Re: Accessible Authentication and issue responses

On 24/12/2017 00:07, Alastair Campbell wrote:
>> This SC expressly forbids something from being
>> done, unless a user is able to use a password manager or similar,
> 
> It doesn't specify how the user comes up with the username/password/email etc.
> 
> It could be with long term memory, or user-agent based, or a piece of paper, or something else. (Yes, I know it says you can't rely on a user transcribing, but that is for the content - from one site-provided place to a site-provided input.)

This aspect (of the copying from a piece of paper, or presumably then 
from another handheld device) isn't clear from the normative language.

Is this "copying" related to CAPTCHAs? Because again, this is a separate 
issue I'd argue, not an authentication one. It's a "challenge" rather 
than "authentication".

>> Imagine a web-based (internal) system that can only be accessed on
>> locked-down terminals. ... Is there any way for this system to
>> pass the SC without compromising security/removing authentication
>> altogether?
> 
> Sure, it could have a username/password and the content doesn't block pasting.
> The kiosk may not have anything to paste from, there is no user-benefit in that scenario, but the content passes.

Hoping that this gets very explicitly mentioned as an example in 
understanding then. Maybe it even warrants a note in the normative 
language, to talk about user agent/environment limitations? As well as 
an explanation somewhere what "governing statutory requirements" are in 
this context.

P
-- 
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke

Received on Sunday, 24 December 2017 01:37:13 UTC