w3c / wcag

Web Content Accessibility Guidelines
https://w3c.github.io/wcag/guidelines/22/
Other
1.14k stars 256 forks source link

Clarify CAPTCHA content scope, within 'accessible authentication (minimum)' understanding doc #3320

Open dav-idc opened 1 year ago

dav-idc commented 1 year ago

Summary

This issue is to recommend that clarifying content be added to the 'Object Recognition' section of the 'Accessible Authentication (minimum)' Understanding document.

The clarifying content would state the scope of when the advice within the object recognition section would apply to CAPTCHAs.

Context on the current gap in guidance

Right now, there is no solid definition provided for 'authentication process' for 'Accessible Authentication', for both the 'minimum' and 'enhanced' success criteria. This lack of definition is covered by another GitHub issue:

With or without a definition though, it can get a bit muddy on where the line is drawn for when CAPTCHA-related advice should be followed. What CAPTCHAs should be accessible? All? Or just the ones involved in logins?

Outside of explicit sign-in and re-sign-in spaces for authentication, CAPTCHA are often employed to 'authenticate' the validity of a user. Examples of CAPTCHA use outside of sign-in spaces:

Here's a couple relevant excerpts from the 'Object Recognition' section of the 'Accessible Authentication (minimum)' Understanding document:

Object Recognition

If a CAPTCHA is used as part of an authentication process, there must be a method that does not include a cognitive function test, unless it meets the exception. If the test is based on something the website has set such as remembering or transcribing a word, or recognizing a picture the website provided, that would be a cognitive functional test. Recognizing objects, or a picture the user has provided is a cognitive function test; however, it is excepted at the AA level.

Some CAPTCHAs and cognitive function tests used for authentication may only appear in certain situations, such as when ad blockers are present, or after repeated incorrect password entry. This criterion applies when these tests are used regardless of whether they are used every time or only triggered by specific scenarios.

My recommendation

I would recommend taking action to improve the clarity of the 'object recognition' content, especially as it pertains to CAPTCHAs.

Leaving the current CAPTCHA content in the 'understanding' document as is would risk inconsistent interpretation of which CAPTCHAs need to follow the success criteria and which don't. That seems messy, to me. Especially when it could be clarified with some additional content.

However, there are a few options for how to address this lack of clarity via content, and I'm less certain on which approach is best. I've outlined 3 options in the next section.

Options for improved guidance

There are a few paths forward I see, for increasing clarity around CAPTCHA requirements and scope. Each option has pros and cons, some of which I've brainstormed here.

Option 1: rigid definition-based scope

Define 'authentication process' explicitly in the glossary, and then scope the 'Object recognition' section to only apply to CAPTCHA used in 'authentication processes'.

Pros:

Cons:

Option 2: broader-scoped applicability of 'object recognition' advice

Regardless of the definition of 'authentication process' scope the 'object recognition' section could be stated to apply more generally to CAPTCHAs, and not be limited to login journeys.

Pros:

Cons:

Option 3: optional 'also applicable to X' advice

Instead of going for the two more decisive options above, a softer approach might be to add content to the 'object recognition' section that serves as more of a 'bonus idea', rather than a requirement of the success criterion.

Something like, "Beyond accessible authentication, these guidelines for CAPTCHA are beneficial in all scenarios when CAPTCHA are used. The use of cognitive function tests in CAPTCHA is consistently a barrier for many people with cognitive disabilities, regardless of the process where the CAPTCHA appears." (And then maybe something about the different types of scenarios where CAPTCHA is employed beyond logins).

Pros:

Cons:

bruce-usab commented 1 year ago

@davidc-gds adding a glossary term is not feasible for 2.2.

Working within that constraint, could you propose what you would like to see added or changed in [Understanding[(https://w3c.github.io/wcag/understanding/accessible-authentication-minimum.html)?

alastc commented 1 year ago

What CAPTCHAs should be accessible? All? Or just the ones involved in logins?

Well, all CAPTCHAs should be accessible (or have an accessible alternative), but remember that Accessible Authentication isn't the only applicable SC. Non-text content, contrast, and others are probably applicable.

The examples in the bullets wouldn't be applicable to this SC, but other SCs would apply, particularly as they are unlikely to offer an alternative method of completing that task.

the 'object recognition' section could be stated to apply more generally to CAPTCHAs, and not be limited to login journeys.

That's not a direction we could take for this SC. It was specifically scoped to authentication because that was the focus of the user-need, and we couldn't get consensus on a wider application. (E.g. the companies/stakeholders protecting content from bots/abuse with CAPTCHAs wouldn't have agreed to a wider application.)

Also, objection recognition is only one type of CAPTCHA, other types (e.g. letter recognition) do not have an exception in this SC.

a softer approach might be to add content to the 'object recognition' section that serves as more of a 'bonus idea', rather than a requirement of the success criterion.

We already have similar content in 1.1.1, and there is a separate, dedicated document on CAPTCHAs linked from the first sentence of this object recognition guidance.

I think we're already heading towards your option 1, where it is tightly scoped.