Comment Summary 2-2-6
Version after 11/27 call
Accessible Authentication (A):
Required steps of an authentication process which rely upon recalling or transcribing information have one of the following:
- alternative required steps, which do not rely upon recalling or transcribing information
- an authentication-credentials reset process, which does not rely upon recalling or transcribing information
Except for when any of the following are true:
- Authentication process involves basic personal identification information to which the user has easy access, such as name, address, email address and identification or social security number.
- This is not achievable due to legal requirements.
Accessible Authentication comment responses
354: change the exception wording to legal requirements outside the control of the content owners
372: this is part of the discussion on essential
440: Two-factor authentication processes are often not usable for people with cognitive and learning disabilities, and anyone with an impaired working memory. This is a huge problem. However, two-factor authentication processes can become conformant by including a link in the authentication text that needs to be pressed, or by use of a token. We will also give the issue paper on https://w3c.github.io/coga/issue-papers/privacy-security.html, and the issues with copying information are discussed in https://www.w3.org/TR/coga-user-research/. (On a personal note, today (27/11/2017), I had to log into my bank, which uses sending me an SMS that I need to copy. My account login was soon suspended due to too many errors. I had to log in with their support on the phone so that they can reactivate it every time I make a mistake. Fortunately their phone support does not have an automated menu, so at least I could reach them. Had their phone system been an automated system I would not be able to use the site at all.)
441: There are lots of techniques that do not require using email, such as allowing a page that conforms to this success criterion with a high level of security, such as conforming to Web Authentication: An API for accessing Public Key Credentials, with biometrics or a token or token CRM being allowed options. We will be building the official techniques soon. Example sites include:
- the EU site for research funding, which allows multiple login methods, all of which have a high level of security.
- the w3c site which allows you to set a new password each time you use it (which is actually how I use it).
You can use multi-factor authentication, but you would need to use a token / Bluetooth option offered as an alternative to the copying step, such as https://saaspass.com/about/bluetooth-ble-two-factor-authentication.html
Resetting is just one option. Also see our draft understanding section at https://docs.google.com/document/d/13hmoaVU563kTio1EZD5mbNxcc0k924qVdZZwWckcbu0/edit#
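The link-based second factor described in the responses to 440 and 441 (the user taps a link in the message instead of transcribing a code), as an added illustration that is not part of the working group's material; the confirmation URL, the in-memory pending-login store and the 10-minute lifetime are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


def _digest(token: str) -> str:
    # Store only a hash so a leaked pending-login table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingLogin:
    user: str
    token_hash: str
    expires_at: float
    used: bool = False


class LinkSecondFactor:
    """Second factor completed by following a link, not by copying a code."""

    def __init__(self, base_url: str, ttl_seconds: int = 600, clock=time.time):
        self.base_url = base_url   # hypothetical confirmation endpoint
        self.ttl = ttl_seconds
        self.clock = clock         # injectable so expiry can be tested
        self.pending = {}          # login_id -> PendingLogin (assumed in-memory store)

    def issue(self, user: str) -> str:
        """Create a single-use, expiring link to send by SMS or e-mail."""
        login_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, never stored in clear
        self.pending[login_id] = PendingLogin(user, _digest(token), self.clock() + self.ttl)
        return f"{self.base_url}?id={login_id}&t={token}"

    def confirm(self, clicked_url: str):
        """Verify the link the user followed; return the user name, or None on failure."""
        qs = parse_qs(urlparse(clicked_url).query)
        login_id = qs.get("id", [""])[0]
        token = qs.get("t", [""])[0]
        entry = self.pending.get(login_id)
        if entry is None or entry.used or self.clock() > entry.expires_at:
            return None
        if not hmac.compare_digest(entry.token_hash, _digest(token)):
            return None
        entry.used = True   # one tap only; replaying the same link is rejected
        return entry.user
```

The server-side checks (entropy, expiry, single use, constant-time compare) are the same ones an SMS code needs; only the user-facing step changes, which is the point of the success criterion.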
442: Same as 440. Also refer to the issue paper.
473: Same as 440 and 441
503: Same as 440 and 441
542: as above
553: as above
(other comments we submitted after the comment period closed)