Web Authentication evaluation

Hi Lisa and All,

As Lisa requested, I reviewed the Web Authentication working draft<https://www.w3.org/TR/webauthn/>. I assessed what impact our Accessible Authentication SC<https://github.com/w3c/wcag21/issues/23> might have on it. (I saw nothing in the working draft that I thought would have an impact on our SC.)

3. Terminology<https://www.w3.org/TR/webauthn/#terminology> contains the following definition of user consent.
"User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts."

I think something fundamental is missing: following prompts. The bulleted list in our SC defines abilities people with cognitive disabilities may lack, and that are needed to follow such prompts.

Throughout the Web Authentication working draft<https://www.w3.org/TR/webauthn/>, there are multiple references to submitting passwords and PINs, to which our SC definitely applies.

Also, there are references to fixed periods in which user interaction is required. (See example below.) There is no discussion of enabling users to extend such periods.

4.1.5. Platform Authenticator Availability <https://www.w3.org/TR/webauthn/#isPlatformAuthenticatorAvailable>
"A timeout value on the order of 10 minutes is recommended; this is enough time for successful user interactions to be performed but short enough that the dangling promise will still be resolved in a reasonably timely fashion."

John

John Rochford<http://bit.ly/profile-rj>
UMass Medical School/E.K. Shriver Center
Director, INDEX Program
Instructor, Family Medicine & Community Health
www.DisabilityInfo.org
Twitter: @ClearHelper<https://twitter.com/clearhelper>

Received on Wednesday, 8 November 2017 17:27:16 UTC