Closed WilcoFiers closed 1 year ago
> If I had to pick between the two I think the "WCAG is not about how the OTP gets into the clipboard" reading of this seems the more defensible to me.
Agree - I quite like this approach, as it cleanly demarcates where our concern starts/ends. If a client then wants to start arguing "oh, they CAN get it to their clipboard, all they have to do is... [insert super convoluted steps to go from one device to another]" then they can defend that themselves in court when it comes to it.
That does contradict some of the wording in the current understanding document.
happy to make a strawman PR for this to work on if the above direction is where we want to go.
Similarly, I probably want to revisit some of the wording about those "Log in with device" / passwordless approaches (e.g. where you need to confirm on one device that it's indeed you who is trying to log into a system/site on another device - see for instance https://bitwarden.com/blog/access-your-bitwarden-vault-without-a-password/, or the way Google lets you confirm in YouTube - which is odd - on an Android device whether or not it's you trying to log onto gmail on your laptop).
We're similarly not concerned directly whether or not that "other device" where you confirm is accessible/doing it accessibly per se, unless that app/system on that other device is also being assessed/audited. Will ruminate on this...
@patrickhlauke I believe we want to propose the "WCAG is not about how the OTP gets into the clipboard" approach and update the understanding. Do you have time to make that strawman PR in the next few days? If not, I will do so.
> Do you have time to make that strawman PR in the next few days?
sure
@rachaelbradley @WilcoFiers made an initial stab https://github.com/w3c/wcag/pull/3150
There seems to be an open question when it comes to one-time codes (OTCs) and copying between systems to authenticate. If for example I receive an OTC via text message, I could copy it to authenticate if 1. I'm authenticating on my phone, or 2. I have my devices linked such that I have a shared clipboard.
The SC doesn't provide guidance on how to decide when copying OTPs is allowed. If we take a strict reading you could argue that it's never allowed, because you can't know for sure that copying is possible. That doesn't seem right, as it basically prohibits OTPs altogether. A more generous reading would be that WCAG is about web content alone. How the OTP gets into the clipboard is out of scope and the only thing that matters for WCAG 2.2 conformance is that pasting isn't prevented by the page itself.
I'm not keen on either of these, and would hope there's some kind of middle ground I'm not thinking of. If I had to pick between the two I think the "WCAG is not about how the OTP gets into the clipboard" reading of this seems the more defensible to me. That does contradict some of the wording in the current understanding document. If we can't provide clearer guidance I think we should think of that more as advisory work, rather than required by the SC.
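To make the "pasting isn't prevented by the page itself" reading concrete, here is an added example (not from this thread, the understanding document, or the linked PR) showing the failing pattern, an OTP field whose page-side listener cancels the paste event, next to a field that leaves paste alone, plus a check an auditor can run against a field. It uses Node's built-in `EventTarget` and `Event` as a stand-in for an `<input>` so it runs offline; the same `pageBlocksPaste` check works in a browser against a real element with a synthetic `ClipboardEvent`. The `blockPaste` option, the markup snippet and the `onpaste` regex are constructed for illustration.

```javascript
// Added example: models an OTP code field that blocks paste (the pattern the
// page itself is responsible for) beside one that does not, and a check that
// reports whether page code cancelled the paste event. Node's global
// EventTarget/Event stand in for a DOM <input> (assumption for offline use).

// Stand-in for an <input> element: an EventTarget carrying a value.
// `blockPaste` is a constructed option selecting the failing pattern.
function makeOtpInput(opts = {}) {
  const input = new EventTarget();
  input.value = "";
  if (opts.blockPaste) {
    // Failing pattern: the page cancels paste on the one-time code field.
    input.addEventListener("paste", (ev) => ev.preventDefault());
  }
  return input;
}

// Audit check: dispatch a cancelable synthetic paste event and report whether
// a listener cancelled it. A synthetic event never inserts clipboard text, so
// this is safe to run against a live field during an assessment.
function pageBlocksPaste(input) {
  const ev = new Event("paste", { cancelable: true, bubbles: true });
  input.dispatchEvent(ev);
  return ev.defaultPrevented;
}

// Simulates the browser's behaviour on a real paste: fire the event, then
// perform the default action (insert the text) only if nothing cancelled it.
function simulatePaste(input, clipboardText) {
  const ev = new Event("paste", { cancelable: true, bubbles: true });
  input.dispatchEvent(ev);
  if (!ev.defaultPrevented) input.value += clipboardText;
  return input.value;
}

// Static companion check for server-rendered markup: count inline handlers of
// the form onpaste="return false" (constructed pattern; catches only this
// common inline form, not listeners attached from script).
function countInlinePasteBlockers(html) {
  const re = /\bonpaste\s*=\s*["'][^"']*\breturn\s+false\b/gi;
  return (html.match(re) || []).length;
}

// Constructed sample markup: one blocking field, one clean field.
const sampleHtml = `
  <input name="otp" inputmode="numeric" autocomplete="one-time-code" onpaste="return false">
  <input name="otp2" inputmode="numeric" autocomplete="one-time-code">
`;

// Stand-alone demonstration.
console.log("blocking field cancels paste:", pageBlocksPaste(makeOtpInput({ blockPaste: true })));
console.log("clean field cancels paste:", pageBlocksPaste(makeOtpInput()));
console.log("value after paste into blocking field:", JSON.stringify(simulatePaste(makeOtpInput({ blockPaste: true }), "123456")));
console.log("value after paste into clean field:", JSON.stringify(simulatePaste(makeOtpInput(), "123456")));
console.log("inline onpaste blockers in sample markup:", countInlinePasteBlockers(sampleHtml));
```

Under the reading discussed above, only the first field is the page's problem: how the code reached the clipboard (same phone, shared clipboard, password manager) is outside the check, while a cancelled paste event or an inline `onpaste="return false"` is something the page itself does and an auditor can observe.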