This repository has been archived by the owner on Jun 30, 2018. It is now read-only.

And/or in SC2.2.7 Accessible Authentication #325

Closed
guyhickling opened this issue Aug 18, 2017 · 1 comment

Comments

@guyhickling

I see a small problem in the wording of SC2.2.7 (as shown in the 16 Aug 2017 draft):

Essential steps of an authentication process, which rely upon recalling or transcribing information, have one of the following:

  • alternative essential steps, which do not rely upon recalling and transcribing information; or
  • an authentication-credentials reset process, which does not rely upon recalling and transcribing information

In the first line it says "recalling or transcribing", but in the two bullet points it replaces that "or" by "and". It should be "or" in all three cases.

The effect of saying "recalling and transcribing" in the bullet points is that anything that does not require BOTH recalling AND transcribing will be allowed.

For example, a website could have a test requiring transcribing digits as the first alternative. It could then provide a second test of exactly the same kind but with different digits, as the alternative test. It would require transcribing, but not recalling, so doesn't get caught by "recalling and transcribing" of the first bullet point.

@DavidMacDonald
Contributor

DavidMacDonald commented Sep 26, 2017

Proposed response:

Thanks for your comment. Yes, that is a typo. It should be OR and not AND in the two bullet points; we have made the change. Thank you.
