- From: Rochford, John <john.rochford@umassmed.edu>
- Date: Wed, 24 Aug 2022 16:54:55 +0000
- To: Alastair Campbell <acampbell@nomensa.com>, "E.A. Draffan" <ead@ecs.soton.ac.uk>, "Bradley-Montgomery, Rachael" <rmontgomery@loc.gov>, public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
- Message-ID: <CH0PR10MB5002A1DE2E9F4581C8C4AE5E91739@CH0PR10MB5002.namprd10.prod.outlook.com>
Hi Alastair and Rachael,
Thank you both for shepherding this SC.
I agree with E.A.'s proposed change. With the following typographical exceptions, all else looks good to me.
I suggest changing the following in multiple places.
* "Alternative: Another other..." to
* "Alternative: Another method..." or to
* "Alternative: At least one other method...".
* "... at least one of the following:" to
* "... at least one of the following."
* Note the change from ":" to ".".
* Reason: The bullet points are not part of the previous sentence. They are independent sentences.
John
John Rochford
University of Massachusetts Medical School
Eunice Kennedy Shriver Center
Director, INDEX Program
Faculty, Family Medicine & Community Health
DisabilityInfo.org<www.DisabilityInfo.org>
EasyText.AI<https://easytext.ai/>
About Me<https://johnrochford.com/?promo=email_sig&utm_source=product&utm_medium=email_sig&utm_campaign=edit_panel&utm_content=plaintext>
Schedule a meeting with me.<http://bit.ly/CallJR>
Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential, proprietary, and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender immediately and destroy or permanently delete all copies of the original message.
From: Alastair Campbell <acampbell@nomensa.com>
Sent: Tuesday, August 23, 2022 1:53 PM
To: E.A. Draffan <ead@ecs.soton.ac.uk>; Bradley-Montgomery, Rachael <rmontgomery@loc.gov>; public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org>
Subject: Re: Accessible authentication Updates
Hi EA,
That's a good point, when they have labels that could be confusing. I've added "of the following" to the intro.
Thanks,
-Alastair
From: E.A. Draffan <ead@ecs.soton.ac.uk<mailto:ead@ecs.soton.ac.uk>>
Date: Tuesday, 23 August 2022 at 18:31
To: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>, Bradley-Montgomery, Rachael <rmontgomery@loc.gov<mailto:rmontgomery@loc.gov>>, public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org<mailto:public-cognitive-a11y-tf@w3.org>>
Subject: RE: Accessible authentication Updates
Thank you so much Rachael and Alastair and the explanations were very helpful but the only thing I wondered about was the sentence
"A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of:"
Is this one of the following: meaning there is a choice of one of the items in the list
OR
at least one of: meaning one alternative, one mechanism, one recognition of object and one identification of own content?
I wonder if this could be clarified.
Best wishes
E.A.
Mrs E.A. Draffan
ECS , University of Southampton
Mobile +44 (0)7976 289103
http://access.ecs.soton.ac.uk<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.outlook.soton.ac.uk%2Fowa%2Fredir.aspx%3FC%3D69b1RzNTDwem3wbm4pLRmuYfTLt16YjcghtEpZBsF5Sebx78I2DUCA..%26URL%3Dhttp%253a%252f%252faccess.ecs.soton.ac.uk%252f&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vuW%2BY8o9tfnTtsEeVHm2VAMr4vVCYPyy43H1hG7R0pQ%3D&reserved=0>
From: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>
Sent: 23 August 2022 15:55
To: Bradley-Montgomery, Rachael <rmontgomery@loc.gov<mailto:rmontgomery@loc.gov>>; public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org<mailto:public-cognitive-a11y-tf@w3.org>>
Subject: Re: Accessible authentication Updates
CAUTION: This e-mail originated outside the University of Southampton.
Hi everyone,
With all the changes, this is the latest proposed versions:
https://raw.githack.com/w3c/wcag/accessible-auth-structure/understanding/22/accessible-authentication.html<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fraw.githack.com%2Fw3c%2Fwcag%2Faccessible-auth-structure%2Funderstanding%2F22%2Faccessible-authentication.html&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4XhIDj7FrSNBAIA%2Fq%2F%2BCelLotJAydzV3Kkt1q2DyG8%3D&reserved=0>
https://raw.githack.com/w3c/wcag/accessible-auth-structure/understanding/22/accessible-authentication-no-exception.html<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fraw.githack.com%2Fw3c%2Fwcag%2Faccessible-auth-structure%2Funderstanding%2F22%2Faccessible-authentication-no-exception.html&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rTUSM7%2BbTZglYl%2Bwl5QkKvUX3cnXrEuyuj6GHaiIMJg%3D&reserved=0>
Kind regards,
-Alastair
From: Bradley-Montgomery, Rachael <rmontgomery@loc.gov<mailto:rmontgomery@loc.gov>>
Date: Monday, 22 August 2022 at 13:58
To: public-cognitive-a11y-tf <public-cognitive-a11y-tf@w3.org<mailto:public-cognitive-a11y-tf@w3.org>>
Cc: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>
Subject: FW: Accessible authentication Updates
Hello,
The list in the forwarded email (below my signature) are proposed changes to the Accessible Authenticaion SC. They are mostly editorial but I am sending to COGA to make sure there are no concerns. Please review this today or tomorrow and write back to this list and Alastair if you have concerns.
I am summarizing the first three changes (2, 3, and New Issue 2) together directly below indicated in bold green to make review easier. Hopefully Alastair will correct this if I've misrepresented anything.
Current 3.3.7 Accessible Authentication
For each step in an authentication process that relies on a cognitive function test<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Bh4QUxldY9EiLpr3qZz9LhqP1Svrw6%2Fy12D3z2frj4I%3D&reserved=0>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.
