Re: Feedback on Success Criterion 2.2.6 Accessible Authentication

Hi Lisa,

Well, it means we have several different requirements going on (for this late stage):


  1.  A user requirement to make use of the built-in password manager in the browser.
If you use the built in one, then your authentication is via the OS, e.g. touch ID, or whatever you use to login to the computer.

  2.  A content requirement to not prevent password managers (for which we do not have text, and it doesn’t fit into the current text easily).

  3.  A content/functionality requirement to use a method that doesn’t require remembering / copying for re-authentication.

These are three different things, and having the first makes the third (current text) redundant.

I’d be happy to have an SC about not blocking password managers, it would fit nicely under guideline 4.1, something like:
“Authentication tools: User interface components which gather authentication credentials do not prevent automatic entry.”

NB: Not marking up an input as password properly could be failed under 1.3.1 and possibly 4.1.1 already.

However, we are a bit late in the 2.1 cycle for a new SC!

So the question is:

Would you like to proceed with this (in my view) redundant SC requiring sites to provide a non-password method of re-authentication for single-factor auth?

The only other (useful) option I can see is that we assume people can use a password manager.

In which case, we could re-scope the SC to ensure that sites which do use 2 factor make it simpler for re-authentication:
-----------
Essential steps of a multi-factor re-authentication process which relies on recalling or transcribing information has alternative essential steps which do not rely upon recalling or transcribing information, unless there are legal requirements for a recall or transcribe method of authentication.
-----------

That basically says: You can use username/password, but for 2nd factor you have to provide a mechanism for re-authentication which doesn’t require typing things in.

The options for that are then:

  *   Save the person’s cookie, only re-auth after 30 days or with a new browser.
  *   WebAuth (later).
  *   ‘Magic’ link.

Having it apply to second-factor re-auth makes it more feasible, it would have a chance.

-Alastair

Received on Friday, 1 December 2017 12:41:15 UTC