W3C home > Mailing lists > Public > w3c-wai-gl@w3.org > July to September 2022

RE: Accessible authentication Updates

From: Jonathan Avila <jon.avila@levelaccess.com>
Date: Mon, 22 Aug 2022 16:00:34 +0000
To: "w3c-waI-gl@w3. org" <w3c-wai-gl@w3.org>
Message-ID: <BL1PR03MB6120B48E56084B18E438A341F1719@BL1PR03MB6120.namprd03.prod.outlook.com>
Hi Gregg, we already have a note on that – but perhaps it could be clarified:
Current note:
Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.

From: Gregg Vanderheiden <gregg@vanderheiden.us>
Sent: Monday, August 22, 2022 11:53 AM
To: Alastair Campbell <acampbell@nomensa.com>
Cc: w3c-waI-gl@w3. org <w3c-wai-gl@w3.org>
Subject: Re: Accessible authentication Updates

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

No objection — but we should include a note that "allowing passwords to be pasted in - does not require that the person remember a password"    or some other wording that
a) does not sound like we just suddenly are not allowing any passwords to be use on the web (that will create a quick firestorm) and
b) stops the practice of blocking the pasting of passwords into a field (thus requiring a heavy cognitive memory task that can be very difficult for many really good strong passwords)

Gregg Vanderheiden

On Aug 22, 2022, at 2:09 AM, Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>> wrote:

Hi everyone,

I don’t think we’ve had any concerns about these updates, but I’ll state them concisely here.

Firstly, some fairly editorial updates:

2. Clarify Accessible Authentication by including "remembering user names and passwords" in the SC text #2577

Most people agree with the addition, with a couple of suggestions to put it in parenthesise and include at the AAA level. PR 2609<https://github.com/w3c/wcag/pull/2609/files> has been updated to reflect that.

There was a concern about the term “cognitive function test”, but for want of a better alternative, they could live with it.

Does anyone object to PR 2609<https://github.com/w3c/wcag/pull/2609/files> which adds: (such as remembering a password or solving a puzzle) to both versions?

3. Editorial update to accessible-auth exception #2608

Tobias made a suggestion which several people agreed with (and doesn’t change the meaning), so I’ve updated PR 2608<https://github.com/w3c/wcag/pull/2608/files> to reflect that.

Any objections to that update?

New issue 2

I don’t think there’s a separate issue for it, but in a couple of places people have raised that: identifying content the user has provided to the website could include passwords.

To resolve this, I’m proposing we use “non-text content” in the exception, and remove ‘text’ from the note. This is implemented in PR 2624<https://github.com/w3c/wcag/pull/2624/files>.

Any objections?

Then a more substantial re-structure:

New issue 1

In the thread of Issue 2592<https://github.com/w3c/wcag/issues/2592> EricE proposed to re-structure the SC text so it uses bullet-points for the exceptions AND the alternative  & mechanism aspects.

To keep it aligned with the current meaning I suggested it use a structure more like the alt-text SC:

The question at this point is: Do people think that improves the SC and no-one would object?

If anyone objects, we’ll shut-down that approach now rather than take time on it but I couldn’t see a problem with it.

Kind regards,



@alastc / www.nomensa.com<http://www.nomensa.com/>

Received on Monday, 22 August 2022 16:00:50 UTC

This archive was generated by hypermail 2.4.0 : Monday, 22 August 2022 16:00:52 UTC