RE: Accessible authentication Updates

Hi Gregg, we already have a note on that – but perhaps it could be clarified:
Current note:
Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.

From: Gregg Vanderheiden <>
Sent: Monday, August 22, 2022 11:53 AM
To: Alastair Campbell <>
Cc: w3c-waI-gl@w3.org <>
Subject: Re: Accessible authentication Updates

No objection — but we should include a note that "allowing passwords to be pasted in - does not require that the person remember a password" or some other wording that
a) does not sound like we just suddenly are not allowing any passwords to be used on the web (that will create a quick firestorm) and
b) stops the practice of blocking the pasting of passwords into a field (thus requiring a heavy cognitive memory task that can be very difficult for many really good strong passwords)

Gregg Vanderheiden

On Aug 22, 2022, at 2:09 AM, Alastair Campbell wrote:

Hi everyone,

I don’t think we’ve had any concerns about these updates, but I’ll state them concisely here.

Firstly, some fairly editorial updates:

2. Clarify Accessible Authentication by including "remembering user names and passwords" in the SC text #2577

Most people agree with the addition, with a couple of suggestions to put it in parentheses and include at the AAA level. PR 2609 has been updated to reflect that.

There was a concern about the term “cognitive function test”, but for want of a better alternative, they could live with it.

Does anyone object to PR 2609 which adds: (such as remembering a password or solving a puzzle) to both versions?

3. Editorial update to accessible-auth exception #2608

Tobias made a suggestion which several people agreed with (and doesn’t change the meaning), so I’ve updated PR 2608 to reflect that.

Any objections to that update?

New issue 2

I don’t think there’s a separate issue for it, but in a couple of places people have raised that: identifying content the user has provided to the website could include passwords.

To resolve this, I’m proposing we use “non-text content” in the exception, and remove ‘text’ from the note. This is implemented in PR 2624.

Any objections?

Then a more substantial re-structure:

New issue 1

In the thread of Issue 2592 EricE proposed to re-structure the SC text so it uses bullet-points for the exceptions AND the alternative & mechanism aspects.

To keep it aligned with the current meaning I suggested it use a structure more like the alt-text SC:

The question at this point is: Do people think that improves the SC and no-one would object?

If anyone objects, we’ll shut down that approach now rather than take time on it, but I couldn’t see a problem with it.

Kind regards,



@alastc /<>

Received on Monday, 22 August 2022 16:00:50 UTC