13:47:25 RRSAgent has joined #wcag2ict
13:47:29 logging to https://www.w3.org/2024/02/09-wcag2ict-irc
13:47:29 RRSAgent, make logs Public
13:47:30 Meeting: WCAG2ICT Task Force Teleconference
13:47:30 zakim, clear agenda
13:47:30 agenda cleared
13:47:36 chair: Mary Jo Mueller
13:47:41 meeting: WCAG2ICT Task Force Teleconference
13:48:03 meeting: WCAG2ICT Task Force Extra Friday Teleconference
13:48:18 rrsagent, make minutes
13:48:20 I have made the request to generate https://www.w3.org/2024/02/09-wcag2ict-minutes.html maryjom
13:56:23 PhilDay has joined #wcag2ict
13:58:38 Chuck has joined #wcag2ict
14:01:26 present+
14:02:07 lost audio, working the issue
14:02:49 present+
14:03:15 scribe+ PhilDay
14:03:42 TOPIC: Accessible Authentication Note 3
14:04:18 Sam has joined #wcag2ict
14:04:28 LauraBMiller has joined #WCAG2ICT
14:04:29 Using Google Doc https://docs.google.com/document/d/1op2IO_LEUr9hafvX1doPkwZ2iV1928o_dKgBVl5UYQk/edit#heading=h.1ko98jr234b2
14:04:35 Present+
14:05:06 present+
14:05:29 mitch11 has joined #wcag2ict
14:05:36 present+
14:05:40 We have various proposals for Note 3
14:05:49 present+
14:06:24 Note 3 Option 1: Original proposal NOTE 3: Device passwords, used to unlock a device, are out of scope for this requirement as these are not up to the author.
14:07:20 Looks like most preferred 4 or 7 (votes in the doc)
14:07:38 Note 3 Option 4: Mary Jo - An additional adjustment to the proposal from the 1 Feb. meeting NOTE 3: Passwords used to unlock the underlying platform or system are out of scope for this requirement when the authentication process is not up to the author of the software application.
14:07:47 Note 3 option 7 This requirement applies to any software that implements or includes an authentication process. Note: it does not apply to authentication processes that occur to platform layers below the software in question.
14:09:29 Note 3 option 7 - minor editorial This requirement applies to any software that implements or includes an authentication process. Note: it does not apply to authentication processes that occur in platform layers below the software in question.
14:11:00 Some of these options for note 3 have not been discussed yet - they were added after meetings from last week.
14:11:28 Note 3 option 7 - further editorial This requirement applies to any software that implements or includes an authentication process. Note: it does not apply to authentication processes that occur in platform layers underlying the software in question.
14:13:00 Sam: Option 5 is simpler to read. Option 7 has a nested note that is confusing
14:14:50 Note 3 option 7 - Mary Jo's latest edit, with below swapped for underlying This requirement applies to any software that implements or includes an authentication process. It does not apply to authentication processes that occur in the underlying platform software underlying the software in question.
14:16:07 Mary Jo: Note 3, option 5, was trying to avoid using the language "out of scope"
14:16:31 Sam: Doesn't necessarily exclude platform software - just about whether the author has control.
14:16:52 mitch11: Now happy with option 5 as well
14:17:15 Poll: Which option do you prefer for Note 3?
14:17:27 5
14:18:30 5
14:18:58 4, 5, or 7. I do agree with Mitch that all are rather similar
14:19:25 Looks like option 5 may be the winner...
14:19:38 maryjom: Just worry about the language "out of scope"
14:20:27 maryjom: We've previously only used out of scope in context of hardware
14:22:10 "does not apply" instead of "out of scope"?
14:24:06 Note 3 Option 5: Sam’s edit of option 1, removing out of scope: Passwords used to unlock platform software may be unable to apply to this requirement as these are not up to a software application’s author.
