Removing overlapping content #2046

Merged
merged 6 commits into from
Sep 21, 2021
6 changes: 4 additions & 2 deletions guidelines/sc/22/accessible-authentication.html
Expand Up @@ -5,7 +5,9 @@ <h4>Accessible Authentication</h4>
<p class="conformance-level">AA</p>
<p class="change">New</p>

<p>For each step in an authentication process that relies on a <a>cognitive function test</a>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test, except when the cognitive function test is to recognise common objects or content the user provided to the website. </p>
<p class="note">Objects and content may include images, text or audio.</p>
<p>For each step in an authentication process that relies on a <a>cognitive function test</a>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.</p>
<p>Exception: When the cognitive function test is to recognize common objects or content the user provided to the website.</p>
<p class="note">Common objects and content for the exception may be represented by images, text, video or audio.</p>
<p class="note">Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.</p>

</section>
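Review bot: the new `<p>Exception: When the cognitive function test is to recognize common objects or content the user provided to the website.</p>` is a sentence fragment placed outside the normative sentence, and as a bare `<p>` it is not visually or structurally distinguished from the requirement the way the two `class="note"` paragraphs are; consider making it a complete sentence ("This requirement does not apply when the cognitive function test is to recognize ...") or confirming that the build treats it as part of the normative text. The mechanisms note would read better as a `<ul>` than as inline "1) ... and 2) ...". The spelling change from "recognise" to "recognize" matches "memorization" in the added note, which is good.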
54 changes: 18 additions & 36 deletions understanding/22/accessible-authentication-no-exception.html
Expand Up @@ -6,7 +6,7 @@
<link rel="stylesheet" type="text/css" href="../../css/editors.css" class="remove"></link>
</head>
<body>
<h1>Understanding Accessible Authentication</h1>
<h1>Understanding Accessible Authentication (No Exception)</h1>

<section id="status" class="advisement">
<h2>Status</h2>
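Review bot: the `<h1>` now reads "Understanding Accessible Authentication (No Exception)", but the `<title>` element in `<head>` sits above this hunk's first context line and is not shown in the diff; confirm it was renamed too so the document title, browser tab and any generated link text agree with the heading.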
Expand Down Expand Up @@ -41,37 +41,31 @@ <h2>Cognitive function test definition</h2>
</section>

<section id="intent">
<h2>Intent of Accessible Authentication</h2>
<h2>Intent of Accessible Authentication (No Exception)</h2>

<p>The purpose of this success criterion is to ensure there is an accessible, easy-to-use, and secure method to log in and access content. Most web sites rely on usernames and passwords for logging in. Memorizing a username and password (or transcribing it manually) places a very high or impossible burden upon people with certain cognitive disabilities.</p>

<p>Remembering a site-specific password is a <a>cognitive function test</a>. Such tests are known to be problematic for many people with cognitive disabilities. Whether it is remembering random strings of characters, a pattern gesture to perform on a touch screen, or identifying which images include a particular object, cognitive function tests will exclude some people. When a cognitive function test is used, at least one other authentication method must be available which is not a cognitive function test.</p>
<p>The purpose of this success criterion is to ensure there is an accessible, easy-to-use, and secure method to log in and access content. This criterion is the same as <a href="accessible-authentication">Accessible Authentication</a> but without the exceptions for common objects and user-provided content.</p>

<p>If there is more than one step in the authentication process, such as with multi-factor authentication, all steps should comply with this success criterion. There should be a path through authentication that does not rely on cognitive function tests.</p>

<p>Being able to recover or change the email and password is an important part of authentication. If the user is authenticating with alternative information in order to recover their account, there needs to be a method that is not a cognitive function test.</p>

<p>Web sites can employ username (or email) and password inputs as an authentication method if it enables the user-agent (browsers and 3rd party password managers) to fill in the fields automatically. If the login form meets <a href="identify-input-purpose">Success Criterion 1.3.5 Input Purpose</a>, and the form controls have an appropriate accessible name in accordance with <a href="name-role-value">Success Criterion 4.1.2 Name, Role, Value</a>, the user-agent can reliably recognize the fields and automatically fill them in. However, if the user-agent is blocked from filling in the fields by a script then the page would not pass this criterion because it prevents the mechanism from working.</p>

<p>Copy and paste can be relied on to avoid transcription. Users can copy their login credentials from a local source (such as a standalone 3rd party password manager) and paste it into the username and password fields on a login form, or into a web-based command line interfaces asking for a password. Blocking people from pasting into authentication fields, or using a different format between the copied text and the input field (e.g. "Enter the 3rd, 4th, and 6th character of your password"), would force the user to transcribe information and therefore fail this criterion, unless another method is available.</p>

<p>If a <a href="https://www.w3.org/TR/turingtest/">CAPTCHA</a> is used as part of an authentication process, there must be a method that does not include a cognitive function test. If the test is based on something the website has set such as remembering or transcribing a word, or recognizing a picture the website provided, that would be a cognitive functional test. Recognizing common objects, or a picture the user has provided, would not be a cognitive function test. Some forms of object recognition may require an understanding of a particular culture. For example, taxis can appear differently in different locales. This is an issue for many people, including people with disabilities, but it is not considered an accessibility-specific issue.</p>

<p>Some CAPTCHAs and cognitive function tests used for authentication may only appear in certain situations, such as when ad blockers are present, or after repeated incorrect password entry. This criterion applies when these tests are used regardless of whether they are used every time or only triggered by specific scenarios.</p>

<p>Another factor that can contribute to cognitive load is hiding characters when typing. Although this criterion requires that users do not have to type in (transcribe) a password, there are scenarios where that is necessary such as creating a password to be saved by a password manager. Providing a feature to optionally show a password can improve the chance of success for some people with cognitive disabilities or those who have difficulties with accurately typing.</p>
<p>The scenarios where the two exceptions might apply are authentication mechanisms which:</p>
<ul>
<li>display a selection of images, and the user must choose which image they provided;</li>
<li>display a selection of items as text, and the user must choose which they had provided;</li>
<li>display a selection of images, and the user must choose the images which contain a common object such as a car.</li>
</ul>


</section>
<section id="benefits">
<h2>Benefits of Accessible Authentication</h2>
<h2>Benefits of Accessible Authentication (No Exception)</h2>

<p>The benefits of this success criterion are similar to Accessible Authentication.</p>

<p>People with cognitive issues relating to memory, reading (e.g. dyslexia), numbers (e.g. dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.</p>

</section>

<section id="examples">
<h2>Examples of Accessible Authentication</h2>

<h2>Examples of Accessible Authentication (No Exception)</h2>
<p>The examples of this success criterion are similar to Accessible Authentication.</p>
<ul>
<li>A web site uses a properly marked up username (or email) and password fields as the login authentication (meeting <a href="identify-input-purpose">Success Criterion 1.3.5 Input Purpose</a> and <a href="name-role-value">Success Criterion 4.1.2: Name, Role, Value</a>). The user's browser or integrated 3rd party password manager extension can identify the purpose of the inputs and automatically fill in the username and password.</li>
<li>A web site does not block paste functionality. The user is able to use a 3rd party password manager to store credentials, copy them, and paste them directly into a login form.</li>
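Review bot: the Intent section now collapses to a single sentence and loses the paragraph stating that tests which only appear in some situations (ad blockers present, repeated incorrect password entry) still count; since this is the criterion under which common-object and user-provided-content recognition also need an alternative method or assistance, one sentence saying what additionally applies at this level would help readers who land here rather than on the main page. The Benefits and Examples intros say "similar to Accessible Authentication" without the link the Intent paragraph uses; reuse `<a href="accessible-authentication">Accessible Authentication</a>` there. The two example bullets kept below "The examples of this success criterion are similar to Accessible Authentication" still duplicate the main page verbatim, which is the overlap the PR title sets out to remove.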
Expand All @@ -84,7 +78,7 @@ <h2>Examples of Accessible Authentication</h2>


<section id="techniques">
<h2>Techniques for Accessible Authentication</h2>
<h2>Techniques for Accessible Authentication (No Exception)</h2>


<section id="sufficient">
Expand Down Expand Up @@ -112,29 +106,17 @@ <h3>Sufficient Techniques for Accessible Authentication</h3>
</section>

<section id="advisory">
<h3>Additional Techniques (Advisory) for Accessible Authentication</h3>
<h3>Additional Techniques (Advisory) for Accessible Authentication (No Exception)</h3>

</section>

<section id="failure">
<h3>Failures for Accessible Authentication</h3>
<h3>Failures for Accessible Authentication (No Exception)</h3>

</section>

</section>
<section id="resources">
<h2>Resources</h2>

<ul>
<li><a href="https://rawgit.com/w3c/coga/master/issue-papers/privacy-security.html">Security and Privacy Technologies issue paper from the Cognitive Task Force</a>.</li>
<li><a href="https://www.w3.org/TR/webauthn/">WebAuthN specification</a>.</li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication API on MDN</a>.</li>
<li><a href="https://webauthn.io/">WebAuthN Demo site</a>.</li>
<li><a href="https://en.wikipedia.org/wiki/OAuth">OAuth on Wikipedia</a>.</li>
<li><a href="https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords">"Let them paste passwords", from the UK's National Cyber Security Centre</a></li>
</ul>

</section>

</body>
</html>
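Review bot: the hunk header's context line still shows `<h3>Sufficient Techniques for Accessible Authentication</h3>` while the Advisory and Failures headings in this hunk gain "(No Exception)"; rename it for consistency. Deleting the Resources section removes the WebAuthn references and the NCSC "Let them paste passwords" post from this page; the main Understanding page's Resources section is not part of this diff, so confirm those links are present there, or replace the deleted section with a pointer to it rather than dropping the references entirely.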
8 changes: 5 additions & 3 deletions understanding/22/accessible-authentication.html
Expand Up @@ -20,8 +20,10 @@ <h2>Accessible Authentication Success Criteria text</h2>
<p class="conformance-level">AA</p>


<p>For each step in an authentication process that relies on a <a>cognitive function test</a>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test, except when the cognitive function test is to recognise common objects or content the user provided to the website. </p>
<p class="note">Objects and content may include images, text or audio.</p>
<p>For each step in an authentication process that relies on a <a>cognitive function test</a>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.</p>
<p>Exception: When the cognitive function test is to recognize common objects or content the user provided to the website.</p>
<p class="note">Common objects and content for the exception may be represented by images, text, video or audio.</p>
<p class="note">Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.</p>

</blockquote>
<h2>Cognitive function test definition</h2>
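Review bot: this hunk pastes the same success criterion text that was changed in guidelines/sc/22/accessible-authentication.html into a second copy, and the two copies had already drifted before this PR (the "Objects and content may include" note and "recognise" spelling differ only because both were edited by hand). If the build can include the SC text from the guidelines source, that removes the overlap this PR is about; otherwise add an HTML comment above the `<blockquote>` saying the text must be kept in sync with the guidelines file. The standalone `<p>Exception: When ...</p>` fragment has the same issue here as in the guidelines file.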
Expand Down Expand Up @@ -59,7 +61,7 @@ <h2>Intent of Accessible Authentication</h2>

<p>Copy and paste can be relied on to avoid transcription. Users can copy their login credentials from a local source (such as a standalone 3rd party password manager) and paste it into the username and password fields on a login form, or into a web-based command line interfaces asking for a password. Blocking people from pasting into authentication fields, or using a different format between the copied text and the input field (e.g. "Enter the 3rd, 4th, and 6th character of your password"), would force the user to transcribe information and therefore fail this criterion, unless another method is available.</p>

<p>If a <a href="https://www.w3.org/TR/turingtest/">CAPTCHA</a> is used as part of an authentication process, there must be a method that does not include a cognitive function test. If the test is based on something the website has set such as remembering or transcribing a word, or recognizing a picture the website provided, that would be a cognitive functional test. Recognizing common objects, or a picture the user has provided, would not be a cognitive function test. Some forms of object recognition may require an understanding of a particular culture. For example, taxis can appear differently in different locales. This is an issue for many people, including people with disabilities, but it is not considered an accessibility-specific issue.</p>
<p>If a <a href="https://www.w3.org/TR/turingtest/">CAPTCHA</a> is used as part of an authentication process, there must be a method that does not include a cognitive function test. If the test is based on something the website has set such as remembering or transcribing a word, or recognizing a picture the website provided, that would be a cognitive functional test. Recognizing common objects, or a picture the user has provided is a cognitive function test, however, it is excepted at the AA level. Some forms of object recognition may require an understanding of a particular culture. For example, taxis can appear differently in different locales. This is an issue for many people, including people with disabilities, but it is not considered an accessibility-specific issue.</p>

<p>Some CAPTCHAs and cognitive function tests used for authentication may only appear in certain situations, such as when ad blockers are present, or after repeated incorrect password entry. This criterion applies when these tests are used regardless of whether they are used every time or only triggered by specific scenarios.</p>

Expand Down
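Review bot: the rewritten sentence has a comma splice and a missing comma: "Recognizing common objects, or a picture the user has provided is a cognitive function test, however, it is excepted at the AA level." Suggest "Recognizing common objects, or a picture the user has provided, is a cognitive function test; however, it is covered by the exception in this criterion, while Accessible Authentication (No Exception) does not except it." Earlier in the same added line, "that would be a cognitive functional test" should read "cognitive function test", matching the defined term linked above.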