:acampbell@nomensa.com]
Sent: Wednesday, December 20, 2017 11:08 AM

In usability testing, which wasn't exactly on this, but close as we gave people made-up information to type in as part of usability testing, it can take 5-10 seconds per character, if they are patient and motivated. The typical time-based one-time code is 6 characters to type in within 30 seconds.

We can discuss degree, but personally I've seen enough to know it is a real issue and any transcription will prevent some people from completing that task.

[Jason] According to this summary:
https://pthree.org/2014/04/15/time-based-one-time-passwords-how-it-works/
given the default time-based one-time password interval of 30 seconds, servers are typically configured to accept any of the previous, current and next values as valid. Thus, if a new TOTP code becomes available now, it will remain valid for 90 seconds, assuming these defaults are in place.

All I need is the ability to "freeze" the display of new passwords in order to have 90 seconds in which to transcribe six digits. In principle, these could be presented visually, spoken (with or without highlighting), in braille, or in any combination of modalities. The question on which we need reliable evidence, then, is whether there are people with cognitive disabilities such that (1) they can't complete this task, (2) they can use alternative authentication methods, and (3) they can use general-purpose WCAG-conformant Web applications effectively.



Received on Wednesday, 20 December 2017 18:23:40 UTC
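
The acceptance window discussed in the message above, as an added example that is not part of the original e-mail: an RFC 6238 TOTP generator, a verifier that accepts the previous, current and next 30-second step, and a function that measures over which server-clock seconds one displayed code verifies. The names `verify` and `acceptance_span`, the `window=1` setting and the sample time are assumptions made for illustration; the key is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per time step (RFC 6238 default)
KEY = b"12345678901234567890"      # RFC 4226 test key, not a real secret

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, now, step=STEP):
    """Code an authenticator displays at Unix time `now`."""
    return hotp(key, now // step)

def verify(key, code, now, window=1, step=STEP):
    """Accept codes from `window` steps either side of the server's current step.
    A production verifier would also reject a code that was already used."""
    current = now // step
    ok = False
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter >= 0 and hmac.compare_digest(hotp(key, counter), code):
            ok = True              # no early exit: check every candidate
    return ok

def acceptance_span(key, shown_at, window=1, step=STEP):
    """First and last server-clock second at which the code shown at `shown_at` verifies."""
    code = totp(key, shown_at, step)
    lo = max(0, shown_at - (window + 2) * step)
    hi = shown_at + (window + 2) * step
    accepted = [t for t in range(lo, hi) if verify(key, code, t, window, step)]
    return accepted[0], accepted[-1]

if __name__ == "__main__":
    first, last = acceptance_span(KEY, shown_at=60)   # constructed time: start of step 2
    print("code:", totp(KEY, 60))
    print("accepted for server time", first, "to", last, "=", last - first + 1, "s")
    print("remaining after display:", last - 60 + 1, "s")
```

With synchronized clocks, the code first displayed at second 60 verifies for server times 30 through 119: a 90-second acceptance span, of which 60 seconds remain once the code has appeared on the device.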