Authentication on the Web: Issue List

From Research Questions Task Force

Purpose

This page identifies issues associated with accessible authentication on the Web that are potentially of interest to the Research Questions Task Force. It is expected to be refined as work on this topic progresses.

Much of this work is likely to relate to the Web Authentication: An API for accessing Scoped Credentials specification.

Further background relevant to this specification, and mentioned by participants in the Web Application Security Working Group, is the activity of the FIDO Alliance. See Rolf Lindemann, The Evolution of Authentication: The Role of Secure Hardware in Overcoming Authentication Challenges.

Issues

Biometric Authentication Mechanisms

Biometric means of authentication necessarily make assumptions about the user's possessing certain biological characteristics and capabilities. These assumptions may fail to hold due to a person's disability, and this situation may change over time (e.g., in the circumstance of an acquired disability).

  • How should biometric authentication schemes be designed, having regard to human diversity?
  • What would constitute an appropriate set of alternative biometric authentication mechanisms capable of supporting the needs of a wide variety of users?
  • What, if any, are the security advantages and shortcomings of different biometric authentication mechanisms, and how should these considerations affect the guidance offered to developers of authentication systems in the design of their hardware and software?
  • What provisions, if any, should be made in forthcoming Web-related authentication standards, or in future W3C/WAI Guidelines, to support the development of biometric authentication schemes that are accessible to a wide variety of people with disabilities?

Multi-Factor Authentication

Multi-factor authentication procedures are becoming more common. While providing welcome security advantages, they can in some circumstances give rise to interesting questions of accessibility.

  • What guidance concerning accessibility should be offered to developers of multi-factor authentication systems? For example, some authentication hardware tokens provide only visually displayed output that is inherently inaccessible to certain users.
  • Do W3C/WAI Guidelines need to be extended to ensure the accessibility of applications that are protected by multi-factor authentication schemes by requiring the hardware and software to meet specific accessibility requirements? If so, what should be the content of such requirements?

Cross-Site Authentication Methods

Protocols such as OAuth enable services provided by a Web application to be authorized for use by a user whose identity is authenticated elsewhere, typically by a Web site designated by the provider of the application.

  • What requirements, if any, should providers of such applications and of the Web sites offering authentication services be expected to meet in ensuring the accessibility of the user's authentication experience?

Authentication in a remote learning context

A potential use case concerns the accessibility implications of authentication methods for remote learners participating in a proctored test administered online. Issues that arise may relate to initial and ongoing authentication checks before and during a test.

  • What issues are encountered when trying to establish the identity of someone taking an online test?