RE: Timeouts and WebauthN

Alastair,

If the effect is the same as extending the time, and is less effort than dealing with a dialogue which interrupts your flow and has to be read and consumed, I think it absolutely should be sufficient to satisfy this criterion.  We did a similar analysis with the Solaris login, where any keyboard press to enter the next character of your username or password reset the timeout. So as long as the user didn't take more than some number of minutes to enter their next character, they would be able to get through the login process more easily than if they had to get a warning message, deal with that dialogue, and dismiss it within that same timeout period.

Regards,

Peter

From: Alastair Campbell <acampbell@nomensa.com>
Sent: Tuesday, July 13, 2021 1:56 PM
To: WCAG list (w3c-wai-gl@w3.org) <w3c-wai-gl@w3.org>
Subject: Timeouts and WebauthN

Hi Folks,

We have an outstanding question (https://github.com/w3c/wcag/issues/1885) on Accessibility Authentication, which is:

If a login with WebauthN is used to pass Accessible Authentication, does that pass 2.2.1 Timing (https://www.w3.org/WAI/WCAG21/Understanding/timing-adjustable.html)?

If you login with WebauthN, there is a timeout setting that defaults to 5 minutes:
https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredentialcreationoptions-timeout

From the timing understanding doc, it goes into detail trying to differentiate the 'content' from server-side/internet time-outs: "Time limits set externally to content, such as by the user agent or by factors intrinsic to the Internet are not under the author's control and not subject to WCAG conformance requirements."

As far as I can tell, the website content is what sets the limit (in WebauthN it is the "Relying Party Server").

My understanding of the scenario is that:

  *   You arrive at a login page;
  *   You start the login process, essentially selecting a button;
  *   You have 5 minutes (by default) to authenticate with your device (e.g. type in a PIN, facial recognition);
  *   If you manage to, you are logged in.
  *   If you do not manage to, you have to hit the button again to start the process, and restart the 5 minutes.

So the impact of not authenticating with your device in time is minimal, arguably less than having to hit a dialogue warning you of being logged out.

Given that you are not logged out, could hitting the button again count as extending the time?

Kind regards,

-Alastair

--

@alastc / www.nomensa.com

Received on Tuesday, 13 July 2021 21:15:19 UTC
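The login flow Alastair describes (one button press starts one WebAuthn ceremony with its own timeout; an expired ceremony is simply started again), as an added example that is not part of the thread and not code from any WebAuthn implementation. It assumes a `credentials` object with a `get(options)` method (in a page this would be `navigator.credentials`), a hypothetical `fetchChallenge` call to the relying party server, and the spec's behaviour that an expired timer is reported to the page as a `NotAllowedError`. The fake credential container and challenge source at the bottom are constructed so the flow runs outside a browser.

```javascript
// Added example: client side of a WebAuthn login where each button press is
// one authentication ceremony. Not code from the thread or from any library.
// Assumptions: `credentials` exposes get(options) like navigator.credentials;
// `fetchChallenge` is a hypothetical relying party server call; expiry of the
// timer surfaces as an error named NotAllowedError, per the WebAuthn spec.

const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // the 5-minute default discussed in the thread

// Request options for one ceremony. The relying party chooses `timeout`; the
// browser treats it as a hint and may shorten or lengthen it.
function buildRequestOptions(challenge, rpId, timeoutMs = DEFAULT_TIMEOUT_MS) {
  return {
    publicKey: {
      challenge,            // fresh random bytes from the server, used once
      rpId,
      timeout: timeoutMs,
      userVerification: 'preferred',
    },
  };
}

// A timeout and a user cancel both surface as NotAllowedError; anything else
// is a real failure that should not be silently retried.
function isRetryableFailure(err) {
  return Boolean(err) && err.name === 'NotAllowedError';
}

// One ceremony: what happens on a single press of the login button.
async function attemptLogin(credentials, challenge, rpId, timeoutMs) {
  try {
    const assertion = await credentials.get(buildRequestOptions(challenge, rpId, timeoutMs));
    return { status: 'authenticated', assertion };
  } catch (err) {
    if (isRetryableFailure(err)) return { status: 'expired' };
    throw err;
  }
}

// Repeated presses until success or `maxPresses` attempts. Every press fetches
// a new challenge, so the challenge of an expired ceremony is never reused
// and the user is never logged out between presses.
async function loginWithRetries(credentials, fetchChallenge, rpId, maxPresses, timeoutMs) {
  const history = [];
  for (let press = 1; press <= maxPresses; press++) {
    const challenge = await fetchChallenge();
    const result = await attemptLogin(credentials, challenge, rpId, timeoutMs);
    history.push({ press, challenge, status: result.status });
    if (result.status === 'authenticated') {
      return { authenticated: true, presses: press, history };
    }
  }
  return { authenticated: false, presses: maxPresses, history };
}

// Constructed stand-in for navigator.credentials: the first `failures`
// ceremonies reject with NotAllowedError (as an expired timer would), then succeed.
function fakeCredentials(failures) {
  let calls = 0;
  return {
    async get(options) {
      calls += 1;
      if (calls <= failures) {
        const err = new Error('The operation either timed out or was not allowed.');
        err.name = 'NotAllowedError';
        throw err;
      }
      return { id: 'cred-1', challengeSeen: options.publicKey.challenge };
    },
  };
}

// Constructed challenge source: a counter standing in for server-side randomness.
function fakeChallengeSource() {
  let n = 0;
  return async () => `challenge-${(n += 1)}`;
}

// Stand-alone run: first press expires, second press authenticates.
loginWithRetries(fakeCredentials(1), fakeChallengeSource(), 'example.com', 3).then((r) =>
  console.log(JSON.stringify(r)),
);
```

The point of `loginWithRetries` fetching a new challenge on every press is that the retry Alastair proposes as "extending the time" is, on the wire, a brand-new ceremony: the server must issue a fresh single-use challenge, and the old one must be rejected if it ever comes back.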