[WCAG 2.2 Draft Feedback] Success Criterion 3.3.7 Accessible Authentication (Level AA) #2707
Comments
fstrr
added
WCAG 2.2
3.3.7 Accessible Authentication
|
Suggested response for the group to consider: Some responses to the comments (including the comments from the doc for context): There was a suggestion to add this into the SC text:
We would not call-out a specific technology in SC language (it is one of the requirements), or use an example in the SC text. I've created PR #2811 and included the suggested biometric example in the note underneath.
The reason the object recognition exception is included is for companies like Google that sometimes, due to suspected abuse, will include a CATPCHA during the authentication process. I agree that it is not authentication per-se, but we've found these are included during the process. For example, if there are too many hits from a particular IP address a CAPTCHA may be added to the page. (Personally I'd be very happy to remove that exception, but I don't think we'd get it through.) There was a suggestion to add this to the Personal Content exception:
This is potential content for the understanding document, rather than the SC text. I've added a short section in the understanding document to make clear what it is, and your concern about security. There was a suggested note:
This is good information, but is it needed? The preceding paragraph says: "using a different format between the copied text and the input field (for example, "Enter the 3rd, 4th, and 6th character of your password"), would force the user to transcribe information and therefore fail this criterion". It seems to be extending the document to include more about something we say fails the criterion. There was also a suggested note:
The proceeding paragraph is a 'best practice', rather than something we can say passes (or fails) the SC. It is tangential. Therefore I'm reluctant to add more about that. In the PR I've updated the current paragraph to say "Providing a feature to toggle the visibility of password", hopefully that helps. Sidenote: We are not supposed to use must/should/may language in the understanding documents, apparently people have read that as adding requirements to the SC. |
Thank you!
We agree that CAPTCHAS and other object recognition tests are indeed sometimes used to gather additional risk signals during authentication flows, and it's important to point out that they're compatible with Level AA accessibility guidelines. They can't be used by themselves, however, to authenticate users. Could we perhaps add the following to the bullet point 'Object Recognition: The cognitive function test is to recognize objects.' in section 3.3.7: "Object Recognition: The cognitive function test is to recognize objects. Note that this test is useful for mitigating certain automated attacks, but it can't be used by itself to authenticate individual users. If used during authentication, it needs to be combined with one or more other authentication steps, which must meet the requirements described here."
Thank you!
Yes, thank you!
Noted :-) |
|
HI @dshoukry, On the remaining point:
In the SC text, we aren't concerned about why such a thing pops up (authentication or not), it is whether it is part of the authentication process or not. Without the exception, any cogntive-function test required for completing authentication is in scope. The exception allows for some types of CFT. The suggestion is too specific for the SC text, but in the understanding document we already have: I think that's covering the same area? |
|
The responses above were approved by the group: So closing this issue. If you have any further comments (e.g. on the last point above), please comment here and we can look at updating the understanding doc. |
|
Thank you! We agree with the following text: "Some CAPTCHAs and cognitive function tests used for authentication may only appear in certain situations, such as when ad blockers are present, or after repeated incorrect password entry. This criterion applies when these tests are used regardless of whether they are used every time or only triggered by specific scenarios." We have some concerns with an implementer reading the following: "A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step [is] Object Recognition [or one of the other exceptions]". We're concerned that an implementer might interpret "one way to implement an authentication process compatible with WCAG is to use CAPTCHA, and only CAPTCHA". That would be an authentication process that is compatible with WCAG, but it would be one that is somewhat insecure. How should we (or should we at all) address this issue? Should we include language that guides implementers away from insecure implementations (without sacrificing any of the WCAG guidelines, of course)? Or is the scope purely focused on accessibility guidelines, and assume that implementers have some other way to educate themselves about security? If the answer to the last question is "yes", then we agree the text as written is okay. But if we want to give some guidance on how to navigate accessibility and security, then we still believe some language to that effect (i.e., that CAPTCHAs alone cannot be used to authenticate users) should be included. |
Accessible Authentication (AA)
“Success Criterion 3.3.7 Accessible Authentication - A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:
Recommendation:
Most of our comments/proposals are requests to: remove general object recognition due to security concerns, provide more risk mitigation tactics, and to explicitly clarify two definitions and examples.
Please find detailed specifics covered in our Sep22 3.3.7 Accessible Authentication (AA) Google Doc
The text was updated successfully, but these errors were encountered: