User Authentication Methods

User Authentication Methods: A user authentication method is offered that does not rely upon a user's ability to memorize information; recall information from memory; speak; or mentally process presented or recalled information beyond the mental processes that are required to use a simple web page.

An alternative user authentication is available for users who are unable to use the primary user authentication method, unless it can be shown that all users have access via the primary method. This alternative user authentication method does not rely upon the user's ability to do any of the following:

  • memorize character strings, including memorizing correct spellings; or
  • perform calculations, including correctly identifying and entering numbers and letters from a character string; or
  • speak; or
  • reliably produce gestures; or
  • recognize characters presented on screen, and then enter them into an input field.

Exception: A user identification method, which relies on one of the above abilities, can be the alternative method if an ability is essential to make effective use of the content accessed via the user authentication method.

Suggestion for Priority Level


Related Glossary additions or changes

A simple web page is a page with simple text; a simple search; and clearly marked links and buttons.


What Principle and Guideline the success criterion falls within.

This topic is directly related to Principle 2 "Operable", as failure to successfully overcome user authentication barriers will mean that users are unable to access and make use of underlying content.


The intent of this success criterion is to ensure that, if users are able to make use of content they are seeking, they do not encounter a barrier that prevents them from accessing it.

Most user interfaces are designed to help users complete tasks. However, traditionally, web security and privacy technologies intentionally introduce barriers to task completion. They require users to perceive more and to do more to complete tasks.

Many user authentication methods rely upon trying to differentiate between a human and software (bots) that tries to pose as a human. The most common way of trying to make this distinction is to set tasks that rely upon human abilities and that are almost impossible for software (bots) to perform. These methods can frequently be quite challenging even for people who have a high level of the relevant ability. For people who have a lower level of the relevant ability, an authentication task often presents an insurmountable barrier.

An alternative user authentication method is required for users who are temporarily or permanently unable to use the primary user-authentication method. One important example is where users would be unable to use a primary user authentication method, such as when they do not have a suitable trusted device, or if they are not subscribed to or are unable to access third-party services (often part of user authentication methods), which would meet the criteria for primary user-authentication methods.

The six abilities that are referred to in the alternative success criterion are those that are frequently employed as user authentication methods. The SC asks that at least one method be offered that does not rely upon any of these abilities.


Without this success criterion, many people cannot use an application or content at all. See the Security and Privacy Technologies issue paper for the full description of this issue, and how it stops people from using web services that are often critical. Many people cannot make doctors' appointments, etc., by themselves. This may be partly responsible for the reduced life expectancy of people with learning and cognitive disabilities.

With this success criterion, people who are able to use a primary user authentication method will be able to successfully complete a user authentication procedure almost irrespective of the level of their cognitive abilities. Those who have to use an alternative method will be able to successfully complete a user authentication even though they have limited levels of the cognitive abilities specified in the success criterion.


Related Resources

Issue papers:


See also



Test option 1: Check if one of the user authentication methods offered conforms to sufficient techniques for primary authentication below, and if there is an alternative authentication method that conforms to sufficient techniques for alternative authentication.


Test option 2: Inspection of user authentication methods offered by a web service to determine that there is one available that does not contain tasks that are dependent on a user's cognitive abilities to memorize information; recall information from memory; speak; or mentally process presented or recalled information beyond the mental processes that are required to use a simple web page; and inspection of alternative methods to determine whether they involve the human abilities specified for alternative methods.

Note: Option 1 is simple for developers to check. It is provided as an easy way to test quickly. We should identify all known conformant security mechanisms, and most developers can simply use one.

However, some developers may need a different method, or may be developing their own security. In this unusual case they will need to understand cognitive abilities and what tasks depend on the ability to memorize information; recall information from memory; speak; and mentally process information. To help them we have the issue paper and research document that explain these functions in detail.

Having these two methods allows most developers to conform easily, and allows developers pioneering new security to conform, although time and effort may be required.


Using the Web Authentication specification may enable full compliance for primary and secondary methods, but we need to confirm this when it gets to CR. A technique may be written to show how to use it in a conforming way.

Other methods of meeting the requirements for primary user authentication would include:

  1. Automatic user authentication based upon the use of a trusted device (to which the user has already logged in with their own identity);
  2. biometrics;
  3. being already logged in to third-party authentication services (e.g., OAuth, Facebook, etc.).

Methods of meeting requirements for alternative user authentication would include:

  1. Clicking a link sent to an email address or a phone number; (Note that this is easy to implement and may be useful for minimal security, such as allowing comments on a blog)
  2. Logging in by using information present in users' personal documentation, such as the total number of a current account balance, with explanation on how to find this information.
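The first alternative technique above, shown as an added example that is not part of the original proposal: a Node.js server issues a single-use, expiring sign-in link, so the user only has to click and never memorizes or transcribes a code. The function names, the `/signin/confirm` path, the 15-minute lifetime and the in-memory store are assumptions made for illustration.

```javascript
// Added example: email sign-in link (alternative authentication technique 1).
const nodeCrypto = require("node:crypto");

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime of a link
// Assumed store: SHA-256(token) -> { email, expiresAt }. Only the hash is
// kept, so a leaked copy of the store does not yield usable links.
const pending = new Map();

function hashToken(token) {
  return nodeCrypto.createHash("sha256").update(token).digest("hex");
}

// Build the URL that is e-mailed to the user. The whole secret travels in
// the link, so there is nothing to remember, read back or type in.
function issueSignInLink(email, baseUrl, now = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString("hex"); // 256-bit secret
  pending.set(hashToken(token), { email, expiresAt: now + TOKEN_TTL_MS });
  const url = new URL("/signin/confirm", baseUrl);
  url.searchParams.set("token", token);
  return url.toString();
}

// Handle the click. Returns the authenticated email address, or null when
// the link is malformed, unknown, already used, or expired.
function redeemSignInLink(link, now = Date.now()) {
  let token;
  try {
    token = new URL(link).searchParams.get("token");
  } catch {
    return null; // not a parseable URL
  }
  if (!token) return null;
  const key = hashToken(token);
  const entry = pending.get(key);
  if (!entry) return null; // forged or already redeemed
  pending.delete(key); // single use: removed even when expired
  if (now > entry.expiresAt) return null;
  return entry.email;
}
```

Because a link is consumed on first use, a mail scanner that prefetches URLs can use it up before the user clicks; the failure page should offer to send a fresh link rather than fall back to a typed code.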

Note: more techniques are anticipated.

Working group notes

We had a discussion of whether an alternative user authentication method should be included, as banks and others may find it too hard.

We concluded it was okay because they can provide an alternative, easy to use method, such as a USB key.

However, we could add an exception for the alternative user authentication, which we will need to define, for highly-sensitive data.