SC Shortname

User authentication methods

SC Text

At least one user authentication method is offered that does not rely on a user's ability to:

  • memorize character strings or;
  • correctly identify and enter numbered characters from a character string or;
  • perform calculations or;
  • speak or;
  • reliably produce gestures or;
  • recognise characters presented on screen and then enter them into an input field.

Exception: A user identification method that relies on one of the above abilities can be the only method if that ability is essential to make effective use of the content accessed via the user authentication method.

[This replaces part of the following original proposed SC:

[When there is a barrier between the content and the user that requires additional abilities an alternative is provided that does not require additional abilities.]

[Additional abilities include cognitive functions that are required, but are not necessary to achieve the main task for which the content was designed, such as:]

  • Capture or security mechanisms that require copying, spelling or memory skills;
  • Interactive communication systems, voice menu systems such as Voice XML automated customer service portals, which require the user to have a good working (transitory) memory. The user needs to hold pieces of transitory information in mind, such as the number that is being presented as an option, whilst processing the terms that follow.
  • Hiding of critical features under categories that are hard to understand, such as a Web of Things interface that requires the user to understand the word "mode" to get to easy-to-understand options.]

Exception: There is an exception when there is not a known alternative that provides the same main function and does not rely on additional abilities. A known alternative can be a WCAG technique, a W3C note, or in the documentation of the platform.]

Suggestion for Priority Level (A/AA/AAA)

AA

Related Glossary additions or changes

None?

What Principle and Guideline the SC falls within.

This topic is directly related to Principle 2 "Operable", as failure to successfully overcome the user authentication barriers will mean that the user is unable to access and make use of the underlying content.

Description

The intent of the SC is to ensure that, if a user is able to make use of the content that they are seeking, they do not encounter a barrier that prevents them from accessing it.

Most user interfaces are designed to help users complete tasks. However, web security and privacy technologies intentionally introduce barriers to task completion. They require users to perceive more and to do more to complete tasks.

Many user authentication methods rely on trying to differentiate between a human and software that tries to hijack the user's identity (robots). The most common way to try to make this distinction is to present a task that relies on human abilities: one that a human can "easily" do and that is almost impossible for software to reproduce. These methods can frequently be quite challenging even for people who have a high level of the relevant ability. For people who have a lower level of the relevant ability, the authentication task frequently presents an insurmountable barrier.

The six abilities referred to in the SC are those that are frequently employed in user authentication methods. The SC asks that at least one method be offered that does not rely on any of these abilities.

Benefits

Users will be able to successfully complete a user authentication procedure even though they have limited levels of the cognitive abilities specified in the SC.

Related Resources

Resources are for information purposes only, no endorsement implied.

Relevant resources:

Relevant issue papers:

Testability

Inspection of the set of user authentication methods offered by the web service to see whether one is offered that does not involve the six specified human abilities.

Techniques

TBD. Methods would include automatic user authentication based on the use of a trusted device (to which the user has already logged in with their own identity).

Working groups notes (optional)