Understanding Accessible Authentication

Accessible Authentication Success Criteria text

AA

If an authentication process relies on a cognitive function test, at least one other method must also be available that does not rely on a cognitive function test.

Cognitive function test definition

A task that requires the user to remember, manipulate, or transcribe information. Examples include, but are not limited to:

memorization, such as remembering a username, password, set of characters, images or patterns;

transcription, such as typing in characters;

use of correct spelling;

performance of calculations;

solving of puzzles.

Remembering your own name, email address, or phone number is not considered a cognitive function test.

Intent of Accessible Authentication

The purpose of this success criterion is to ensure there is an accessible, easy-to-use, secure method to log in and access content. Most websites rely on usernames and passwords for logging in. Memorizing a username and password (or transcribing it manually) places a very high or impossible burden upon people with certain cognitive disabilities.

Cognitive function tests are known to be problematic for many people with cognitive disabilities. Whether it is remembering random strings of characters, a pattern gesture to perform on a touch screen, or identifying which images include a particular object, this form of test will exclude some people. When a cognitive function test is used, that at least one other authentication method must available which uses does not use a cognitive function test.

Websites can employ username (or email) and password inputs as an authentication method if it meets Success Criterion 1.3.5 Input Purpose and password managers / browser functionality is not blocked. When properly marked up, browser features or password managers can save the user’s information and refill the login.

If there is more than one step in the authentication process, such as with multi-factor authentication, all steps should comply with this success criterion. There should be a path through authentication that does not rely on cognitive function tests.

Examples of Focus Visible

A website uses a properly marked up email and password as the login authentication.
A website uses WebAuthn so the user can authenticate with their device instead of username/password. The user’s device could use any available modality. Common methods on laptops and phones are facial-scan, fingerprint, and pin number. The website is not enforcing any particular use, it is assumed a user will setup a method that suits them.
A website offers the ability to login with a 3rd party provider using the OAuth method.
A website that requires 2-factor authentication allows for multiple options for the 2nd factor, including a USB-based method where the user simply presses a button to enter a time-based token.

Techniques for Focus Visible

Sufficient Techniques for Accessible Authentication

Email link authentication
@@ Providing a properly marked up email and password inputs.
@@ Providing WebAuth as an alternative to username/password.
@@ Providing a 3rd party login using oAuth.
@@ Using two techniques provide 2 factor authentication.