RE: Accessible Authentication and issue responses

> I guess the "understanding" doc really needs to clarify some more aspects of this

NB: The understanding doc is very out of date; the SC text changed quite a bit in the last couple of weeks.

> But if a site can pass by simply having regular inputs that don't 
> somehow disable autofill, the push (if that's the intention) seems quite soft.

It depends what level of security you are aiming for as to how difficult. If you have 2 factor it does steer you towards particular solutions.
The recent changes (that I was pushing for) were about making it feasible for smaller sites which don't use 2 factor. If you do, you should aim for a WebAuth mechanism (which puts the responsibility for tech choice on the user), rather than (or as well as) a type-in 6 digit in 30 seconds version.


> This aspect (of the copying from a piece of paper, or presumably then 
> from another handheld device) isn't clear from the normative language.

We are not trying to specify what is happening on the user-end, just what the site cannot rely on.

> Is this "copying" related to CAPTCHAs? Because again, this is a separate 
> issue I'd argue, not an authentication one. It's a "challenge" rather 
> than "authentication".

If you have to transcribe a captcha to authenticate then yes, if it is separate, no.

>> Sure, it could have a username/password and the content doesn't block pasting.
>> The kiosk may not have anything to paste from, there is no user-benefit in that scenario, but the content passes.
>
> Hoping that this gets very explicitly mentioned as an example in 
> understanding then. Maybe it even warrants a note in the normative 
> language, to talk about user agent/environment limitations? 

Is the content requirement not clear? Do we state that you can't (usually) use a screenreader in a kiosk environment?

The understanding doc does need updating; I can help with that early next year so long as everyone can live with the SC text for now.
But for now I'm hitting the road for Christmas, see you on the other side 😊

-Alastair

Received on Sunday, 24 December 2017 09:35:07 UTC