WCAG 2.0 Understanding Page

Intent

The intent of this success criterion is to ensure that, that users do not encounter a barrier that prevents them from accessing content that they could otherwise use.

Most user interfaces are designed to help users complete tasks. However, traditionally, web security and privacy technologies intentionally introduce barriers to task completion. They require users to perceive more and to do more to complete tasks.

Web security and privacy technologies often block people with cognitive and/or physical disabilities who may not be able to:

discern text they are required to enter and submit;
recall text or instructions they have seen or heard;
follow multi-step procedures.

The scope of the problem is vast because, for examples, people with disabilities:

are prevented from purchasing goods and registering for services on the millions of websites that employ web security and privacy technologies;
may circumvent web security and privacy technologies with insecure techniques/methods;
may become so frustrated working through web security and privacy technologies that they relinquish their efforts, and thereby are thwarted from purchasing goods and registering for services;
may be unable to become accustomed to a web security and privacy technology because there are multiple versions of it across websites.
may be afraid to trust a web site, thus causing them to cancel a transaction.

Many user authentication methods rely upon trying to differentiate between a human, and software (bots) that try to pose as a human. The most common way of trying to make this distinction is by the setting of tasks that rely upon human abilities, and that are almost impossible for software (bots) to perform. These methods can frequently be quite challenging for people who have a high level of cognitive ability. For people who have a disability or cognitive disability such as dementia, an authentication task often presents an insurmountable barrier.

Benefits

The benefit of this success criteria is it allows people with cognitive and learning disabilities to use many important sites. Long changing passwords and other difficult authentication procedures prevent many people from using critical services. For example, people cannot make doctors appointments by themselves and often put off making a doctor appointment as not to be a burden to other people.. This may be partly responsible for the reduced life expectancy of people with learning and cognitive disabilities.

With this success criterion, people who are able to use a primary user authentication method will be able to successfully complete a user authentication procedure almost irrespective of the level of their cognitive abilities. Those who have to use an alternative method will be able to successfully complete a user authentication even though they have limited levels of the cognitive abilities specified in the success criterion.

Examples

As a user who has memory impairments and often forgets passwords, I need to be able to use a site, without remembering or copying passwords and usernames, so that I can use this service.
As a user who has impairments, I need to be able to use a site without being required to copy items in the correct sequence.
As a user who has weak executive function, I need the login process to be simple, and not multi-step, so that I can use it.
As a symbol user, I need a login process I can use.

Techniques

Sufficient

Allowing the user to reset a password by pressing a link sent to them in an SMS or email.sms, which brings the user to a page that displays either the:
- current username and/or password; OR
- suggested new username and/or password; OR
- opportunity to create a new username and/or password
Compiling to https://www.w3.org/TR/webauthn/ and allowing one component method such as biometrics or tokens (Possibly reword this to be more clear)
Automatic user authentication based upon the use of a trusted device (to which the user has already logged in with their own identity);
Security tokens, some of which are hardware devices, can be used to make authentication easier. Security tokens are used instead of, or in addition to, other forms of authentication such as passwords. Security-token hardware devices:
- include key fobs, rings, or small keypads;
- can store and/or generate a digital signature, a PIN, or biometric data;
- can transmit such data via a USB connector, RFID, Bluetooth wireless, or NFC.
biometrics;
being already logged in to third-party authentication services (e.g., OAuth, Facebook, etc.).
Fast IDentity Online (FIDO), password-free standards for typical and two-factor authentication.
- FIDO relies upon user authentication based upon a user's device (e.g., phone, tablet, computer).
- A user's device registers the user, to a server, via a public key.
- Upon a challenge from the server, the user's device responds with a private key.
- The device's keys are unlocked by the user biometrically (e.g., fingerprint scanner) or by a button press, not by a password.

Understanding Accessible Authentication

Intent

Benefits

Examples

Resources

Techniques

Sufficient