WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: Accessible authentication and "transcription"

From: Geethavani.Shamanna
Date: Oct 9, 2023 7:22AM


Interesting. The government (the National Savings and Investment) website here in the UK uses a type of authentication where the user receives a phone call. While on the call, the user has to type the code that appears on the computer screen into the phone. Finding the code used to be difficult, but they have now added an aria-live region, so the code is announced when it appears on the screen. I still think many screen reader users may struggle to get the code and input it on the phone within 10 seconds or whatever time the call remains active.

Geetha
-----Original Message-----
From: WebAIM-Forum < <EMAIL REMOVED> > On Behalf Of Peter Bossley
Sent: 09 October 2023 00:50
To: WebAIM Discussion List < <EMAIL REMOVED> >
Subject: Re: [WebAIM] Accessible authentication and "transcription"

Note that if the code is only valid for a short period of time, e.g. 30 seconds like some TOTPs, that might be too short to be a valid argument under the copy-paste theory. This is something that I've raised as something the working group should clarify.


-----Original Message-----
From: WebAIM-Forum < <EMAIL REMOVED> > On Behalf Of Patrick H. Lauke
Sent: Sunday, October 8, 2023 3:27 PM
To: <EMAIL REMOVED>
Subject: Re: [WebAIM] Accessible authentication and "transcription"


On 08/10/2023 20:19, Damon van Vessem wrote:
> Greetings,
>
> I have a question about 3.3.8 Accessible Authentication (AA),
> specifically about "transcribing" information. Let's say a user is
> trying to sign in on their laptop and a 2-factor mechanism requires
> them to use one-time code received/generated on their phone. Is this
> an acceptable solution, since it requires them to type (transcribe?) the code on their laptop?

If they can only transcribe it manually, then that fails. There is some gray area around the idea that they can potentially copy it on device, then transfer it to their machine (for instance, emailing it over, or with OS integrations that let you have a shared clipboard between devices).

P
--
Patrick H. Lauke

https://www.splintered.co.uk/ | https://github.com/patrickhlauke
https://flickr.com/photos/redux/ | https://www.deviantart.com/redux
https://mastodon.social/@patrick_h_lauke | skype: patrick_h_lauke