Re: Accessible Authentication

There is a related GitHub issue for this, which people might find useful / interesting:


From: Juliette McShane Alexandria
Date: Monday, November 13, 2023 at 11:38
To: Steve Green
Subject: Re: Accessible Authentication
Great point, Steve. We've also had internal confusion over things like reCAPTCHA used as part of submitting a contact form.

Some clarity around what this SC does or does not apply to would be wonderful.

On 11/13/2023 11:29:10 AM, Steve Green wrote:
The normative text of SC 3.3.8 says "A cognitive function test ... is not required for any step in an authentication process unless ..."

There is no mention of a login process in the normative text, yet the Understanding page is entirely devoted to the login process and says the SC does not apply to anything else.

However, it is not uncommon to have further authentication processes when you are already logged in. For instance, every time I add a new recipient to my bank account, I have to go through an authentication process. I sometimes have to when making payments, if they are outside some parameters the bank has set. According to the normative text, the SC would apply to these processes, but according to the Understanding page, it doesn't.

I'm not sure if I have a question or if I just need to have a rant about the bad wording. Again. What is the point of normative text if its meaning can be changed so substantially by the non-normative Understanding page? If the SC was only supposed to apply to login pages, why doesn't it say so in the normative text? It would only have added three or four words.

Didn't anyone (including me) notice this during the lengthy review period? Or did the wording change late in the process?

Steve Green
Managing Director
Test Partners Ltd

Received on Monday, 13 November 2023 19:48:03 UTC