Exception: When the cognitive function test is to recognize objects, or content the user provided to the website.
Note: Objects and content for the exception may be represented by images, text, video, or audio.
Note: Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.
Proposed 3.3.7 Accessible Authentication with all changes
For each step in an authentication process that relies on a cognitive function test<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Bh4QUxldY9EiLpr3qZz9LhqP1Svrw6%2Fy12D3z2frj4I%3D&reserved=0> (such as remembering a password or solving a puzzle), at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.
Exception: The cognitive function test asks the user to recognize objects, or to recognize non-text content that the user provided to the website.
Note: Objects and content for the exception may be represented by images, text, video, or audio.
Note: Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.
Current 3.3.8 Accessible Authentication (No Exception)
For each step in an authentication process that relies on a cognitive function test<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Bh4QUxldY9EiLpr3qZz9LhqP1Svrw6%2Fy12D3z2frj4I%3D&reserved=0>, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.
Proposed 3.3.8 Accessible Authentication (No Exception)
For each step in an authentication process that relies on a cognitive function test<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Bh4QUxldY9EiLpr3qZz9LhqP1Svrw6%2Fy12D3z2frj4I%3D&reserved=0> (such as remembering a password or solving a puzzle), at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.
The last change would reorganize the SC . With all the changes above and the proposed reorganization the 3.3.7 would read:
A cognitive function test<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776658976318%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Bh4QUxldY9EiLpr3qZz9LhqP1Svrw6%2Fy12D3z2frj4I%3D&reserved=0> (such as remembering a password or solving a puzzle), is not required for any step in an authentication process unless that step provides at least one of the following:
* Alternative: Another other authentication method that does not rely on a cognitive function test.
* Mechanism: A mechanism is available to assist the user in completing the cognitive function test.
* Recognize objects: The cognitive function test is to recognize objects.
* Identify own content: The cognitive function test is to identify non-text content the user provided to the website.
I believe 3.3.8 would then read:
A cognitive function test<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23dfn-cognitive-function-test&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ziYVWHUWDja1T4kQT2lNUdGU2Unps810TRYjklHMqVE%3D&reserved=0> (such as remembering a password or solving a puzzle), is not required for any step in an authentication process unless that step provides at least one of the following:
* Alternative: Another other authentication method that does not rely on a cognitive function test.
* Mechanism: A mechanism is available to assist the user in completing the cognitive function test.
Thank you,
Rachael
From: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>
Date: Monday, August 22, 2022 at 5:12 AM
To: "WCAG list (w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>)" <w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>>
Subject: Re: Accessible authentication Updates
Resent-From: <w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>>
Resent-Date: Monday, August 22, 2022 at 5:10 AM
Hi everyone,
I don't think we've had any concerns about these updates, but I'll state them concisely here.
Firstly, some fairly editorial updates:
2. Clarify Accessible Authentication by including "remembering user names and passwords" in the SC text #2577
Most people agree with the addition, with a couple of suggestions to put it in parenthesise and include at the AAA level. PR 2609<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2609%2Ffiles&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=W8DnnewOGN24eW%2FOewTzOzRVpoPOahyq2pyIS7mM3fk%3D&reserved=0> has been updated to reflect that.
There was a concern about the term "cognitive function test", but for want of a better alternative, they could live with it.
Does anyone object to PR 2609<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2609%2Ffiles&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=W8DnnewOGN24eW%2FOewTzOzRVpoPOahyq2pyIS7mM3fk%3D&reserved=0> which adds: (such as remembering a password or solving a puzzle) to both versions?
3. Editorial update to accessible-auth exception #2608
Tobias made a suggestion which several people agreed with (and doesn't change the meaning), so I've updated PR 2608<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2608%2Ffiles&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pu2lQgk4nUc197XNC8AzNprA9EyreQN8LRvH6P%2BjZWE%3D&reserved=0> to reflect that.
Any objections to that update?
New issue 2
I don't think there's a separate issue for it, but in a couple of places people have raised that: identifying content the user has provided to the website could include passwords.
To resolve this, I'm proposing we use "non-text content" in the exception, and remove 'text' from the note. This is implemented in PR 2624<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fpull%2F2624%2Ffiles&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gwzrOBKXPAJpBWZoTnXuQDlmRJH9eaBkCqLiCOVjQEg%3D&reserved=0>.
Any objections?
Then a more substantial re-structure:
New issue 1
In the thread of Issue 2592<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fissues%2F2592&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NnAIKhz8jvnhRpfvgdQmqRfIDBvadX%2BpuX4%2B9cBcZmk%3D&reserved=0> EricE proposed to re-structure the SC text so it uses bullet-points for the exceptions AND the alternative & mechanism aspects.
To keep it aligned with the current meaning I suggested it use a structure more like the alt-text SC:
https://github.com/w3c/wcag/issues/2592#issuecomment-1217758169<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fwcag%2Fissues%2F2592%23issuecomment-1217758169&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DyRfKMzt%2BVuqPHBXKGgNWJB4CP4dsXYQUhsJotwylx8%3D&reserved=0>
The question at this point is: Do people think that improves the SC and no-one would object?
If anyone objects, we'll shut-down that approach now rather than take time on it but I couldn't see a problem with it.
Kind regards,
-Alastair
--
@alastc / www.nomensa.com<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nomensa.com%2F&data=05%7C01%7Cjohn.rochford%40umassmed.edu%7Cef2a6d296aee492dbbb008da8538e4c6%7Cee9155fe2da34378a6c44405faf57b2e%7C0%7C0%7C637968776659132532%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FAbP9tnPLwJoYOk%2Fwk5Y6dc7I3IAbItfkld%2B9%2FQazkc%3D&reserved=0>
Received on Wednesday, 24 August 2022 16:55:13 UTC