- From: Laura Carlson <laura.lee.carlson@gmail.com>
- Date: Fri, 8 Nov 2019 09:19:23 -0600
- To: Alastair Campbell <acampbell@nomensa.com>, "Rochford, John" <john.rochford@umassmed.edu>
- Cc: "WCAG list (w3c-wai-gl@w3.org)" <w3c-wai-gl@w3.org>
- Message-ID: <CAOavpvdqOPE=C2fRBjZJqYH3k1D-9=GYpJHHqw_YzJJYocfYhA@mail.gmail.com>
Hi Alastair, John, and all,

Thanks to John for his tireless work on this SC.

The following is an example from the University of Minnesota (UMN). The UMN requires 2-factor authentication at sign-in:
https://it.umn.edu/technology/duo-two-factor-authentication

First, a person must enter a passphrase. Then they need to verify their identity with a device. I have attached 3 screenshots to this email that illustrate the process. They are:

1. passphrase-sign-in-screenshot.png

The first (passphrase) screenshot illustrates that a person needs to enter their Internet ID (user name) and password (passphrase). A year ago the UMN began requiring a less-complex set of password rules (passphrases).
https://it.umn.edu/good-practice/create-secure-memorable-passphrase

A checkbox is available to reset/recover a password (passphrase).

2. recover-passphrase-screenshot.png

The 2nd (recover passphrase) screenshot illustrates that to recover a password (if needed) a person would enter their Internet ID (user name) or alternate email address and then:
* Answer password reset questions.
* Or enter their account's alternate email address.
* If they have not set up a password reset question or cannot access an alternate email, they would need to phone Technology Help for assistance.

3. device-sign-in-screenshot.png

The 3rd screenshot illustrates that a person needs to select a device to authenticate with Duo. In this case an Android device is selected. (Other options in this case were landlines and mobile phones.) Then they need to choose an authentication method:
* Duo Push (Recommended) https://it.umn.edu/duo-use-duo-mobile-app#push
* Call Me
* Passcode https://it.umn.edu/duo-generate-use-bypass-code

A checkbox is available to remember the person for 7 days.

Note: If a landline had been chosen as the device, a person could have Duo call that line and then they would have to press any key on that phone. Alternatively they could enter a "Passcode", which is a 9-digit number that the person needs to generate in advance.

Help options on all 3 screenshots include:
* Technology Help Website https://it.umn.edu/technology-help-our-staff
* Call a Phone Number
* Chat Online
* Visit Walk-in Locations
* Email the Help Desk

References:
* Duo Security at Sign In https://it.umn.edu/duo-security-sign-in
* Authenticating with the Duo Prompt https://guide.duo.com/prompt
* Remember Me for 7 Days https://it.umn.edu/duo-security-sign-in/remember-me-7-days
* Device Options https://it.umn.edu/duo-security-sign-in/device-options
* Duo: Use the Duo Mobile App https://it.umn.edu/duo-use-duo-mobile-app
* Duo: Use a Backup Device https://it.umn.edu/duo-use-backup-device
* No WiFi or Cell Service https://it.umn.edu/duo-no-wifi-no-cell-service-no-problem
* Duo: Generate and Use a Bypass Code https://it.umn.edu/duo-generate-use-bypass-code

Kind Regards,
Laura

On 11/7/19, Alastair Campbell <acampbell@nomensa.com> wrote:
> Hi everyone,
>
> John Rochford has been continuing to work on the Accessible Authentication
> SC, which is on the agenda for Tuesday.
>
> Something that would be very helpful for this SC is examples, both good
> examples and challenging ones.
>
> For example, email providers are particularly challenging as you cannot do a
> simple email reset. From what I can see:
>
> * Google provides multiple methods for 2nd factor authentication,
> including a very simple 'google prompt' [1] where you just tap 'yes' in a
> gmail app on your device. However, username/password is the primary step for
> login, I can't see a way around that.
>
> * Microsoft accounts default to username password, but if you use the
> Edge browser (possibly others) you can use Windows Hello [2] or a security
> key instead.
>
> * Apple defaults to username and password. If you enable 2 factor, that
> is a 6 digit code to transcribe.
>
> So of the big platform & email providers, one enables you to avoid the
> username/password step for their online account logins. You can also do an
> email loop to a backup address, but I think you are then resetting the
> password.
>
> As Bruce mentioned, a secure authentication requires at least 2 factors,
> e.g. something you know, something you have, or something you are.
>
> For the WebAuthn approach, it is moving both to your device. I.e. you have
> the device, and you authenticated to the device with something you have/know
> (e.g. biometric or password/pin).
>
> So, does anyone else have any good and/or complex examples?
>
> Kind regards,
>
> -Alastair
>
> [1]
> https://nakedsecurity.sophos.com/2018/04/26/gmail-users-heres-how-and-why-you-should-set-up-prompt-based-2fa/
> [2]
> https://support.microsoft.com/en-us/help/4463210/windows-10-sign-in-microsoft-account-windows-hello-security-key
>
> --
>
> www.nomensa.com<http://www.nomensa.com/>
> tel: +44 (0)117 929 7333 / 07970 879 653
> follow us: @we_are_nomensa or me: @alastc
> Nomensa Ltd. King William House, 13 Queen Square, Bristol BS1 4NT
>
> Company number: 4214477 | UK VAT registration: GB 771727411

--
Laura L. Carlson
Attachments
- image/png attachment: passphrase-sign-in-screenshot.png
- image/png attachment: recover-passphrase-screenshot.png
- image/png attachment: device-sign-in-screenshot.png
Received on Friday, 8 November 2019 15:19:28 UTC