> This SC expressly forbids something from being
> done, unless a user is able to use a password manager or similar,

It doesn't specify how the user comes up with the username/password/email etc. It could be with long term memory, or user-agent based, or a piece of paper, or something else.

(Yes, I know it says you can't rely on a user transcribing, but that is for the content - from one site-provided place to a site provided input.)

> Imagine a web-based (internal) system that can only be accessed on
> locked-down terminals. ... Is there any way for this system to
> pass the SC without compromising security/removing authentication
> altogether?

Sure, it could have a username/password and the content doesn't block pasting. The kiosk may not have anything to paste from, there is no user-benefit in that scenario, but the content passes.

-Alastair

Received on Sunday, 24 December 2017 00:08:23 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 21:08:19 UTC