WCAG 2.2 3.3.7: Accessible Authentication - disambiguate "paste" and "password managers" #1898
Conversation
Password managers (both built-in, and 3rd party extensions integrated into the browser) do not rely on "paste" functionality - they populate form fields directly in the DOM / inject the value into forms. See the results from https://codepen.io/patrickhlauke/full/jOBepRE

- make the points separately about using properly marked-up 1.3.5 compliant form fields (nothing to do with paste). Removed the mention of 1.3.1 inforel, as this seems unrelated (and more to the point, if we're saying password managers rely on the accessible name of an input, then it's not 1.3.1 but 4.1.2 that counts). Added reference to 4.1.2 instead.
- tweak the copy/paste paragraph to be purely about ability/inability to copy from a third-party password manager and to then paste it into the form/webpage.
- add an expansion (with example) about the "different format between copied and pasted text" - a classic one, loved by banks, that ask you to enter specific digits/characters from a much longer password (which then requires manual transcription)
- add an example of accessible authentication about the copy/paste in isolation
I note that in one of the previous discussions, there was a mention of "copy/paste is fine, but not if it has additional restrictions like some time limit ... e.g. 'we emailed you, but the password is only valid for like 10 seconds'". This aspect doesn't seem to be present in the final understanding now. This is also a common thing with one-time-password solutions (where a user can copy the OTP but has a limited amount of time to paste it into a page). So is this still a valid/ok way to go?
Rachael's and Pat's comments
As this came up in a discussion with somebody again today, I just want to be absolutely crystal: with this change, which has now been merged, the absolute minimum requirement to pass this SC is "don't stop paste operations into login fields". No other requirement, not even a requirement to "properly" mark up / identify input purpose (though of course that would still fail the separate SC 1.3.5).
This now more explicitly allows copy/paste-ability as a way to pass this criterion. This seems in line with the intent of https://github.com/w3c/wcag/pull/1419/files at the time? This also seems to tally with the result of the lengthy discussion in #1359?
(To be clear, the end result is basically: in general, as long as a page doesn't block pasting into the login fields - no other requirements beyond not requiring some "only enter the 3rd, 4th, etc" - it passes. This seems the end result of all the discussions above?)
Closes #1855
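As an added example (not code from the w3c/wcag PR or its authors), a small audit that keeps the two concerns in this thread separate: whether a login field blocks paste, which is the minimum 3.3.7 requirement discussed above, and whether it carries a 1.3.5 input-purpose token. The markup strings, the LOGIN_TOKENS set and the regex-based tag parser are assumptions of this example, not anything from the PR.

```javascript
// Added example: separates "does the field block paste?" (3.3.7 minimum) from
// "does the field identify its purpose?" (separate SC 1.3.5). The <input> parser
// is a deliberately simple regex and assumes well-formed, double-quoted attributes.

// Autocomplete tokens a login form would use to identify input purpose (1.3.5 side).
const LOGIN_TOKENS = new Set(["username", "current-password", "new-password", "one-time-code"]);

// Collect the attributes of every <input ...> tag in a markup string.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    inputs.push(attrs);
  }
  return inputs;
}

// Per text/email/password field: does an inline onpaste handler cancel the paste,
// and does the field carry an input-purpose token? The two are reported independently.
function auditLoginFields(html) {
  return parseInputs(html)
    .filter(attrs => ["text", "email", "password"].includes((attrs.type || "text").toLowerCase()))
    .map(attrs => {
      const onpaste = (attrs.onpaste || "").replace(/\s+/g, "");
      return {
        name: attrs.name || attrs.id || "(unnamed)",
        blocksPaste: /preventDefault\(\)|returnfalse/.test(onpaste),
        hasPurposeToken: LOGIN_TOKENS.has((attrs.autocomplete || "").toLowerCase()),
      };
    });
}

// Constructed markup: the first form cancels paste and omits autocomplete (fails both
// concerns); the second allows paste and identifies input purpose.
const FAILING_FORM = `
<form><input type="text" name="user" onpaste="return false">
<input type="password" name="pw" onpaste="event.preventDefault()"></form>`;
const PASSING_FORM = `
<form><input type="text" name="user" autocomplete="username">
<input type="password" name="pw" autocomplete="current-password"></form>`;

console.log(auditLoginFields(FAILING_FORM), auditLoginFields(PASSING_FORM));
```

A field flagged only for a missing purpose token still passes the paste-based reading of 3.3.7 described in the thread; it is the blocksPaste flag that marks the minimum failure.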