Fw: DRAFT Re: WAI help with WSC ISSUE-125

----- Forwarded by Mary Ellen Zurko/Westford/IBM on 02/04/2008 10:51 PM -----

From: Al Gilman <Alfred.S.Gilman@ieee.org>
To: w3c-wai-pf@w3.org
Cc: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: 02/04/2008 09:27 PM
Subject: DRAFT Re: WAI help with WSC ISSUE-125




On 25 Jan 2008, at 9:05 AM, Mary Ellen Zurko wrote:

>
> Hi Al,
>
> We've got another issue in wsc-xit that we could use some WAI help 
> with.
> http://www.w3.org/2006/WSC/track/issues/125
>
> We're addressing some issues around "shoulder surfing" in one of 
> our recommendations.
> http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
>
> Right now, it's totally phrased in terms of visuals. We need to 
> know what the current functionality in screen readers and other 
> assistive technology is when it deals with passwords or other 
> strings that are generally masked on input. Can someone give us a 
> quick tutorial or some pointers? Thanks for your time and help.

Hi, MEZ:

My colleagues have given me a quick refresher.

http://lists.w3.org/Archives/Member/w3c-wai-pf/2008JanMar/thread.html#msg81

A summary of the feedback so far is that:

(a) the behavior recommended by the blind community is that
the characters / keystrokes of password entry are not echoed
in the screen reader audio just as they are not echoed on the screen.

(b) by now, this recommended behavior is by and large
the actual user experience, when dealing with Operating System
widgets or Web forms through a screen reader.  Earlier, the
keystrokes were echoed from the keyboard interface without
regard for the security significance of the field being entered.
But the users complained, because a blind user can even less
tell who is listening than the sighted user will notice who
is watching.

caveat:

This does not address the barriers to use by people with
dyslexia and cognitive disabilities that are raised by
username:password as the authorization dialog.

Working around that barrier involves substituting authentication
mechanisms at a higher level than just non-echo of the password
field in a username:password pair.

This does not necessarily involve introducing any new
access control techniques into practice, but rather opening
up web applications to higher-security options that are
more forgiving of human conditions where the standard
technique raises barriers.

Examples could be password-generating devices for the dyslexic
and biometric authentication for the severely learning disabled.

Al

>           Mez
>
>
>

Received on Tuesday, 5 February 2008 03:52:37 UTC