alphagov / govuk-design-system

One place for service teams to find styles, components and patterns for designing government services.
https://www.gov.uk/design-system
MIT License

WCAG 2.2: Create accounts ‖ Accessible Authentication #2875

Closed querkmachine closed 11 months ago

querkmachine commented 1 year ago

What

Update our guidance on creating accounts to emphasise that teams should ideally avoid using CAPTCHA tools to restrict the creation of accounts or, if they do, that they must provide an alternative means of creating an account that does not use them.

We may also want to identify specific CAPTCHA tools that we have confirmed to be accessible and compliant with the Level AA criterion.

This guidance may be temporary, pending the creation of specific guidance around proving the user is a real person.

Resources

Why

The new WCAG 2.2 Level AAA criterion 'Accessible Authentication (Enhanced)' says:

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:

Alternative Another authentication method that does not rely on a cognitive function test.

Mechanism A mechanism is available to assist the user in completing the cognitive function test.

CAPTCHA technologies are largely non-compliant with the Level AAA version of the criterion. In this situation, a team would have to provide another mechanism to limit the effectiveness of spam registrations or otherwise validate a user's personhood.

The Level AA criterion 'Accessible Authentication (Minimum)' adds two more exceptions:

Object Recognition The cognitive function test is to recognize objects.

Personal Content The cognitive function test is to identify non-text content the user provided to the Web site.

Only certain CAPTCHA technologies comply with the Level AA criterion. The behavioural and object recognition CAPTCHA that is employed by services like reCAPTCHA and hCAPTCHA would appear to be compliant, the specifics of their technical implementation notwithstanding.

CAPTCHAs that employ spatial puzzles, such as AWS WAF or Arkose MatchKey, are probably not compliant.

Traditional CAPTCHAs that require a user to manually transcribe distorted text or audio are not compliant.

Who needs to work on this

Who needs to review this

Done when

dav-idc commented 1 year ago

This has been added to the 'WCAG 2.2 content updates' document.

calvin-lau-sig7 commented 11 months ago

Closing issue – content has been drafted, reviewed and added to pull request #3090 as part of https://github.com/alphagov/govuk-design-system/issues/3276.