w3c / wcag

Web Content Accessibility Guidelines
https://w3c.github.io/wcag/guidelines/22/

[WCAG 2.2 Draft Feedback] Success Criterion 3.3.7 Accessible Authentication #1890

Closed dshoukry closed 2 years ago

dshoukry commented 3 years ago

"Success Criterion 3.3.7 Accessible Authentication (Level A): For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test. Note: Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address transcription cognitive function test."

We appreciate that much of our feedback was accepted here in the first round. Most of our new comments/proposals are requests to: clarify whether remembering your own username is a cognitive function test, clarify a few questions we had around cognitive function tests and CAPTCHAs, more explicitly define a few terms, and we also had a UX writer provide general writing/grammar suggestions.

Please find detailed specifics covered in our 3.3.7 Accessible Authentication (Level A) Google Doc.

alastc commented 3 years ago

Hi @dshoukry,

Thanks for all the editorial suggestions, that looks straightforward to incorporate.

In the CAPTCHA section, I think the key differentiator (that may need clarifying) is whether the author/website sets the image/word, or whether the user does. The idea was that if the user sets an image to recognise, that would not be in scope of the cog-fun-test. However, if it is external to the user (from the author/site), that would be a cog-fun-test.

The difference between "recognizing a picture the website provided" and "Recognizing common objects" is that for the first, the website provided a picture (e.g. of a banana), then when you login next time it shows multiple images, and you have to remember the one it showed before.

I'm not sure if that example has been used for logins, but it was trying to demonstrate the principle.

Also, was it clear that the (culturally specific) taxi example was being discouraged, but not considered in scope of the SC?

There are a couple of other things to address, I've labelled as "COGA" to get more eyes on it.

mraccess77 commented 3 years ago

"The difference between "recognizing a picture the website provided" and "Recognizing common objects" is that for the first, the website provided a picture (e.g. of a banana), then when you login next time it shows multiple images, and you have to remember the one it showed before."

I have seen this for auth/login but I was able to choose a picture from several choices when I set it up and I believe the purpose of the picture was more to give confidence to the user that it was a legit login form type thing. An investing company used this approach. I think it was along the lines of enter username then next step show picture and password field so you can be confident that you are on the real system as you recognize that picture you chose from a sample of pictures when you signed up with the account. So in this case not required but still a test for confidence.

alastc commented 3 years ago

Approved response (updated 12th Nov 2021):

clarify whether remembering your own username is a cognitive function test

That is covered in the definition of Cognitive Function Test:

"memorization, such as remembering a username, password, set of characters..."

For the section on CAPTCHA which says: "If the test is based on something the website has set such as remembering or transcribing a word, or recognizing a picture the website provided, that would be a cognitive functional test. Recognizing common objects, or a picture the user has provided, would not be a cognitive functional test."

Since we started this response, the SC has been split into two, one which includes a specific exception for "recogniz[ing] common objects or content the user provided to the website", and an AAA version without that exception.

You asked:

Does this [word] only refer to vocabulary words, or are transcribing random letters/numbers or an arithmetic problem also in scope?

That was intended to mean both. It could be remembering a word, transcribing a word, or random letters / numbers. The second paragraph of the intent includes that aspect, this paragraph is specifically about CAPTCHAs, so it's just an example of the overall principle.

Is this [recognising a picture] referring to identifying a specific object (e.g. select all images that contain a bike)? It may help to use different wording in this example given similar wording in the next sentence.

It is intended to mean a scenario where the site shows an image in one visit, or a previous step in a process, and then requires the user to remember that picture.

Can the group please define what a common object is, and/or provide a list of objects other than taxis that do not require understanding of a particular culture or locales?

Where a document uses the dictionary meaning of a term (e.g. common: "occurring, found, or done often; prevalent."), we would not provide a definition. Given that the text specifically says that the cultural aspect is out of our (accessibility) scope, we do not think it is necessary to provide a list of objects which do or don't require cultural understanding.

Is it a cognitive functional test when a user selects a security image from a pre-defined set that the author provides?

Yes, as author provided means the same as "website provided" which is used in the previous sentence. That is the differentiation: If the website provides something you have to remember, that is a cog-fun-test. If the user provides an image for the website to show next time, that is coming from the user therefore not a test.

To try and clarify those aspects so others do not have the same questions, how about:

"If the test is based on something the website has set such as remembering a word, transcribing characters or numbers, or remembering a picture the website provided in a previous session, that would be a cognitive functional test. Recognizing common objects, or a picture the user has provided in a previous session, would not be a cognitive functional test."

This is also being discussed in #1902

We had requested for [perception-processing limitations] examples to be provided here in the FPWD. Is COGA still working on that or may we provide a friendly ping? Thanks!

Rain responded from COGA in the next comment, but given that there isn't a simple 1:1 example, it doesn't appear to be helpful to add a lot of words just for this.

Revisiting a comment from our first round of feedback - since COGA didn't require that passwords be visually hidden with asterisks/bullet points, can it be added as a suggestion?

Visually showing (or not) the password is a different requirement, there is a proposed addition to cover that, but it won't be added as a requirement to this SC.

rainbreaw commented 3 years ago

Responding to the part that needed COGA feedback, knowing that the rest of the above is being handled in other issues:

People with cognitive issues relating to memory, reading (e.g. dyslexia), numbers (e.g. dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.

Perception-processing limitations is hard to assign to a specific diagnosis as this is something that can be experienced across many cognitive disabilities, including visual or auditory processing disorders, autism, aphasia, different learning or developmental disabilities.

If we need to further define this, then maybe we should re-word the language. Here is a recommendation:

People with cognitive challenges relating to memory, reading (e.g. dyslexia), numbers (e.g. dyscalculia), or perception (such as visual or auditory processing disabilities or related to a variety of cognitive differences) will be able to authenticate irrespective of the level of their cognitive abilities.

philljenkins commented 3 years ago

I believe the thread in #1940 has missed my original intent.

Things like transcription errors, cognitive load, etc all rely on a before and after or two things to compare (or transcribe) - meaning that the user has to know (remember) what was typed (or pasted in for them, or submitted for them) and compare it to what should have been typed (pasted, etc.). If the login relies only on the user's ability to "compare" it by memory, it is by definition relying on a complex cognitive function. This "compare" cognitive function is before and different than the function test to "remember". To be able to "compare", the user has to be able to see (because they can't remember or have a separate way to determine it) what was typed (pasted, etc.) with what should have been. If at first the app doesn't supply both, then the cognitive compare test is blocked (prohibited) and fails the SC. And then secondarily, without them both being displayed, the user has to do a second cognitive test to compare the "supposed password" to what they may or may not remember to have typed in correctly (pasted in correctly, etc.). In other words, there are two sequential cognitive tests, and without both passwords being displayed, it is impossible to complete the 1st "compare" test without the ability to "remember" (another cognitive test) the two things when only one is visible.

Again, data shows that users with TBI, aging, and other cognitive disabilities are failing the ability to authenticate and/or set up authentication with the app's inability to show both things that need to be compared.

So it may well be a new requirement, a new SC, that will fail if the password field doesn't include an option to see it (forcing the user to have to remember) what was typed in (or pasted it, or submitted for them, etc.).

alastc commented 2 years ago

@dshoukry Given Rain's response above, do you think it is helpful to add text to that section? It seems to be unnecessarily wordy.

@philljenkins you can re-open #1912 if you wish to continue the conversation about a requirement for showing passwords, but it would go to a future set of guidelines, not WCAG 2.2.

Note to self: Need to update the response based on the updates to do with objects.

alastc commented 2 years ago

The group approved the response above: https://www.w3.org/2021/12/03-ag-minutes.html#t10
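As an added illustration that is not part of this thread or of the WCAG repository: a constructed login form that provides the two mechanisms named in the SC note (password-manager entry via autocomplete tokens, and unblocked copy/paste), plus the optional show-password control philljenkins raises, which alastc notes is not a requirement of SC 3.3.7. Field ids, the `/login` action and the console check are assumptions for the example.

```html
<!-- Constructed example login form (not from the WCAG repo). -->
<form method="post" action="/login">
  <label for="user">Username</label>
  <!-- autocomplete tokens let password managers recognise and fill the
       fields, addressing the memorization cognitive function test -->
  <input id="user" name="user" type="text" autocomplete="username" required>

  <label for="pw">Password</label>
  <!-- no onpaste/oncopy handlers: pasting from a manager or a note stays
       possible, addressing the transcription cognitive function test.
       Anti-pattern to avoid: <input type="password" onpaste="return false"> -->
  <input id="pw" name="pw" type="password" autocomplete="current-password" required>

  <!-- optional show-password control (not required by SC 3.3.7): lets the
       user compare what was typed with what they intended to type -->
  <button type="button" id="reveal" aria-pressed="false" aria-controls="pw">
    Show password
  </button>

  <button type="submit">Log in</button>
</form>

<script>
  const pw = document.getElementById('pw');
  const reveal = document.getElementById('reveal');

  // Toggle between masked and visible password; aria-pressed reports state.
  reveal.addEventListener('click', () => {
    const showing = pw.type === 'text';
    pw.type = showing ? 'password' : 'text';
    reveal.setAttribute('aria-pressed', String(!showing));
    reveal.textContent = showing ? 'Show password' : 'Hide password';
  });

  // Self-check (assumed helper, not part of the SC): warn if a paste handler
  // has been attached, since that would reintroduce the transcription test.
  for (const el of document.querySelectorAll('#user, #pw')) {
    if (el.onpaste !== null || el.hasAttribute('onpaste')) {
      console.warn(`${el.id}: paste handler present; copy/paste mechanism blocked`);
    }
  }
</script>
```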