Re: Accessible Authentication and issue responses

From: Patrick H. Lauke <redux@splintered.co.uk>
Date: Sat, 23 Dec 2017 18:56:04 +0000
To: w3c-wai-gl@w3.org
Message-ID: <30687c53-fc3d-389f-3ffa-2c0311cddd13@splintered.co.uk>

On 23/12/2017 18:39, Patrick H. Lauke wrote:
> On 23/12/2017 17:15, Alastair Campbell wrote:
>>  > How would a user be able to use another browser-based or 
>> extension-based password manager or similar tool on a public terminal, 
>> for instance?
>> Same applies to text-modifications, screenreaders and just about any 
>> AT. This is the content guideline.
> Not quite, I'd argue. This SC expressly forbids something from being 
> done, unless a user is able to use a password manager or similar, or 
> there's a "governing statutory requirements". The same cannot be said 
> for, say, text-modifications.
> Imagine a web-based (internal) system that can only be accessed on 
> locked-down terminals. The system needs to authenticate users, but at 
> the same time doesn't allow installation of password managers, or access 
> to web-based password managers (and even if it did, the user would have 
> to log into the password manager?). Is there any way for this system to 
> pass the SC without compromising security/removing authentication 
> altogether?

Or is a way to pass this, in essence: use text fields that don't prevent 
autofill (i.e. regular text/password input fields), which can in theory 
be filled in by password managers/the UA? Because if so...this SC would 
only prohibit a small number of scenarios (like "enter the first, third 
and seventh digit of your secret number" or similar), and leave any 
other forms of login/authentication untouched (as, unless an author goes 
out of their way, fields will be automatically "populatable" by password 
managers/UAs). And is the exception really only for "name, username, 
password, identification number, and email address" ? Password 
managers/UAs can autofill other types of information as well. Would 
requiring another piece of information, even if it can be autofilled, 
prevent the exclusion from being applied?

Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke
Received on Saturday, 23 December 2017 18:56:29 UTC
