Re: COGA action requested: please review draft response to Accessible Authentication show password issue

On 04/07/2021 22:34, Abi James wrote:
> Hi Rain
> 
> When I’ve been involved in discussions it’s been clear that entering a 
> password is a cognitive function test whether you can see the characters 
> or not. So a site owner still has to allow a mechanism to help users 
> enter a correct password even if characters are visible. Sites would 
> still need to allow copy/paste or an alternative authentication 
> mechanism. I strongly support recommending it as best practice in the 
> understanding document such as
> 
> *Another factor that can improve the chances of success for people with 
> cognitive disabilities is being able to see the password as it is typed 
> or afterwards to check it. Password visibility does not remove the 
> cognitive demands of transcribing a password, but it is a **good way of 
> reducing the cognitive load, so including a feature to optionally show 
> the password is very helpful.*

Agree.

> However, requiring that password characters are visible is widening the 
> scope of success criteria and would need more consideration and 
> consultation e.g.
>   - do characters have to be visible while typing or can they be shown 
> afterwards?

Why would this be important? Would it improve security? Ease developers' 
work? Something else? Or what impact would it have on users? If 
"afterwards", what if the user wants to edit it? I note that if there is a 
button to toggle visibility the user can choose both options.

>   - would native HTML/OS fields which obscure passwords by default be exempt?
>   - are there security implications of showing the password field that bring 
> unintended consequences, e.g. a screen reader will read aloud the 
> password entry in a field when focus is moved onto it, which the user may 
> not have anticipated, introducing a security risk if they are in a public 
> place?

Ah yes - some modes of access or context may unintentionally share the 
field content - good point.

> - is users' trust of a website’s security altered if passwords are visible?

Interesting thought. Is there any research on this?

> 
> Abi
> 
> On 4 Jul 2021, at 19:05, Rain Michaels <rainb@google.com> wrote:
> 
> Hello Abi,
> 
> Thank you for your response. This is an important consideration.
> 
> Following up, I'd like to see if there is a way we can address the 
> group's concerns while still only including it as a best practice.
> 
> Here is the proposed text that is currently in the pull request:
> 
> *“Another factor that can improve the chances of success for people with 
> cognitive disabilities is being able to see the password as it is typed. 
> Password visibility is not a requirement of this criterion, but a good 
> way of reducing the cognitive load, so including a feature to optionally 
> show the password is very helpful.”*
> 
> Our group expressed significant concern on the last task force meeting 
> because this language, including the word "helpful", seems to be in direct 
> contradiction with the functional definition of a cognitive function 
> test <https://www.w3.org/TR/WCAG22/#dfn-cognitive-function-test>, 
> which states:
> 
> *"A task that requires the user to remember, manipulate, or transcribe 
> information. Examples include, but are not limited to... 
> **transcription, such as typing in characters;..."*
> 
> Do you have thoughts on how we might be able to modify our proposed 
> response, written in the first paragraph above, to address these concerns?
> 
> Thank you,
> 
> Rain
> 
> On Sun, Jul 4, 2021 at 5:03 AM Abi James <A.James@soton.ac.uk> wrote:
> 
>     -1
> 
>     I would support adding this as best practice within the
>     understanding document but I would not support adding show password
>     as a requirement on all password fields. It should be included as an
>     example of a mechanism to support users (as there are many
>     approaches that can be used) along with other techniques.
> 
>     There are technical, security and regulatory requirements that can
>     inhibit show password being implemented. They are also difficult to
>     make accessible
>     <https://incl.ca/show-hide-password-accessibility-and-password-hints-tutorial/>.
>     This will lead to the success criteria being ignored by
>     organisations. It is already proving difficult to get large
>     organisations to accept the success criteria.
> 
>     Abi
> 
>     *From:* Rain Michaels <rainb@google.com>
>     *Sent:* 01 July 2021 20:57
>     *To:* public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
>     *Subject:* COGA action requested: please review draft response to
>     Accessible Authentication show password issue
> 
>     Hello COGA task force,
> 
>     We discussed a new response from COGA to SC 3.3.7 Accessible
>     Authentication - add requirement / control to "show password" for
>     end-users #1912 <https://github.com/w3c/wcag/issues/1912>.
>     Since the discussion was going long, we decided that I would try to
>     draft a response and share it with the group for comment.
> 
> 
>     The new draft response is ready for your comments below. You can
>     also review and suggest edits or make comments on the Google Doc
>     version
>     <https://docs.google.com/document/d/1SmAbdQG-ei1DrWewx61YX93gGsHUo_VM15-FDLlnP9M/edit#heading=h.o49dk19joyzp>
>     if that is easier.
> 
>     Thank you,
> 
>     Rain
> 
> 
>     *For context, our response to the original issue
>     <https://github.com/w3c/wcag/issues/1912#issue-923218389>:*
> 
>     As COGA, we recommend that there should be a feature that is a
>     toggle that says “show password/hide password” that enables the user
>     to see their password as they enter it. At the same time, this is
>     something that should be in the understanding document. This is
>     technically not a cognitive function test, which is what the SC is
>     about.
> 
>     *Summary of responses since ours:*
> 
>       * Alastair and Jake still felt it should be a new requirement
>       * Patrick felt that it would be okay to add it to the
>         understanding document as long as it was clear it was a best
>         practice or suggestion and not required to pass the success
>         criterion
>       * Alastair proposed adding this text to the understanding
>         document: “Another factor that can improve the chances of
>         success for people with cognitive disabilities is being able to
>         see the password as it is typed. Password visibility is not a
>         requirement of this criterion, but a good way of reducing the
>         cognitive load, so including a feature to optionally show the
>         password is very helpful.”
>       * *On our COGA TF call*, we had concerns about the use of the word
>         “helpful,” how this relates to “transcription” as a cognitive
>         function test, and whether this was going in the wrong direction.
> 
>     *Proposed new response following our COGA TF meeting:*
> 
>     This is a combined response from the COGA Task Force: After reading
>     the responses since our last comment (posted on June 24), we feel
>     more strongly now that this should be a requirement, but we also
>     feel that it is not a *new* requirement, and should, instead, be
>     part of this one.
> 
>     We have come to this conclusion after re-reading the functional
>     definition of a cognitive function test
>     <https://www.w3.org/TR/WCAG22/#dfn-cognitive-function-test>,
>     which clearly includes transcribing characters.
> 
>     SC 3.3.7 Accessible Authentication
>     <https://www.w3.org/TR/WCAG22/#accessible-authentication> reads
>     “For each step in an authentication process that relies on a
>     cognitive function test, at least one other authentication method is
>     available that does not rely on a cognitive function test, *or a
>     mechanism is available to assist the user in completing the
>     cognitive function test.*”
> 
>     The challenge is that for some individuals with cognitive
>     disabilities, password visibility may be essential. To frame it from
>     a user perspective: I need to see the password as I type it, and I
>     need to see the password after I type it with time to review.
> 
>     We (the COGA task force) realize that this is a challenging request
>     and has a lot of implications. Please advise on next steps so that
>     we can help bring this to resolution.
> 
>     *What you, COGA task force member, need to do:*
> 
>     Please either +1 or -1 this proposed new response. If -1, please
>     indicate why and what you would like us to do instead. *If possible,
>     please respond before July 3 so that we can post our response before
>     many are gone for the holidays.*
> 
>     Thank you,
> 
>     Rain
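One way to build the show/hide toggle this thread is debating, as an added example that is not code from the thread, from COGA or from any W3C document: it defaults to masked, exposes its state through aria-pressed so screen reader users know when the field has become readable, and re-masks when focus leaves the field, which bounds the exposure on a shared screen that Abi raised. attachPasswordToggle and makeStubElement are hypothetical names; the stub element is constructed only so the demo runs offline.

```javascript
// Added example (not from the thread or W3C): an accessible show/hide password
// toggle. attachPasswordToggle and makeStubElement are hypothetical names; they
// accept real DOM nodes or any object with the same small surface, so the demo
// at the bottom runs without a browser.
function attachPasswordToggle(input, button) {
  let visible = false; // masked by default; the user opts in each time
  function render() {
    input.type = visible ? 'text' : 'password';
    // aria-pressed makes the state audible to screen reader users, who may not
    // otherwise notice that the field is now readable aloud and on screen.
    button.setAttribute('aria-pressed', String(visible));
    button.textContent = visible ? 'Hide password' : 'Show password';
  }
  function setVisible(next) { visible = Boolean(next); render(); }
  // Visibility is optional assistance, not a gate: paste and password-manager
  // fill keep working whether the field is masked or not.
  button.addEventListener('click', () => setVisible(!visible));
  // Keep focus in the input on mouse click so the blur handler does not fire
  // first and flip the state twice.
  button.addEventListener('mousedown', (ev) => ev.preventDefault());
  // Re-mask when focus leaves the field, so a revealed value is not left on a
  // shared or public screen; tabbing to the toggle itself does not count.
  input.addEventListener('blur', (ev) => {
    if (ev.relatedTarget !== button) setVisible(false);
  });
  render();
  return { setVisible, isVisible: () => visible };
}
// Minimal stand-in for a DOM element, constructed only to run the demo offline.
function makeStubElement(type) {
  const listeners = {};
  return {
    type, textContent: '', attrs: {},
    setAttribute(name, value) { this.attrs[name] = value; },
    addEventListener(name, fn) { (listeners[name] = listeners[name] || []).push(fn); },
    dispatch(name, ev = { relatedTarget: null, preventDefault() {} }) {
      (listeners[name] || []).forEach((fn) => fn(ev));
    },
  };
}
// Reveal, tab to the toggle, then leave the field; record [type, aria-pressed, label].
function demoToggle() {
  const input = makeStubElement('password');
  const button = makeStubElement('button');
  attachPasswordToggle(input, button);
  const snap = () => [input.type, button.attrs['aria-pressed'], button.textContent];
  const trace = [snap()];
  button.dispatch('click');                          // user reveals the password
  trace.push(snap());
  input.dispatch('blur', { relatedTarget: button }); // tabbing to the toggle: stays
  trace.push(snap());
  input.dispatch('blur');                            // focus really leaves: re-masked
  trace.push(snap());
  return trace;
}
```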

Received on Monday, 5 July 2021 08:19:01 UTC