Re: some questions: : working on re-authentication

> as worded - the logic is circular.

I don’t understand why you think that?

> the "if not block” should be a technique not a requirement or exception.

Some sites intentionally block user-agents from filling in form fields; how would you phrase it? As far as I can tell, we have to provide a short list of things that we exempt from the no-recall/transcribe requirement in order to both help users, and make it feasible.

> *   have to give personal (very personal) info to every tom dick and harry website

You know you can use username/password? How is that different from every site now? There is a short list of items we can rely on people entering (bypassing the no-recall/transcribe requirement). Those should not be the only method; they are part of alternative methods.

> *   you need to use biometrics  — and the author of a webpage cannot know if biometrics are available on the other end ( and in fact they are NOT available on the other end much of the time)

You don’t have to use biometrics, but if a site has set up that facility, it would know it was available. It would work on a per-account basis, so as long as the user can enter their username (or equivalent) identifying information, the site can provide the 2nd factor they have set up.

-Alastair

Received on Sunday, 24 December 2017 08:07:03 UTC