|
| 1 | +<!DOCTYPE html><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> |
| 2 | + |
| 3 | + <head><title>Failure of Success Criterion 3.3.8 and 3.3.9 due to forcing transcription of individual password characters</title> |
| 4 | + |
| 5 | + <link rel="stylesheet" type="text/css" href="../../css/sources.css" class="remove"></head><body><h1>Failure of Success Criterion 3.3.8 and 3.3.9 due to forcing transcription of individual passphrase characters</h1><section class="meta"><p class="id">ID: F109</p><p class="technology">Technology: failures</p><p class="type">Type: Failure</p></section><section id="applicability"><h2>When to Use</h2> |
| 6 | + <p>All technologies that require authentication.</p> |
| 7 | + </section><section id="description"><h2>Description</h2> |
| 8 | + <p>Requiring users to authenticate by entering a password or passcode in a different format from which it was originally created is a failure to meet Success Criteria 3.3.8 and 3.3.9 (unless alternative authenticaton methods are available). If a user is required to enter individual password characters across multiple fields, in a way that prevents pasting the password in a single action, it prevents use of a password manager or pasting from local copy of the password or passcode. This means users cannot avoid transcription, resulting in a <a href="../../understanding/22/accessible-authentication.html#dfn-cognitive-function-test">cognitive function test</a>. This applies irrespective of whether users are required to enter all characters in the string, or just a subset.</p> |
| 9 | + |
| 10 | + |
| 11 | + </section><section id="examples"><h2>Examples</h2> |
| 12 | + <p>These examples would prevent a user from entering a password in the same format in which the password was originally created:</p> |
| 13 | + <ul> |
| 14 | + <li>A fieldset that prompts a user to "Enter the 2nd, 6th and last characters of your password", with separate input fields for each character.</li> |
| 15 | + <li>A fieldset that prompts a user to enter each digit of a passcode in a separate input (unless the user can paste the entire passcode in the first input, and the remaining inputs are populated automatically).</li> |
| 16 | + <li>A password input fieldset composed of <code class="el"><select></code> elements that requires a user to select each character of a fixed-length password from individual dropdown fields.</li> |
| 17 | + </ul> |
| 18 | + </section> |
| 19 | + |
| 20 | + <section id="tests"><h2>Tests</h2> |
| 21 | + <section class="procedure"><h3>Procedure</h3> |
| 22 | + <ol> |
| 23 | + <li>Check if the structure of the input field(s) prevents the user from pasting or auto-filling the entire password or passcode in the format in which it was originally created.</li> |
| 24 | + <li>Confirm that no other acceptable authentication methods are present that satisfy Success Criteria 3.3.8 or 3.3.9 (such as an authentication method that does not rely on a cognitive function test).</li> |
| 25 | + </ol> |
| 26 | + </section> |
| 27 | + <section class="results"><h3>Expected Results</h3> |
| 28 | + <ul> |
| 29 | + <li>If steps #1 and #2 are true, then this failure condition applies and content fails the Success Criterion.</li> |
| 30 | + </ul> |
| 31 | + </section> |
| 32 | + </section><section id="related"><h2>Related Techniques</h2></section> |
| 33 | + <section id="resources"><h2>Resources</h2></section></body></html> |
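Review bot: the title element (file line 3) says "individual password characters" while the h1 (file line 5) says "individual passphrase characters"; use one term in both, and since the body speaks of "password or passcode" throughout, "password" looks like the intended one. In the description paragraph (file line 8), "authenticaton" is misspelled, "pasting from local copy" is missing an article, and "in a different format from which it was originally created" would read more clearly as "in a format different from the one in which it was originally created". In the third example (file line 16), the select tag inside the code element appears unescaped as shown here, so it would be parsed as a real element rather than displayed as text; it should be entity-escaped. The Related Techniques and Resources sections (file lines 32 and 33) are empty and should be populated or the omission explained, for instance with a link back to the Understanding page already referenced in the description.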