<MichaelC> trackbot, start meeting
<kirkwood> It's a really tough week in the US. big holiday time
<kirkwood> I’d expect more in the next week possibly
<kirkwood> everyone is so different and the others not on the call would be best to get input from
<kirkwood> i think ;)
<Lisa> take off the 21st and 28th
<kirkwood> yes good w/ me
<EA> EA please can you put the dates here as my line is very poor again - sorry
<Lisa> take off the 21st and 28th
<EA> me too hearing is very difficult for me as well
<MarkWilcock> The quality is poor for me as well.
<scribe> Scribe: Jan
Item: Update to WCAG 2.1
Lisa: If we don't address all of the comments on the SCs, then they will either be dropped or marked at risk
... just because SCs get into the draft, that does not mean that they will get through consensus.
... today's deadline, purpose of controls will be addressed on the call. It looks like it will make it in. The other SCs did not get time for a review.
Authentication is stuck right now - it got an hour discussion, but did not reach consensus.
Lisa: If we write to the list that we are okay with the modified wording of Authentication, then it might get in.
... Alistair's wording is a compromise:
<Lisa> Essential steps of a single-factor re-authentication process which relies on recalling or transcribing information has one of the following: alternative essential steps, which do not rely upon recalling or transcribing information. an authentication-credentials reset process, which does not rely upon recalling or transcribing information Except that the authentication process can rely on the user inputting basic personal information such as name, address, email
<Lisa> Unless there are legal requirements for a recall or transcribe method of authentication.
Lisa: There was aggressive debate about how do we know that copying information is difficult for people. Because there was a lack of feedback on the call about it, it would help for people to say it.
EA: I thought there was a mention of copying from SMS being difficult - I have been looking for research to back that up that recall is compromised for certain populations, but so far have not been able to find anything.
<kirkwood> that's very very good point EA!
EA: the problem is that I am seeing this in other people, not myself
Lisa: That is fine - your experience is really good
... EA, do you think it's worth having it in?
EA: It is better to have it in than to lose it.
<kirkwood> I think we should try and have it in
Lisa: The problem with this is that the way around this SC is to have multi-step authentication because we are calling out single-factor in the SC. Do we prefer having multiple steps?
<kirkwood> it seems that would be more difficult to me too
The problem with calling out "single-factor" re-authentication is that you can get around this with a multi-step authentication process that DOES require transcription AND adds more steps. I believe this will result in making things more difficult for people with cognitive disabilities, rather than less difficult.
<EA> +1 to Jan's comment
Lisa: Should we propose that this be labeled at risk, or have the original wording moved to AAA?
<Lisa> mark agrees as well
<EA> Mark is right
Mark: Most websites will likely go with a multi-step authentication anyway, so I think we should consider going down the path of AAA with the original wording.
<Lisa> our proposal is to ask that it is labeled at risk with a note that it may be moved to AAA
+1 to the proposal
<EA> Usability of Single- and Multi-factor Authentication Methods on Tabletops: A Comparative Study
EA: There is a paper on this subject
Lisa: We need to get this paper sent to the AG list from EA
EA: I will download the article and highlight the issues and then send. I am concerned that it may not be robust enough.
Lisa: The understandings section is really important. Do we have any volunteers to look at the Understandings document for authentication?
... I will send the Understandings Document to the list so that we can add more examples of why this is important.
<Lisa> Where data can be lost due to user inactivity, users are warned once, before an activity timer is set, about the estimated length of inactivity that generates the data loss, unless the data is preserved for a minimum of 20 hours of user inactivity.
<kirkwood> i think the 20 hours was the major problem with it no? my recollection might be off
<EA> I could not work out why it changed from 24 to 20?
<kirkwood> it was having the server hold the info/session for that amount of time, maybe i’m wrong
<Lisa> The coga task force can live with the following wording for time outs: Where data can be lost due to user inactivity, users are warned once, before an activity timer is set, about the estimated length of inactivity that generates the data loss, unless the data is preserved for a minimum of 20 hours of user inactivity. however we do object to the change the hours from 20 to 24, but we would rather it goes in with that change than be left out.
<Lisa> open an issue with any and all new terms