Skip to content

Is a time-based token a security concern (timing adjustable)Β #1424

New issue
New issue
Open
Open
Is a time-based token a security concern (timing adjustable)#1424
Labels
2.2.1 Timing AdjustableWCAG 2.0
@ajanec01

Description

@ajanec01
ajanec01
opened on Sep 17, 2020

Hi

Can you please clarify what is meant by "security concerns" in the context of timing adjustable? More specifically, is there a difference between security concerns set by the content and a 2-step authentication that relies on time-based tokens?

The "Notes regarding server time limits" section in the understanding doc for 2.2.1 says:

This Success Criterion applies only to time limits that are set by the content itself. For example, if a time limit is included to address security concerns, it would be considered to have been set by the content because it is designed to be part of the presentation and interaction experience for that content.

To illustrate where I get confused imagine a scenario where after the login page, the user needs to authenticate again by providing a code that is sent to the user's mobile phone. A token is generated, and it's valid only for a few minutes. If the user doesn't enter the correct code within the time limit, then the next click on any UI component redirects the user to the login page, and the process starts again (the token expires). There is no chance to either turn off, adjust or extend the session.

As I currently understand it, the understanding doc for timing adjustable seems to say that it is a failure because the time-based token is automatically generated, and it was implemented due to security concerns. However, there is an argument to be made that it is essential because extending it would invalidate the activity.

It doesn't help that examples of this issue do not seem to be consistent. In the understanding doc for re-authentication, the example of a questionnaire does not seem to meet any of the requirements of timing adjustable and it's referring to re-authenticating. It makes me believe that there is a difference between security concerns and authentication.

Is not being able to extend, adjust, or turn off the time limit of the time-based token used for 2-step authentication failure of the timing adjustable criterion?

Clarity on this issue would be much appreciated!

Many thanks
aron

Metadata

Metadata

Assignees

No one assigned

    Labels

    2.2.1 Timing AdjustableWCAG 2.0

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions