RE: Accessible authentication Updates

Thank you so much Rachael and Alastair and the explanations were very helpful but the only thing I wondered about was the sentence

"A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of:"

Is this one of the following:  meaning there is a choice of one of the items in the list
OR
at least one of:  meaning one alternative,  one mechanism, one recognition of object and one identification of own content?

I wonder if this could be clarified.

Best wishes
E.A.

Mrs E.A. Draffan
ECS , University of Southampton
Mobile +44 (0)7976 289103
http://access.ecs.soton.ac.uk<https://www.outlook.soton.ac.uk/owa/redir.aspx?C=69b1RzNTDwem3wbm4pLRmuYfTLt16YjcghtEpZBsF5Sebx78I2DUCA..&URL=http%3a%2f%2faccess.ecs.soton.ac.uk%2f>



From: Alastair Campbell <acampbell@nomensa.com>
Sent: 23 August 2022 15:55
To: Bradley-Montgomery, Rachael <rmontgomery@loc.gov>; public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Subject: Re: Accessible authentication Updates

CAUTION: This e-mail originated outside the University of Southampton.
Hi everyone,

With all the changes, this is the latest proposed versions:
https://raw.githack.com/w3c/wcag/accessible-auth-structure/understanding/22/accessible-authentication.html<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fraw.githack.com%2Fw3c%2Fwcag%2Faccessible-auth-structure%2Funderstanding%2F22%2Faccessible-authentication.html&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=cy4byaNSB7Mt3NcFh9pkAjKRIuevuAZE7B1%2FtikIp9c%3D&reserved=0>
https://raw.githack.com/w3c/wcag/accessible-auth-structure/understanding/22/accessible-authentication-no-exception.html<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fraw.githack.com%2Fw3c%2Fwcag%2Faccessible-auth-structure%2Funderstanding%2F22%2Faccessible-authentication-no-exception.html&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VA6SCJ7KCySJZ%2FPV7yMUcNAeeZlSzbt8wyVrm4GDZMM%3D&reserved=0>

Kind regards,

-Alastair

From: Bradley-Montgomery, Rachael <rmontgomery@loc.gov<mailto:rmontgomery@loc.gov>>
Date: Monday, 22 August 2022 at 13:58
To: public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org<mailto:public-cognitive-a11y-tf@w3.org>>
Cc: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>
Subject: FW: Accessible authentication Updates
Hello,

The list in the forwarded email (below my signature) are proposed changes to the Accessible Authenticaion SC. They are mostly editorial but I am sending to COGA to make sure there are no concerns. Please review this today or tomorrow and write back to this list and Alastair if you have concerns.

I am summarizing the first three changes (2, 3, and New Issue 2) together directly below indicated in bold green to make review easier. Hopefully Alastair will correct this if I've misrepresented anything.
Current 3.3.7 Accessible Authentication

For each step in an authentication process that relies on a cognitive function test<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8DT3aEs%2BkMara1kIJ6q7pwqrCHlbZc4sbQIpLm8P%2Fh0%3D&reserved=0>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.

Exception: When the cognitive function test is to recognize objects, or content the user provided to the website.
Note: Objects and content for the exception may be represented by images, text, video, or audio.

Note: Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.

Proposed 3.3.7 Accessible Authentication with all changes
For each step in an authentication process that relies on a cognitive function test<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8DT3aEs%2BkMara1kIJ6q7pwqrCHlbZc4sbQIpLm8P%2Fh0%3D&reserved=0> (such as remembering a password or solving a puzzle), at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.

Exception: The cognitive function test asks the user to recognize objects, or to recognize non-text content that the user provided to the website.

Note: Objects and content for the exception may be represented by images, text, video, or audio.

Note: Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.

Current 3.3.8 Accessible Authentication (No Exception)
For each step in an authentication process that relies on a cognitive function test<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8DT3aEs%2BkMara1kIJ6q7pwqrCHlbZc4sbQIpLm8P%2Fh0%3D&reserved=0>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.

Proposed 3.3.8 Accessible Authentication (No Exception)
For each step in an authentication process that relies on a cognitive function test<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8DT3aEs%2BkMara1kIJ6q7pwqrCHlbZc4sbQIpLm8P%2Fh0%3D&reserved=0> (such as remembering a password or solving a puzzle), at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.


The last change would reorganize the SC . With all the changes above and the proposed reorganization the 3.3.7 would read:

A cognitive function test<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8DT3aEs%2BkMara1kIJ6q7pwqrCHlbZc4sbQIpLm8P%2Fh0%3D&reserved=0> (such as remembering a password or solving a puzzle), is not required for any step in an authentication process unless that step provides at least one of the following:

*        Alternative: Another other authentication method that does not rely on a cognitive function test.

*        Mechanism: A mechanism is available to assist the user in completing the cognitive function test.

*        Recognize objects: The cognitive function test is to recognize objects.

*        Identify own content: The cognitive function test is to identify non-text content the user provided to the website.


I believe 3.3.8 would then read:

A cognitive function test<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830151027%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8DT3aEs%2BkMara1kIJ6q7pwqrCHlbZc4sbQIpLm8P%2Fh0%3D&reserved=0> (such as remembering a password or solving a puzzle), is not required for any step in an authentication process unless that step provides at least one of the following:

*        Alternative: Another other authentication method that does not rely on a cognitive function test.

*        Mechanism: A mechanism is available to assist the user in completing the cognitive function test.


Thank you,

Rachael

From: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>
Date: Monday, August 22, 2022 at 5:12 AM
To: "WCAG list (w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>)" <w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>>
Subject: Re: Accessible authentication Updates
Resent-From: <w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>>
Resent-Date: Monday, August 22, 2022 at 5:10 AM

Hi everyone,

I don't think we've had any concerns about these updates, but I'll state them concisely here.

Firstly, some fairly editorial updates:

2. Clarify Accessible Authentication by including "remembering user names and passwords" in the SC text #2577

Most people agree with the addition, with a couple of suggestions to put it in parenthesise and include at the AAA level. PR 2609<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2609%2Ffiles&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xEyuUKRN4%2F0qSzfvDBp726WFr7e8ndns8XMPF0qRnXQ%3D&reserved=0> has been updated to reflect that.

There was a concern about the term "cognitive function test", but for want of a better alternative, they could live with it.

Does anyone object to PR 2609<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2609%2Ffiles&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xEyuUKRN4%2F0qSzfvDBp726WFr7e8ndns8XMPF0qRnXQ%3D&reserved=0> which adds: (such as remembering a password or solving a puzzle) to both versions?


3. Editorial update to accessible-auth exception #2608

Tobias made a suggestion which several people agreed with (and doesn't change the meaning), so I've updated PR 2608<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2608%2Ffiles&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BRFZe1c6Oe7tnIwv8r0U16elp2i1jOjnSzV%2F%2FXu9p8s%3D&reserved=0> to reflect that.

Any objections to that update?


New issue 2

I don't think there's a separate issue for it, but in a couple of places people have raised that: identifying content the user has provided to the website could include passwords.

To resolve this, I'm proposing we use "non-text content" in the exception, and remove 'text' from the note. This is implemented in PR 2624<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2624%2Ffiles&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=g7bWpKzFTbmI7xpMeKpytUZRAw1WmOeGnl75eUXb61w%3D&reserved=0>.

Any objections?


Then a more substantial re-structure:

New issue 1

In the thread of Issue 2592<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fissues%2F2592&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Nv7D%2Fb%2FUzSsxA6MLkxkBX1iBLUerv4pea2KLKirZGgk%3D&reserved=0> EricE proposed to re-structure the SC text so it uses bullet-points for the exceptions AND the alternative  & mechanism aspects.

To keep it aligned with the current meaning I suggested it use a structure more like the alt-text SC:
https://github.com/w3c/wcag/issues/2592#issuecomment-1217758169<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fissues%2F2592%23issuecomment-1217758169&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FiIRPLBZfxYOhunTaCphXKRb042mvQloRcv8eKMoyB8%3D&reserved=0>

The question at this point is: Do people think that improves the SC and no-one would object?

If anyone objects, we'll shut-down that approach now rather than take time on it but I couldn't see a problem with it.

Kind regards,

-Alastair

--

@alastc / www.nomensa.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nomensa.com%2F&data=05%7C01%7Cead%40ecs.soton.ac.uk%7Cc6eea680c87d4adc5a1808da8517a3eb%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637968633830307254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=krdW0diQ65hhALyc69TFzQ5LvbLJ1UHqwEVNJ5l79L4%3D&reserved=0>

Received on Tuesday, 23 August 2022 17:31:32 UTC