Re: [EXT] Re: Accessible authentication Updates from Jennifer Strickland on 2022-08-23 (w3c-wai-gl@w3.org from July to September 2022)

From: Jennifer Strickland <jstrickland@mitre.org>
Date: Tue, 23 Aug 2022 12:56:50 +0000
To: Rain Michaels <rainb@google.com>, Gregg Vanderheiden RTF <gregg@raisingthefloor.org>
CC: Jonathan Avila <jon.avila@levelaccess.com>, "w3c-waI-gl@w3. org" <w3c-wai-gl@w3.org>
Message-ID: <SA0PR09MB7002FA4EAD0A8F2DB8F49260B0709@SA0PR09MB7002.namprd09.prod.outlook.com>
Agree with the recommendations here, and with the “cognitive function test” point.

Love Rain’s bullets.

A bit of wordsmithing to improve readability… I’m worried memorization may be unfamiliar — as it is considered at the Post-graduate level. In order for our guidelines to meet WCAG Level AAA 3.1.5<https://www.w3.org/WAI/WCAG22/Understanding/reading-level.html> — without having to provide supplemental content, we could copy-edit a bit.

The full text was Grade 12. This rewrite is Grade 8:

  *   support for password entry by password managers to reduce memory need, and
  *   copy and paste to reduce the cognitive burden of re-typing.

For Reference
Success Criterion 3.1.5 Reading Level<https://www.w3.org/TR/WCAG22/#reading-level> (Level AAA): When text requires reading ability more advanced than the lower secondary education level<https://www.w3.org/WAI/WCAG22/Understanding/reading-level.html#dfn-lower-secondary-education-level> after removal of proper names and titles, supplemental content<https://www.w3.org/WAI/WCAG22/Understanding/reading-level.html#dfn-supplemental-content>, or a version that does not require reading ability more advanced than the lower secondary education level, is available.

From: Rain Michaels <rainb@google.com>
Date: Tuesday, August 23, 2022 at 6:25 AM
To: Gregg Vanderheiden RTF <gregg@raisingthefloor.org>
Cc: Jonathan Avila <jon.avila@levelaccess.com>, w3c-waI-gl@w3. org <w3c-wai-gl@w3.org>
Subject: [EXT] Re: Accessible authentication Updates
I really like Gregg's suggestion to add clarity with "that satisfy this SC."

I also agree with his point that "cognitive function test" is an awkward (and complicated!) way to describe what these are. They aren't actually testing cognitive function, but instead requiring cognitive function skills to test the user's authenticity.

I can live with not changing this much now, given the goals and scope of this effort. If, however, we think it's worth addressing, here is an attempted rewrite (put into list form to help me visually process):
Examples of mechanisms that satisfy this SC include:

  1.  support for password entry by password managers to minimize requiring memorization abilities, and
  2.  copy and paste to minimize the cognitive burden of transcription.



On Mon, Aug 22, 2022 at 6:57 PM Gregg Vanderheiden RTF <gregg@raisingthefloor.org<mailto:gregg@raisingthefloor.org>> wrote:
Nice. Covers it well.

We might just add  context in the lead in  (shown in bold)  to make it stand by itself a bit better.   Just editorial though.  And it can be tweaked for accuracy.

Current note:
Examples of mechanisms that satisfy this SC include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.


However I do wish we could stop using "cognitive function test" for things that are not tests of cognitive function - but rather things that are just functions that require cognitive burden or memory.     It bends my brain to call copying a password into the field as being a ’test of cognitive function’.      But as I said - if we can’t think of a better term - I can live with it.

Best

Gregg Vanderheiden
gregg@vanderheiden.us<mailto:gregg@vanderheiden.us>




On Aug 22, 2022, at 9:00 AM, Jonathan Avila <jon.avila@levelaccess.com<mailto:jon.avila@levelaccess.com>> wrote:

Hi Gregg, we already have a note on that – but perhaps it could be clarified:
Current note:
Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address the transcription cognitive function test.

Jonathan
From: Gregg Vanderheiden <gregg@vanderheiden.us<mailto:gregg@vanderheiden.us>>
Sent: Monday, August 22, 2022 11:53 AM
To: Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>
Cc: w3c-waI-gl@w3. org <w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>>
Subject: Re: Accessible authentication Updates

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

No objection — but we should include a note that "allowing passwords to be pasted in - does not require that the person remember a password"    or some other wording that
a) does not sound like we just suddenly are not allowing any passwords to be use on the web (that will create a quick firestorm) and
b) stops the practice of blocking the pasting of passwords into a field (thus requiring a heavy cognitive memory task that can be very difficult for many really good strong passwords)




Gregg Vanderheiden
gregg@vanderheiden.us<mailto:gregg@vanderheiden.us>



On Aug 22, 2022, at 2:09 AM, Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>> wrote:

Hi everyone,

I don’t think we’ve had any concerns about these updates, but I’ll state them concisely here.

Firstly, some fairly editorial updates:

2. Clarify Accessible Authentication by including "remembering user names and passwords" in the SC text #2577

Most people agree with the addition, with a couple of suggestions to put it in parenthesise and include at the AAA level. PR 2609<https://github.com/w3c/wcag/pull/2609/files> has been updated to reflect that.

There was a concern about the term “cognitive function test”, but for want of a better alternative, they could live with it.

Does anyone object to PR 2609<https://github.com/w3c/wcag/pull/2609/files> which adds: (such as remembering a password or solving a puzzle) to both versions?


3. Editorial update to accessible-auth exception #2608

Tobias made a suggestion which several people agreed with (and doesn’t change the meaning), so I’ve updated PR 2608<https://github.com/w3c/wcag/pull/2608/files> to reflect that.

Any objections to that update?


New issue 2

I don’t think there’s a separate issue for it, but in a couple of places people have raised that: identifying content the user has provided to the website could include passwords.

To resolve this, I’m proposing we use “non-text content” in the exception, and remove ‘text’ from the note. This is implemented in PR 2624<https://github.com/w3c/wcag/pull/2624/files>.

Any objections?


Then a more substantial re-structure:

New issue 1

In the thread of Issue 2592<https://github.com/w3c/wcag/issues/2592> EricE proposed to re-structure the SC text so it uses bullet-points for the exceptions AND the alternative  & mechanism aspects.

To keep it aligned with the current meaning I suggested it use a structure more like the alt-text SC:
https://github.com/w3c/wcag/issues/2592#issuecomment-1217758169

The question at this point is: Do people think that improves the SC and no-one would object?

If anyone objects, we’ll shut-down that approach now rather than take time on it but I couldn’t see a problem with it.

Kind regards,

-Alastair

--

@alastc / www.nomensa.com<http://www.nomensa.com/>
Received on Tuesday, 23 August 2022 12:57:06 UTC