w3c / wcag

Web Content Accessibility Guidelines
https://w3c.github.io/wcag/guidelines/22/

SC 1.3.5: Identify Input Purpose and Multi-factor authentication (MFA). #3977

Open sarasuri opened 1 month ago

sarasuri commented 1 month ago

Hello,

We tested a form that requests the user's email address and phone number for adding a method for multi-factor authentication (MFA). During the testing, we noticed that the form fields were missing the "autocomplete" attributes and we raised it as a failure for WCAG SC 1.3.5 Identify Input Purpose. However, the development team is concerned that adding the "autocomplete" attributes might compromise the security of the MFA process. They argue that MFA requires users to manually enter their information when adding an authentication method, and they are hesitant to include the "autocomplete" attributes due to potential security risks.

Given this context, we are seeking clarification on whether this scenario could be considered as an exception to SC 1.3.5. We have reviewed the understanding document for this success criterion and did not find any specific exceptions that would apply to this situation. Any feedback on this would be helpful and appreciated.

Thank you

JulietteZenyth commented 1 month ago

I would not consider this an exception. In fact, if you look at the new Accessible Authentication [https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum] Success Criterion's understanding document, it addresses this explicitly:

"Two-factor authentication systems (verification codes) Beyond usernames and passwords, some sites may use two-factor authentication, asking the user to enter a verification code (also called a passcode or one-time password). A service that requires manual transcription of a verification code is not compliant. As with usernames and passwords, it must be possible for a user to at least paste the code (such as from a standalone third-party password manager, text message application, or software-based security key), or to allow user agents to fill in the fields automatically."

The intent is clearly NOT to require people to manually enter information.

Hope this helps you push back on the development team's resistance to implementing autocomplete.

[Edited to remove contact info]

sarasuri commented 1 month ago

@JulietteZenyth thank you for your feedback. The form is more for selecting an authentication method for MFA. Here is a screenshot of a sample form. The development team is pushing back on adding the "autocomplete" attribute for the "Telephone number" or "Email address" field that collects user's information. In the context of MFA, can this be considered as an exception for SC 1.3.5?

[screenshot: sample form for selecting an MFA method, with "Telephone number" and "Email address" fields]

JulietteZenyth commented 1 month ago

Hi @Sarasuri,

If the field is asking for information about the person filling out the form (the user), and the data to be entered matches one of the values listed in WCAG 2.1 Section 7: Input Purposes for User Interface Components [https://www.w3.org/TR/WCAG/#input-purposes], there are no exceptions, even for 'security' concerns.

[Edited to remove contact information]

mbgower commented 1 month ago

Draft Working Group Response First, there is no security exception listed in Identify Input Purpose, and so no ability to pass the criterion by citing such a security need.

Second, your example does not seem to provide reasonable grounds for considering modifications to the normative text. If a user goes to a page where they are prompted for their email and phone number as part of a multifactor authentication (MFA) process, in what way is it a security issue if their previously entered email and phone number are autofilled in these inputs?

mbgower commented 1 month ago

I'll mention that the primary requirement to use the HTML autocomplete attributes is to provide programmatic information about the purpose of the input. Even in the event where the author did not want these values autopopulated, it may be possible to override the autopopulation on the entire form (<form autocomplete="off">) while still providing the attribute at the input level (to assist with assistive technology). I haven't investigated this, but just mention it as a possible consideration.

bruce-usab commented 1 month ago

@sarasuri and @JulietteZenyth -- I took the liberty to trim off some of the email cruft from your posts. There is still a phone number in clear text.

gundulaniemann commented 6 days ago

If a public computer is properly set up, it will delete all temporary data including browser cache when one user logs out and before the next user logs in.

bruce-usab commented 6 days ago

@sarasuri -- if you are satisfied with the responses you have been provided, please be encouraged to close this issue.