RE: Accessible Authentication and issue responses

> This SC expressly forbids something from being 
> done, unless a user is able to use a password manager or similar, 

It doesn't specify how the user comes up with the username/password/email etc.

It could be with long-term memory, or user-agent-based, or a piece of paper, or something else. (Yes, I know it says you can't rely on a user transcribing, but that is for the content - from one site-provided place to a site-provided input.)

> Imagine a web-based (internal) system that can only be accessed on 
> locked-down terminals. ... Is there any way for this system to 
> pass the SC without compromising security/removing authentication 
> altogether?

Sure, it could have a username/password and the content doesn't block pasting.
The kiosk may not have anything to paste from, there is no user benefit in that scenario, but the content passes.

-Alastair

Received on Sunday, 24 December 2017 00:08:23 UTC