14:24:37 Note 3 Option 5: Sam’s edit of option 1, removing out of scope: Passwords used to unlock platform software may be unable to apply this requirement as these are not up to a software application’s author.
14:25:21 Software applications are not responsible for the authentication process of the underlying platform.
14:26:02 Passwords used to unlock platform software may be unable to apply this requirement when these are not up to a software application’s author.
14:26:55 +1 to Phil last one
14:26:56 Sam & Mitch : like not up to, or not under the control of... author
14:27:18 mitch11: Understanding text uses similar language
14:27:57 https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html#two-factor-authentication
14:28:57 "Evaluating whether or not the code can be seamlessly transferred from the secondary device to the primary device is outside of the scope for this Success Criterion. ..."
14:29:14 mitch11: So we could take a similar approach if we wanted
14:30:08 Poll: Which is your preferred option?
14:30:10 Note 3 Option 9: Edit of Sam’s option 5 Passwords used to unlock platform software may be unable to apply this requirement when these are not up to a software application’s author.
14:31:36 Note 3 Option 9: Edit of Sam’s option 5: Passwords used to unlock platform software may be unable to apply this requirement when the authentication process is not up to a software application’s author.
14:31:49 Option 5 then Option 9
14:31:55 LauraBMiller has joined #WCAG2ICT
14:31:57 prefer 5, accept 9
14:32:00 9, but also happy with 5
14:32:28 Chuck: Also prefers 5, as 9 reads like the password applies the requirement. 5 reads better, but understand the sentiment of 9
14:32:33 prefer 5 with addition of "underlying", accept 9
14:33:22 Note 3 Option 9: Edit of Sam’s option 5: Software authors may be unable to apply this success criterion to underlying platform software when the authentication process is outside their control.
14:33:56 Note 3 Option 10: Edit of Sam’s option 5: Software authors may be unable to apply this success criterion to underlying platform software when the authentication process is outside their control.
14:34:15 Prefer 5
14:34:34 5 is clearer - go with this, and take it to the full task force
14:34:47 Consensus from this small sub group is 5 is the least bad
14:34:59 Latest version: Note 3 Option 5: Sam’s edit of option 1: Passwords used to unlock the underlying platform software are out of scope for this requirement as these are not up to a software application’s author.
14:35:09 TOPIC: Note 5
14:35:22 TOPIC: Note 4
14:35:25 https://docs.google.com/document/d/1op2IO_LEUr9hafvX1doPkwZ2iV1928o_dKgBVl5UYQk/edit#heading=h.z3essot4tqpy
14:37:02 Note 4 Option 3: Mary Jo’s take (Move the note to Closed Functionality, and change it to the following) NOTE 4: Systems that are designed for shared use (such as in a public library) might block mechanisms typically used to assist the user, such as copying authentication information from a password manager. Instead, an alternative authentication method might be necessary, such as an identity card scanner.
14:37:06 Poll: Do you prefer option 3 or 4?
14:37:09 Note 4 Option 4: Phil’s modification (Move the note to Closed Functionality, and change it to the following) NOTE 4: Systems that are designed for shared use (such as in a public library) or have closed functionality might block mechanisms typically used to assist the user, such as copying authentication information from a password manager. Instead, an alternative authentication method might be helpful, such as an identity card scanner.
14:37:09 4
14:37:15 4, but happy with 3
14:37:22 4
14:37:32 4
14:37:37 4
14:37:55 Sam: Are we agreed to move this to closed functionality section?
14:38:34 Poll: Should Note 4 be moved to the closed functionality section?
