RE: [EXTERNAL] [turingtest] Accessible Authentication

Thank you for the question, which raises interesting issues. To answer it directly:

  1.  The proposed WCAG 2.2 success criteria 3.3.7 and 3.3.8 didn’t exist, at least in their current form, when the CAPTCHA Note was last significantly revised circa 2019; and they were controversial at that time. They presently remain proposals only, as WCAG 2.2 is not yet in Candidate Recommendation or beyond. We can consider whether to refer to them in a subsequent draft of the CAPTCHA Note, as the proposals are relevant in this context.
  2.  More substantially, it is not clear that 3.3.7 or 3.3.8 addresses the CAPTCHA phenomenon. In particular, if we read 3.3.7 and 3.3.8 in conjunction with the “CAPTCHA” item in success criterion 1.1.1, then it makes sense to interpret 1.1.1 as allowing perception-based CAPTCHA challenges, as long as alternatives relying on different senses are available. One can then interpret “authentication” in 3.3.7 and 3.3.8 as referring only to verifying the identity of the user – and not to determining whether the user is human, which is the distinctive function served by CAPTCHA challenges. In addition, it is not clear that tasks requiring the user to recognize objects or characters in images, spoken words, etc., involve “memorization” in the sense in which this term is used in the definition of “cognitive function test” in the WCAG 2.2 proposal. Thus, WCAG 2.2 is arguably best interpreted as not changing the status quo with respect to CAPTCHA, as established by success criterion 1.1.1 in WCAG 2.0.
If the intention of the Accessibility Guidelines Working Group is to override the explicit statements about CAPTCHA in 1.1.1, then this will need to be made very clear, in my opinion. The only consistent reading of the draft as a whole at the moment appears to be to interpret 3.3.7 and 3.3.8 as not addressing CAPTCHA, at least of the kind which is expressly permitted under 1.1.1.

From: Rochford, John <john.rochford@umassmed.edu>
Sent: Tuesday, 28 December 2021 6:29
To: public-apa@w3.org
Subject: [EXTERNAL] [turingtest] Accessible Authentication

CAUTION: This email originated from outside of our organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello Editors,
Great Inaccessibility of CAPTCHA doc<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.org%2FTR%2Fturingtest%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=gQylYoY%2Fspk5jDlPFtGGGP5xgeulL9gQzbjKKF%2FGsQI%3D&reserved=0>! Very thorough.

Why is there no mention of the proposed Accessible Authentication SC 3.3.7<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23accessible-authentication&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4cuHHJ5bSdbDac1MaE4whwlIxqqXaGUR8mlsbsgGDUo%3D&reserved=0>?


John

John Rochford
University of Massachusetts Medical School
Eunice Kennedy Shriver Center
Director, INDEX Program
Faculty, Family Medicine & Community Health
DisabilityInfo.org<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.disabilityinfo.org%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=jJX0eogZo%2B7jQf3wbKtkvy%2FdpP%2FQ4rOuSEKD5fiSdgk%3D&reserved=0>
EasyText.AI<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Feasytext.ai%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=xZPx%2B3z8eH2zQxnQIS6wsZOxrz%2FEu2OOlp0m231LQX4%3D&reserved=0>
LinkedIn<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fjohn-rochford%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=x2C1wxLbAMD3p1u9OsFNhG6E5SV%2BkDZct5F295Ja4Jw%3D&reserved=0>
About Me<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fabout.me%2Fjohnrochford&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=3LMgZHUUDtFR8tQ7ugG3AKW7UVtsdev%2Bvpd22Zju6gQ%3D&reserved=0>
Schedule a meeting with me.<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbit.ly%2FCallJR&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=ykx8Px1lkwwbfddzmTh5NAJZj0YL%2Fg%2BYTaKaOkKJRI0%3D&reserved=0>

Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential, proprietary, and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender immediately and destroy or permanently delete all copies of the original message.


________________________________

This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.


Thank you for your compliance.

________________________________