Re: Accessible authentication Updates

Hi Rain,

I’m not following something, you seem to be agreeing with the premise but proposing something less effective?

The proposal (in PR 2624<>) would restrict the recognition to not-text content, e.g. images/video (which then have to pass things like text alternatives).

If we add “responses to personal history questions” to the exception that means sites are allowed to use those at the AA level.

Is that what you intended?

Kind regards,


From: Rain Michaels <>
Date: Wednesday, 17 August 2022 at 13:03
To: Alastair Campbell <>
Cc: WCAG list ( <>
Subject: Re: Accessible authentication Updates
+1 to everything except -1 to the last one, "New issue 2."

Security questions, such as "make and model of your first car," "where you met your spouse," "name of your first pet," etc., often ask for text-based responses. These can also become cognitive function tests in the same way that user-supplied images might be.

Suggestion to fix:

Instead of:

Exception: When the cognitive function test is to recognize objects, or content the user provided to the website.
Objects and content for the exception may be represented by images, text, video or audio.

Perhaps something like:

Exception: When the cognitive function test is to recognize objects, or non-passwordcontent the user provided to the website.
Objects and content for the exception may be represented by images, video, audio, or responses to personal history questions.

Thank you,


On Wed, Aug 17, 2022 at 7:42 AM Alastair Campbell <<>> wrote:
Hi everyone,

I separated these off as they form a topic.

From the survey<> we had two Accessible Authentication questions to get agreement on, and two new ones:

2. Clarify Accessible Authentication by including "remembering user names and passwords" in the SC text #2577

Most people agree with the addition, with a couple of suggestions to put it in parenthesise and include at the AAA level. PR 2609<> has been updated to reflect that.

Several people thought that the definition covered this and the update was not needed.

I’d point out that one response appears to have misunderstood the SC and didn’t think passwords would be covered, which actually helped to highlight that the update is needed.

Also, we do just the same thing in 4.1.2 where there is a definition, then parenthesise with examples of what is covered.

Does anyone object to PR 2609 which adds: (such as remembering a password or solving a puzzle) to both versions?

3. Editorial update to accessible-auth exception #2608

Tobias made a suggestion which several people agreed with (and doesn’t change the meaning), so I’ve updated PR 2608<> to reflect that.

I also switched it from “The cognitive function tests ask” to “The cognitive function test asks”, as the CFT is singular in the rest of the SC.

Any objections to that update?

New issue 1

In the thread of Issue 2592<> EricE proposed to re-structure the SC text so it uses bullet-points for the exceptions AND the alternative  & mechanism aspects.

To keep it aligned with the current meaning I suggested it use a structure more like the alt-text SC:

The question at this point is: Do people think that improves the SC and no-one would object?

If anyone objects we’ll shut-down that approach now rather than take time on it, but I couldn’t see a problem with it.

New issue 2

I don’t think there’s a separate issue for it, but in a couple of places people have raised that: identifying content the user has provided to the website could include passwords.

The original intent for this exception was for interfaces where the user provides something like an image, and then the website shows 5 (for example) images and the user has to pick theirs. It was seen as a less difficult cognitive function test because it comes from the user. Anything text related is going to fall more heavily into memorisation part of CFTs.

To resolve this, I’m proposing we remove ‘text’ from that exception and note. This is implemented in PR 2624<>.

Any objections?

Kind regards,



@alastc /<>

Received on Wednesday, 17 August 2022 12:42:58 UTC