WCAG 2.2 public comment - 3.3.7 Accessible Authentication

Accessibility Guidelines WG,

I’m Yao Ding, an Accessibility Researcher at Facebook. I’m representing the Consumer Deployment WG of the FIDO Alliance (https://fidoalliance.org/) to provide comments and seek clarification on 3.3.7 Accessible Authentication.

We have two main questions:

  1.  Clarify if providing WebAuthN is a sufficient technique even if in some cases the authenticator only supports PIN.
     *   Understanding 3.3.7 (https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication.html) lists “Providing WebAuthN” as a sufficient technique.
     *   The “Examples” language – “Common methods on laptops and phones are facial-scan, fingerprint, and pin number. The web site is not enforcing any particular use, it is assumed a user will setup a method that suits them.” – seems to suggest that PIN is always one of multiple options that the user can choose from. We don’t think it’s accurate because when we deploy WebAuthN, WebAuthN does not provide any information on what modality an authenticator supports. In some cases, the authenticator may only support PIN.
     *   As per the definition of “cognitive function test”, memorizing a PIN is seemingly a cog test.
     *   Based on the above premise, will providing WebAuthN still pass 3.3.7 even in cases where the authenticator only supports PIN?
  2.  Clarify if passwordless authentication would pass 3.3.7
     *   Passwords are known to be weak against phishing, and the industry is moving towards authentication without relying on passwords.
     *   Is it accurate to say that as long as the passwordless auth doesn’t rely on a cognitive function test, it passes 3.3.7?
     *   If yes, may we provide examples of FIDO passwordless authentication to be included as examples or sufficient techniques?

Your response would be much appreciated!

Regards,
Yao


Yao Ding
Accessibility Researcher

Received on Thursday, 23 September 2021 08:07:30 UTC
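The point in question 1 above, that a relying party deploying WebAuthn cannot tell which modality the authenticator used, can be seen directly in the data the browser hands back. The following is an added example written for this archive page; it is not code from the original message, from the FIDO Alliance, or from the WCAG working group. It parses the fixed prefix of WebAuthn authenticator data (rpIdHash, flags byte, signature counter, as defined in the WebAuthn specification) and shows that the only verification-related facts exposed are the UP (user present) and UV (user verified) flag bits. The RP name, user name and the all-zero rpIdHash in the sample are constructed placeholders.

```javascript
// Added example, not part of the original mailing-list message.
// Parses WebAuthn authenticator data and reports what a relying party can
// actually learn about the user-verification step.

// Flag bits in the authenticator data "flags" byte, per the WebAuthn spec.
const FLAG_UP = 0x01; // user present (e.g. touched the authenticator)
const FLAG_UV = 0x04; // user verified (PIN, fingerprint, face, ... not distinguished)
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

// Parse the fixed-length prefix of authenticator data:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags: {
      userPresent: (flags & FLAG_UP) !== 0,
      userVerified: (flags & FLAG_UV) !== 0,
      attestedCredentialData: (flags & FLAG_AT) !== 0,
      extensionData: (flags & FLAG_ED) !== 0,
    },
    signCount: view.getUint32(33, false),
  };
}

// What the relying party can conclude from the flags alone. The UV bit says
// that *some* user verification happened on the authenticator; it does not
// say whether that was a PIN, a fingerprint, or a face scan.
function describeUserVerification(parsed) {
  if (!parsed.flags.userPresent) {
    return "no user presence: reject";
  }
  if (!parsed.flags.userVerified) {
    return "user present only: no PIN or biometric check was performed";
  }
  return "user verified by an unknown modality (PIN, fingerprint, face, ...)";
}

// Constructed sample: all-zero rpIdHash placeholder (a real response carries
// SHA-256 of the RP ID), the given flags byte, and signCount = 1.
function sampleAuthenticatorData(flagsByte) {
  const buf = new Uint8Array(37);
  buf[32] = flagsByte;
  buf[36] = 1; // low byte of the big-endian 32-bit counter
  return buf;
}

// Creation options a relying party passes to navigator.credentials.create().
// userVerification: "required" forces the UV step, but there is no field to
// request or discover a particular modality; RP/user values are placeholders.
function creationOptionsRequiringUV(challenge, userId) {
  return {
    publicKey: {
      rp: { name: "example-rp.test" },
      user: { id: userId, name: "user@example.test", displayName: "Example User" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { userVerification: "required" },
    },
  };
}

// Stand-alone run: compare a UV response with a presence-only response.
console.log(describeUserVerification(parseAuthenticatorData(sampleAuthenticatorData(FLAG_UP | FLAG_UV))));
console.log(describeUserVerification(parseAuthenticatorData(sampleAuthenticatorData(FLAG_UP))));
```

The consequence for a relying party is that requiring user verification is the strongest server-side control available: it guarantees a PIN or biometric gate was passed, but any policy that depends on *which* gate (for instance, avoiding a memorised secret for accessibility reasons) has to be enforced at authenticator enrolment on the user's device rather than from the WebAuthn response.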