RE: Accessible Authentication from Karen Lewellen on 2023-11-14 (w3c-wai-ig@w3.org from October to December 2023)

From: Karen Lewellen <klewellen@shellworld.net>
Date: Tue, 14 Nov 2023 16:12:40 -0500 (EST)
To: Kevin Prince <kevin.prince@fostermoore.com>
cc: Steve Green <steve.green@testpartners.co.uk>, "w3c-wai-ig@w3.org" <w3c-wai-ig@w3.org>
Message-ID: <Pine.LNX.4.64.2311141608550.3411794@users.shellworld.net>
Actually, that raises a different unique question.
How much energy is spent being sure the individual  who must apply these 
documents knows how that should be done?
After all, I have heard more than once that some find the guidelines 
overwhelming, hard to understand, confusing, challenging to apply to their 
real situation etc.
If you  as insiders are needing to discuss where the meaning of  things 
can be best understood, and some authorities do what Kevin shares here..is 
not that a problem for the end user just wanting access?
Kare



On Tue, 14 Nov 2023, Kevin Prince wrote:

> That's an interesting definition of the Understanding documents which are declared as not normative in the guidelines.  (and we are required by one of our authorities to ONLY apply the normative F:xy failures in the checkpoint). If they are seen as being overriding then needs to be clear: and they need to be more comprehensive than they are.
>
> Thanks Steve.
>
> Kevin
>
> From: Steve Green <steve.green@testpartners.co.uk>
> Sent: Wednesday, November 15, 2023 9:38 AM
> To: Kevin Prince <kevin.prince@fostermoore.com>; w3c-wai-ig@w3.org
> Subject: RE: Accessible Authentication
>
> I agree that that's how it should work, but in a recent discussion regarding the Parsing success criterion (for which the Understanding page invents constraints that are not mentioned in the normative text) I was informed by an authoritative source that the Understanding document does indeed override the normative text. Or to be more precise, it explains how the normative text must be applied.
>
> No one is saying that login isn't an authentication process. It's the opposite - we are saying that there are authentication processes that do not relate to login. The Understanding page specifically excludes these, while the normative text does not. And for clarity, we are not talking about CAPTCHAs - they are not relevant to this discussion.
>
> The really strange thing is that the Understanding page doesn't just make one reference to login pages. Every note, example and technique refers to them. In fact, the Understanding page doesn't even mention any other use of authentication. That's why it's so bizarre that the normative text doesn't mention any limitation to login pages or anything else.
>
> Steve
>
>
> From: Kevin Prince <kevin.prince@fostermoore.com<mailto:kevin.prince@fostermoore.com>>
> Sent: Tuesday, November 14, 2023 8:19 PM
> To: Steve Green <steve.green@testpartners.co.uk<mailto:steve.green@testpartners.co.uk>>; w3c-wai-ig@w3.org<mailto:w3c-wai-ig@w3.org>
> Subject: RE: Accessible Authentication
>
> Surely a login is an authentication process. The Understanding document isn't normative: the checkpoint is.
>
> I agree it's possibly sloppy but there's no way 3.3.8 applies to only log in as it would say so in the normative process.
>
> Kevin
> Kevin Prince
> Product Accessibility & Usability Consultant
>
> Foster Moore
> A Teranet Company
>
> E kevin.prince@fostermoore.com<mailto:kevin.prince@fostermoore.com>
> Christchurch
> fostermoore.com<http://www.fostermoore.com/>
>
> Kevin Prince
> Product Accessibility & Usability Consultant
>
>
> Foster Moore
> A Teranet Company
>
>
> E kevin.prince@fostermoore.com
> Christchurch
> fostermoore.com
>
> -----Original Message-----
> From: Steve Green <steve.green@testpartners.co.uk<mailto:steve.green@testpartners.co.uk>>
> Sent: Tuesday, November 14, 2023 8:21 AM
> To: w3c-wai-ig@w3.org<mailto:w3c-wai-ig@w3.org>
> Subject: Accessible Authentication
>
> The normative text of SC 3.3.8 says "A cognitive function test ... is not required for any step in an authentication process unless ..."
>
> There is no mention of a login process in the normative text, yet the Understanding page is entirely devoted to the login process and says the SC does not apply to anything else.
>
> However, it is not uncommon to have further authentication processes when you are already logged in. For instance, every time I add a new recipient to my bank account, I have to go through an authentication process. I sometimes have to when making payments, if they are outside some parameters the bank has set. According to the normative text, the SC would apply to these processes, but according to the Understanding page, it doesn't.
>
> I'm not sure if I have a question or if I just need to have a rant about the bad wording. Again. What is the point of normative text if its meaning can be changed so substantially by the non-normative Understanding page? If the SC was only supposed to apply to login pages, why doesn't it say so in the normative text? It would only have added three or four words.
>
> Didn't anyone (including me) notice this during the lengthy review period? Or did the wording change late in the process?
>
> Regards,
> Steve Green
> Managing Director
> Test Partners Ltd
> 020 3002 4176 (direct)
> 0800 612 2780 (switchboard)
> 07957 246 276 (mobile)
> 020 7692 5517 (fax)
> Skype: testpartners
> steve.green@testpartners.co.uk<mailto:steve.green@testpartners.co.uk>
> http://www.testpartners.co.uk/
>
> Connect to me on LinkedIn - http://uk.linkedin.com/in/stevegreen2
>
Received on Tuesday, 14 November 2023 21:12:49 UTC