Re: COGA action requested: please review draft response to Accessible Authentication show password issue

Hi Abi,

I'm still working on fully understanding the nuance of the challenge here:

To confirm, some policies around security would consider allowing the *user
to control and toggle* between **** and seeing the password (in the moment,
with **** as default) unacceptable.

Am I understanding this correctly?

Thank you,

Rain



On Wed, Jul 7, 2021 at 2:32 AM Abi James <A.James@soton.ac.uk> wrote:

> Hi Lisa
>
> I am definitely not suggesting stopping pasting in passwords. This is to
> do with implementing seeing password characters and not *****.
>
> Abi
>
> Sent from my iPhone
>
> On 7 Jul 2021, at 09:04, Lisa Seeman <lisa1seeman@gmail.com> wrote:
>
> I am not sure I am following but I strongly disagree with diluting the
> wording of accessible authentication to allow crazy, non-pastable
> password ID combinations to be allowed just because you can view the
> password.
>
>
> Is that the proposal? My current bank has that and I have to call my
> accountant to login for me on a regular basis!
> It helps but another mechanism is much better!
>
> All the best
> Lisa
>
> On Thu, Jul 1, 2021 at 10:57 PM Rain Michaels <rainb@google.com> wrote:
>
>> Hello COGA task force,
>>
>> We discussed a new response from COGA to SC 3.3.7 Accessible
>> Authentication - add requirement / control to "show password" for end-users
>> #1912
>> <https://github.com/w3c/wcag/issues/1912>.
>> Since the discussion was going long, we decided that I would try to draft a
>> response and share it with the group for comment.
>>
>> The new draft response is ready for your comments below. You can also
>> review and suggest edits or make comments on the Google Doc version
>> <https://docs.google.com/document/d/1SmAbdQG-ei1DrWewx61YX93gGsHUo_VM15-FDLlnP9M/edit#heading=h.o49dk19joyzp>
>> if that is easier.
>>
>> Thank you,
>>
>> Rain
>>
>>
>> For context, our response to the original issue
>> <https://github.com/w3c/wcag/issues/1912#issue-923218389>:
>>
>> As COGA, we recommend that there should be a feature that is a toggle
>> that says “show password/hide password” that enables the user to see their
>> password as they enter it. At the same time, this is something that should
>> be in the understanding document. This is technically not a cognitive
>> function test, which is what the SC is about.
>>
>> Summary of responses since ours:
>>
>>    - Alastair and Jake still felt it should be a new requirement
>>    - Patrick felt that it would be okay to add it to the understanding
>>    document as long as it was clear it was a best practice or suggestion and
>>    not required to pass the success criterion
>>    - Alastair proposed adding this text to the understanding document: “Another
>>    factor that can improve the chances of success for people with cognitive
>>    disabilities is being able to see the password as it is typed. Password
>>    visibility is not a requirement of this criterion, but a good way of
>>    reducing the cognitive load, so including a feature to optionally show the
>>    password is very helpful.”
>>    - On our COGA TF call, we had concerns about the use of the word
>>    “helpful,” how this relates to “transcription” as a cognitive function
>>    test, and whether this was going in the wrong direction.
>>
>> Proposed new response following our COGA TF meeting:
>>
>> This is a combined response from the COGA Task Force: After reading the
>> responses since our last comment (posted on June 24), we feel more strongly
>> now that this should be a requirement, but we also feel that it is not a
>> new requirement, and should, instead, be part of this one.
>>
>> We have come to this conclusion after re-reading the functional
>> definition of a cognitive function test
>> <https://www.w3.org/TR/WCAG22/#dfn-cognitive-function-test>,
>> which clearly includes transcribing characters.
>>
>> SC 3.3.7 Accessible Authentication
>> <https://www.w3.org/TR/WCAG22/#accessible-authentication>
>> reads “For each step in an authentication process that relies on a
>> cognitive function test, at least one other authentication method is
>> available that does not rely on a cognitive function test, or a
>> mechanism is available to assist the user in completing the cognitive
>> function test.”
>>
>> The challenge is that for some individuals with cognitive disabilities,
>> password visibility may be essential. To frame it from a user perspective:
>> I need to see the password as I type it, and I need to see the password
>> after I type it with time to review.
>>
>> We (the COGA task force) realize that this is a challenging request and
>> has a lot of implications. Please advise on next steps so that we can help
>> bring this to resolution.
>>
>> What you, COGA task force member, need to do:
>>
>> Please either +1 or -1 this proposed new response. If -1, please indicate
>> why and what you would like us to do instead. If possible, please
>> respond before July 3 so that we can post our response before many are gone
>> for the holidays.
>>
>> Thank you,
>>
>> Rain
>>
>>
>>

Received on Wednesday, 7 July 2021 15:51:32 UTC