Re: Accessible Authentication and issue responses from Patrick H. Lauke on 2017-12-23 (w3c-wai-gl@w3.org from October to December 2017)

From: Patrick H. Lauke <redux@splintered.co.uk>
Date: Sat, 23 Dec 2017 18:56:04 +0000
To: w3c-wai-gl@w3.org
Message-ID: <30687c53-fc3d-389f-3ffa-2c0311cddd13@splintered.co.uk>

On 23/12/2017 18:39, Patrick H. Lauke wrote:
> On 23/12/2017 17:15, Alastair Campbell wrote:
>>  > How would a user be able to use another browser-based or 
>> extension-based password manager or similar tool on a public terminal, 
>> for instance?
>>
>> Same applies to text-modifications, screenreaders and just about any 
>> AT. This is the content guideline.
> 
> Not quite, I'd argue. This SC expressly forbids something from being 
> done, unless a user is able to use a password manager or similar, or 
> there's a  "governing statutory requirements". The same cannot be said 
> for, say, text-modifications.
> 
> Imagine a web-based (internal) system that can only be accessed on 
> locked-down terminals. The system needs to authenticate users, but at 
> the same time doesn't allow installation of password managers, or access 
> to web-based password managers (and even if it did, the user would have 
> to log into the password manager?). Is there any way for this system to 
> pass the SC without compromising security/removing authentication 
> altogether?

Or is a way to pass this, in essence: use text fields that don't prevent 
autofill (i.e. regular text/password input fields), which can in theory 
be filled in by password managers/the UA? Because if so...this SC would 
only prohibit a small number of scenarios (like "enter the first, third 
and seventh digit of your secret number" or similar), and leave any 
other forms of login/authentication untouched (as, unless an author goes 
out of their way, fields will be automatically "populatable" by password 
managers/UAs). And is the exception really only for "name, username, 
password, identification number, and email address" ? Password 
managers/UAs can autofill other types of information as well. Would 
requiring another piece of information, even if it can be autofilled, 
prevent the exclusion from being applied?

P
-- 
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke

Received on Saturday, 23 December 2017 18:56:29 UTC