New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WCAG 2.2 SC - Accessible Authentication #1037
Conversation
Hi @alastc , 3 headings in the Understanding Doc refer to "Focus Visible" instead of "Accessible Authentication":
|
The understanding document focuses exclusively on login type scenarios
what about more general situations where a CAPTCHA is presented? for instance, posting a comment on a blog - and the form may include a CAPTCHA there? while some aspects of this scenario will be already covered by other SCs (e.g. 1.1.1 for those "type in the scrambled text you see here" type scenarios for instance), others won't. and while i agree (and i believe, discussed at length in the past) this type of thing is not "authentication" per se, it would be good to cover this more broadly as a requirement for cases other than logins. also noting that just the email example as a technique essentially doesn't allow two-factor authentication (as emails are not generally secure enough) |
Thanks for catching the headings & email typo.
I remember the comments, but no one has been able to come up with a useful scope. The key scenario the TF were interested in was logging in, so that was the focus. Widening it to any process could capture a lot of scenarios, and I don't think anyone has investigated what those would be. |
Hmm, from a security point of view most systems allow you to change your password via email, so I wouldn't say it is "not secure enough" as a general statement. That technique could be combined with a 2nd factor, we didn't want complicate it, but you could have a 2nd factor after the email link logs you in as a first factor. There is another technique (to do) about combining the other techniques as part of 2 factor auth. |
…g22-accessible-auth # Conflicts: # guidelines/index.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pushed a couple fixes and this is ready to go from my perspective. The technique will need an ID and reference from Understanding when it's merged.
the current wording of the normative SC could also apply to scenarios not tied to login (and in the understanding, "a task" could be posting a blog comment). basically, that an alternative is available. might need expanding from "authentication" to something more like "authentication and verification". separately, would be good to have a normative definition of "authentication process" perhaps? |
Sensitive systems (e.g. banking) do generally require a second factor. Be it an SMS sent to you with an access code (that you then have to type in/copy ... is that allowed under the wording of this SC?), using a physical card reader where you put in your bank card, or similar.
The 2nd factor would be at some point before allowing the user to change the password in the first place. The link takes you to the second challenge before letting you go an actually change the password and log in. I just want to make sure this SC doesn't (inadvertently) try to force less secure solutions |
This is the PR for the new SC, a fairly straightforward addition of:
Transferred from the draft SC Google doc and technique doc.
Preview | Diff