14:38:36 +1
14:38:41 +1
14:38:43 +1
14:38:59 +1
14:39:10 Consensus from this sub group - go with option 4, and move to SC problematic for Closed functionality
14:39:43 mitch11: Noticed Gregg had an editorial - change 'mechanism' to 'method'. May speed things up prior to survey
14:40:24 maryjom: mechanism is used as the language in the SC
14:41:01 Note 4 Option 4b: Phil’s modification - method instead of mechanism (Move the note to Closed Functionality, and change it to the following) NOTE 4: Systems that are designed for shared use (such as in a public library) or have closed functionality might block method typically used to assist the user, such as copying authentication information from a password manager. Instead, an alternative authentication method might be helpful, such as an[CUT]
14:41:11 TOPIC: Note 5
14:41:19 https://docs.google.com/document/d/1op2IO_LEUr9hafvX1doPkwZ2iV1928o_dKgBVl5UYQk/edit#heading=h.rkhvefkum5cm
14:42:06 Poll: Which option do you prefer?
14:43:30 3, but it might make sense to move to SC problematic for closed
14:44:20 3
14:45:37 Where standards for banking or security have authentication requirements that are regulated or strictly enforced, those requirements may supersede the 3.3.8 Accessible Authentication (Minimum). For example, some [software applications | systems with closed functionality], particularly those that handle financial transactions, have a requirement for a personal identification number (PIN) for authentication.
14:47:10 LauraBMiller: Like removal of the problematic. There are methods to help people to enter PIN on glass.
14:47:22 Chuck: Would like to subtract a portion from note 5
14:48:11 Chuck: Was using option 3 of note 5
14:48:34 LauraBMiller: Agree that simplifying option 3 improves it
14:48:51 Note 5 Option 3: A variation of Option 2 calling out conflicting standards/regulations, removing “problematic” [Use both in the general section and in closed functionality, saying “software applications” for the former or “systems with closed functionality” for the latter (in bold).] NOTE 5: Where standards for banking or security have authentication requirements that are regulated or strictly enforced, those requirements may sup[CUT]
14:49:02 ...
14:49:04 ... Authentication (Minimum). For example, some [software applications | systems with closed functionality], particularly those that handle financial transactions, have a requirement for a personal identification number (PIN) for authentication.
14:49:12 +1
14:49:17 +1
14:49:24 NOTE 5: Where standards for banking or security have authentication requirements that are regulated or strictly enforced, those requirements may supersede the 3.3.8 Accessible Authentication (Minimum). For example, some [software applications | systems with closed functionality], particularly those that handle financial transactions, have a requirement for a personal identification number (PIN) for authentication.
14:49:25 Poll: Can we use Option 3 and delete the last two sentences?
14:49:30 +1
14:49:33 +1
14:50:08 +1 with one edit: change "supersede" to "legally supersede"
14:51:12 with Mitch's tweak: NOTE 5: Where standards for banking or security have authentication requirements that are regulated or strictly enforced, those requirements may legally supersede the 3.3.8 Accessible Authentication (Minimum). For example, some [software applications | systems with closed functionality], particularly those that handle financial transactions, have a requirement for a personal identification number (PIN) for authentication.
14:51:33 +0.75
14:51:44 +1
14:51:45 Poll: agree with above language, and propose to the TF it be added to the SC problematic for closed functionality
14:51:48 +1
14:51:49 +1
14:51:54 +1
14:52:02 +1.25
14:52:08 +1
14:52:54 mitch11: happy for it to not be in general SC - and only apply to closed.
14:53:18 maryjom: Could add an editor's note: are there any non-closed systems that this might apply to as well?
14:54:22 Next Friday we will return to adjustments to Reflow. We were working on public comments that touch on this
14:55:31 If there are any items from problematic for closed that you have been working on and want to bring to the Friday meeting - let Mary Jo know
14:55:59 rrsagent, draft minutes
14:56:01 I have made the request to generate https://www.w3.org/2024/02/09-wcag2ict-minutes.html PhilDay
14:56:42 zakim, bye
14:56:42 leaving. As of this point the attendees have been PhilDay, Chuck, LauraBMiller, maryjom, Sam, mitch
14:56:42 Zakim has left #wcag2ict
14:57:10 zakim, end meeting
14:57:25 rrsagent, bye
14:57:25 I see no action items