
Accessible Authentication - one-time-passcodes and the test for when an activity requires 'transcription' #2866

Closed
camusamta opened this issue Dec 22, 2022 · 7 comments · Fixed by #3046
Labels
3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) Survey - Added Understanding WCAG 2.2

Comments

camusamta commented Dec 22, 2022

Working through Accessible Authentication, as an auditor I see the possibility for the question of 'cross-device copying' raised by clients who don't want to overhaul their current 2FA practices:

  • a time-sensitive one-time password generated by an authenticator app can be copied and emailed or air-dropped across devices, but it is highly unreasonable to expect someone to do so within the standard limit of 30 seconds to 1 minute, and so the likelihood of transcription here is so high that I can confidently say this method requires transcription for most who would try it
  • however, what about a code sent via text that has, say, a 15 or even 30 minute window of viability? I can say there is some relative likelihood of transcription occurring there, and so is that the bar? That if there is a necessary time limit (for example), then it's foreseeable that transcription could be a required option for someone?

I notice in the Understanding section for Accessible Authentication that copying and pasting such that it mitigates transcription is only referenced in the context of the action being performed locally:

> Copy and paste can be relied on to avoid transcription. Users can copy their login credentials from a local source...

Is the implicit intention that the value of the field requiring input, if it is being pasted, must also be sourced from the same device, so as to significantly reduce the likelihood of transcription due to cross-device complexity (which includes things like mandatory time-limits and the general some-user-unfriendliness of this approach)?

I'm just wondering how this argument might be countered (providing others also believe it to be viable/I'm not misreading the success criteria).

Edit: some further hunting has found a similar discussion resolved here: #1359, however, I wonder if clarity around both this and the second example above (around copying and pasting between multiple devices with constraints of ambiguous impact) might be beneficial if made more explicit in the SC?

@camusamta camusamta changed the title Accessible authentication - one-time-passcodes and the test for when an activity requires 'transcription' Accessible Authentication - one-time-passcodes and the test for when an activity requires 'transcription' Dec 22, 2022
patrickhlauke (Member) commented:

> Is the implicit intention that the value of the field requiring input, if it is being pasted, must also be sourced from the same device

To my understanding, yes, as you can't copy/paste across devices? So the source where you're copying from must be on the same device where you then want to paste. (though, to be clear, "source" here would mean that the value can be copied locally ... whether the actual location of where the value "lives" is in a local vault or in the cloud and accessed through a local client like 1Password or similar, makes no practical difference)

> so as to significantly reduce the likelihood of transcription due to cross-device complexity (which includes things like mandatory time-limits and the general some-user-unfriendliness of this approach)?

Not sure I follow this part (unless this is answered by my previous part of the answer about it being irrelevant if it's an actual local vault physically on the current device, or a cloud/remote storage that is accessed through a local client)

patrickhlauke (Member) commented Dec 22, 2022

in the specific context of OTP codes, it's basically "you must be able to copy the code, and then paste it, on the same device" (the client that shows/generates the OTP code must be on the same device) as anything else involves manual transcription (looking at one device, typing it into the other device), unless I'm missing something

camusamta (Author) commented Dec 22, 2022

Really appreciate the clarification, thank you. I think my question boiled down to an interpretation of 'copy and paste'. Yours is very clear, which is that the action of copying and pasting can only refer to something which happens within a single device, which makes perfect sense. What I was imagining was a reading of the criteria as saying that 'copy and paste actions must be possible to complete the authentication process', which is a (mis)reading which can lead people to think that, say, an SMS code that expires in 30 minutes could be copied on a mobile phone, emailed to a desktop email account, copied again on desktop, and pasted into the webform on desktop.

patrickhlauke (Member) commented:

Note that the above is my understanding. Worth seeing if other WG members have differing views. Have to admit your (rather convoluted, admittedly) scenario of copy/pasting/emailing didn't even cross my mind.

alastc (Contributor) commented Jan 5, 2023

> To my understanding, yes, as you can't copy/paste across devices?

You can copy paste across some devices. For example, I can copy a one-time-code by tapping that code on my iPhone, and paste that in on my laptop immediately with a simple cmd-v.

However, that requires a particular setup with aligned accounts on the devices. Unless you have a very locked down environment (e.g. intranet where everyone has access to this) it couldn't be considered accessibility supported.

Emailing / texting security information with a long life span seems... insecure?

Do we need to cover something that wouldn't pass security muster?

@alastc alastc added WCAG 2.2 3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) Understanding labels Jan 5, 2023
camusamta (Author) commented Jan 8, 2023

> Do we need to cover something that wouldn't pass security muster?

I don't think so. Having a quick look through my phone, the longest time-limit afforded a one-time code is 15 minutes. Having spent a bit of time with this now, what I was looking for in the SC I think can be boiled down to 'making it explicit that copying and pasting refers to an action that entirely takes place within a single device'.

This is because to state that 'copying and pasting' is a sufficient remedy may have some assuming that an upper time-limit like 15 minutes on a one-time code is a timeframe in which someone can perform a convoluted copy-and-email, receive-and-copy-and-paste across multiple devices.

In short, to ward off the following hypothetical sentiment: "15 minutes is enough time to figure out a way of getting that information across devices, thus avoiding transcription"
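The code lifetimes this thread keeps coming back to (a 30-second authenticator step versus a 15-minute SMS code) are enforced server-side, independently of whether the client lets the user paste the code. As an added example, not part of this issue or of the WCAG Understanding text, here is a Python sketch of both kinds of check: an RFC 6238 TOTP verification with a one-step skew window, and a store for delivered (SMS/email) codes that expires them and accepts each exactly once. The secret is the RFC 4226 test value; the store, its clock injection and the user names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current time-step plus/minus `window` steps (clock skew), using a constant-time compare.

    With step=30 and window=1 a code is usable for at most ~90 seconds; a code from
    the user's own authenticator app is therefore only practical to paste on the
    device that shows it, which is the point made in the thread.
    """
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


class DeliveredCodeStore:
    """Server-side state for codes delivered out of band (SMS/email): bounded TTL, single use.

    Constructed for this example. `clock` is injectable so the expiry logic can be
    exercised without waiting; production code would use the default time.time.
    """

    def __init__(self, ttl_seconds: int = 15 * 60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._codes: dict[str, tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        """Generate a fresh 6-digit code for `user`, replacing any outstanding one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[user] = (code, self._clock() + self._ttl)
        return code

    def verify(self, user: str, code: str) -> bool:
        """Return True once for the matching, unexpired code; the code is consumed either way it matches."""
        entry = self._codes.get(user)
        if entry is None:
            return False
        stored, expires_at = entry
        if self._clock() > expires_at:
            del self._codes[user]          # expired: discard, never accept
            return False
        if not hmac.compare_digest(stored, code):
            return False
        del self._codes[user]              # single use: a replayed code is rejected
        return True


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP:", totp(RFC_TEST_SECRET, now))
    store = DeliveredCodeStore()
    delivered = store.issue("alice")
    print("delivered code accepted:", store.verify("alice", delivered))
    print("replay accepted:", store.verify("alice", delivered))
```

The lifetime is a property of the issuing side only: whatever the TTL, the accessibility question of whether the user can paste rather than retype the code is decided by the form on the receiving device, so a long window buys no accessibility benefit while extending how long a code forwarded by email or text remains live.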

alastc (Contributor) commented Mar 7, 2023

The update was approved, but noting that @WilcoFiers was going to open a more specific issue that came out of this.

3 participants