RE: Accessible authentication

The related issue that I have seen with apps and codes is that they are timed.  Generally you only have about 60 seconds to either activate "approve" or copy over a number.  The timing fail other SC like 2.2.1 unless you see it as an essential exception.


-----Original Message-----
From: Laura Carlson <> 
Sent: Friday, November 8, 2019 10:19 AM
To: Alastair Campbell <>; Rochford, John <>
Cc: WCAG list ( <>
Subject: Re: Accessible authentication

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi Alastair, John, and all,

Thanks to John for his tireless work on this SC. The following is an example from the University of Minnesota (UMN).

The UMN requires 2-factor authentication at sign-in:

First, a person must enter a passphrase. Then they need to a verify their identity with a device.

I have attached 3 screenshots to this email that illustrates the process. They are:

1. passphrase-sign-in-screenshot.png

The first Passphrase screenshot illustrates that a person needs to enter their internet ID (user name) and password (passphrase).

A year ago the UMN began requiring a less-complex set of password rules (pass phrases).

A checkbox is available to reset/recover a password (passphrase).

2. recover-passphrase-screenshot.png

The 2nd recover passphrase illustrates that to recover a password (if
needed) a person would enter their Internet ID (user name) or alternate email address and then:

* Answer password reset questions.
* Or enter their account’s alternate email address.
* If they have not set up a password reset question or cannot access an alternate email, they would need to phone Technology Help for assistance.

3. device-sign-in-screenshot.png

The 3rd screenshot illustrates that a person needs to select a device to authenticate with Duo. In this case an Android device is selected.
(Other options in this case were landlines and mobile phones.)

Then they need to choose an authentication method:

* Duo Push (Recommended)

* Call Me
* Passcode

A checkbox is available to remember the person  for 7 days.

Note: If a landline had been chosen as the device a person could have duo call that line and then they would have to press any key on that phone. Alternatively they could enter a "Passcode", which is a 9 digit number that the person needs to generate in advance.

Help options on all 3 screenshots include:

* Technology Help Website

* Call a Phone Number
* Chat Online
* Visit Walk-in Locations
* Email the Help Desk


* Duo Security at Sign In

* Authenticating with the Duo Prompt

* Remember Me for 7 Days

* Device Options

* Duo: Use the Duo Mobile App

* Duo: Use a Backup Device

* No WiFi or Cell Service

* Duo: Generate and Use a Bypass Code

Kind Regards,

On 11/7/19, Alastair Campbell <> wrote:
> Hi everyone,
> John Rochford has been continuing to work on the Accessible 
> Authentication SC, which is on the agenda for Tuesday.
> Something that would be very helpful for this SC is examples, both 
> good examples and challenging ones.
> For example, email providers are particularly challenging as you 
> cannot do a simple email reset. From what I can see:
>   *   Google provides multiple methods for 2nd factor authentication,
> including a very simple 'google prompt' [1] where you just tap 'yes' 
> in a gmail app on your device. However, username/password is the 
> primary step for login, I can't see a way around that.
>   *   Microsoft accounts default to username password, but if you use the
> Edge browser (possibly others) you can use Windows Hello [2] or a 
> security key instead.
>   *   Apple defaults to username and password. If you enable 2 factor, that
> is a 6 digit code to transcribe.
> So of the big platform & email providers, one enables you to avoid the 
> username/password step for their online account logins. You can also 
> do an email loop to a backup address, but I think you are then 
> resetting the password.
> As Bruce mentioned, a secure authentication requires at least 2 
> factors, e.g. something you know, something you have, or something you are.
> For the WebauthN approach, it is moving both to your device. I.e. you 
> have the device, and you authenticated to the device with something 
> you have/know (e.g. biometric or password/pin).
> So, does anyone else have any good and/or complex examples?
> Kind regards,
> -Alastair
> 1]

> why-you-should-set-up-prompt-based-2fa/
> 2]

> crosoft-account-windows-hello-security-key
> --
> tel: +44 (0)117 929 7333 / 07970 879 653 follow us: @we_are_nomensa or 
> me: @alastc Nomensa Ltd. King William House, 13 Queen Square, Bristol 
> BS1 4NT
> Company number: 4214477 | UK VAT registration: GB 771727411

Laura L. Carlson

Received on Friday, 8 November 2019 17:26:33 UTC