[WCAG 2.2 Draft Feedback] Success Criterion 3.3.8 Accessible Authentication (Level AAA)

[dshoukry]

“Success Criterion 3.3.8 Accessible Authentication (No Exception) (Level AAA): - A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:

• Alternative Another authentication method that does not rely on a cognitive function test.
• Mechanism A mechanism is available to assist the user in completing the cognitive function test.”

Recommendation:
Most of our comments/proposals are requests to: add a few notes and clarifications about alternatives, mechanisms to complete cognitive function tests, and acceptable exceptions for universally known concepts.

Please find detailed specifics covered in our Sep22 3.3.8 Accessible Authentication (AAA) Google Doc

[bruce-usab]

@dshoukry this is probably not fair, but I find editorial suggestions so much easier to hash out as GitHub issues and pull requests. It might just be me, but I a loath to introduce an addition technology stack (docs/comments) into the work flow.

We have been using Google docs to good effect for a great deal of AGWG work, but I am not personally ready to mix things up for the WCAG 2.2 TR.

[alastc]

@dshoukry - The link to the doc is for the AA version of the SC, could you update that to the AAA version please?
Unless it is intended to be for the AA version, and the issue is mis-named?

[dshoukry]

@bruce-usab totally fair and will keep this in mind going forward! (as @alastc mentioned in #2709 we agreed on Google Docs for previous rounds)

@alastc sorry about that! just replaced with the AAA link.

[alastc]

Response for the group to consider:

---

This response focuses on the comments not included in #2707

I agree that the understanding document needs some updating, I've used the feedback to re-structure the top section so that it is more clear that the exceptions are things that are allowed at AA, but not under this AAA version. That is in #2811

A car seems like something that has a lot of variations to be used as a common knowledge.
We are concerned that the original language is not helpful enough and could be interpreted as any kind of image is okay (therefore really not being any different than the current understanding of what is acceptable in a captcha). This suggested rewrite hopefully addresses this concern. If that is not acceptable, we would suggest removing the third bullet entirely.

We've had extended discussion about what would constitute a "common object" (e.g. #1902, and #1256 for context). The result was that we would split the SC into the AA and AAA version, with the AA version providing an exception.

The rational was that:

• Some companies (e.g. Google, Cloudflare) use image object recognition based captchas to prevent abuse of their systems, including during authentication processes. It is unlikely they would just remove these, whatever the accessibility implications.
• These types are probably less difficult to do than the warped-text based ones which require text recognition and transcription.
• Using non-common objects is going to fail for many people, regardless of ability/disability. There is an incentive from a general usability point of view to include objects which people can recognise.

So we agree there are issues with these systems, but defining a 'common object' in terms of what impact that has on accessibility is hugely complex, so the straightforward solution is to just say "objects".

[alastc]

The response above was approved by the group:
https://www.w3.org/2023/02/07-ag-minutes#item08

[dshoukry]

(No response required, just sharing as FYI)

A car seems like something that has a lot of variations to be used as a common knowledge.
We are concerned that the original language is not helpful enough and could be interpreted as any kind of image is okay (therefore really not being any different than the current understanding of what is acceptable in a captcha). This suggested rewrite hopefully addresses this concern. If that is not acceptable, we would suggest removing the third bullet entirely.

We've had extended discussion about what would constitute a "common object" (e.g. #1902, and #1256 for context). The result was that we would split the SC into the AA and AAA version, with the AA version providing an exception.

The rational was that:

• Some companies (e.g. Google, Cloudflare) use image object recognition based captchas to prevent abuse of their systems, including during authentication processes. It is unlikely they would just remove these, whatever the accessibility implications.

Towards the end of last year we launched some updates, reCAPTCHA v3 (developer guide), and an invisible reCAPTCHA v2 (developer guide). We are indeed trying to remove image objection recognition based captchas and move to frictionless models. We are trying to increase adoption as fast as possible, and hopefully we will be able to update this SC by WCAG 3 :-).