Understanding Accessible Authentication (Enhanced)

In brief

Goal

Make logins possible with less mental effort.

What to do

Don't make people recognize objects or user-supplied images and media to login.

Why it's important

Some people with cognitive disabilities can't do puzzles, including identifying objects and non-text information they previously supplied.

Intent of Accessible Authentication (Enhanced)

The purpose of this Success Criterion is to ensure there is an accessible, easy-to-use, and secure method to log in, access content, and undertake tasks. This criterion is the same as Accessible Authentication (Minimum) but without the exceptions for objects and user-provided content.

Any required step of the authentication process:

• cannot display a selection of images, videos, or audio clips, where users must choose which image they provided;
• cannot display a selection of images, where users must choose the images which contain a specific object, such as a car.

Benefits of Accessible Authentication (Enhanced)

The benefits of this Success Criterion are the same as Accessible Authentication (Minimum).

People with cognitive issues relating to memory, reading (for example, dyslexia), numbers (for example, dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.

Examples of Accessible Authentication (Enhanced)

The examples of this Success Criterion are very similar to the Accessible Authentication (Minimum) examples.

• A web site uses a properly marked up username (or email) and password fields as the login authentication (meeting Success Criterion 1.3.5 Input Purpose and Success Criterion 4.1.2: Name, Role, Value). The user's browser or integrated third-party password manager extension can identify the purpose of the inputs and automatically fill in the username and password.
• A web site does not block paste functionality. The user is able to use a third-party password manager to store credentials, copy them, and paste them directly into a login form.
• A web site uses WebAuthn so the user can authenticate with their device instead of username/password. The user's device could use any available modality. Common methods on laptops and phones are facial-scan, fingerprint, and PIN (Personal Identification Number). The web site is not enforcing any particular use; it is assumed a user will set up a method that suits them.
• A web site offers the ability to login with a third-party provider using the OAuth method.
• A web site that requires two-factor authentication allows for multiple options for the 2nd factor, including a USB-based method where the user simply presses a button to enter a time-based token.
• A web site that requires two-factor authentication displays a QR code which can be scanned by an app on a user's device to confirm identity.
• A web site that requires two-factor authentication sends a notification to a user's device. The user must use their device's authentication mechanism (for example, user-defined PIN, fingerprint, facial recognition) to confirm identity.

Techniques for Accessible Authentication (Enhanced)

Resources

• Cognitive Accessibility Gap Analysis Topic 1: Authentication and Safety
• Cognitive Accessibility Issue Papers 4. Web Security and Privacy Technologies and Web Security and Privacy Technologies
• Making Content Usable for People with Cogntive and Learning Disabilities 4.7.1 Provide a Login that Does Not Rely on Memory or Other Cognitive Skills
• Security and Privacy Technologies issue paper from the Cognitive Task Force.
• WebAuthN specification.
• Web Authentication API on MDN.
• WebAuthN Demo site.
• OAuth on Wikipedia.
• "Let them paste passwords", from the UK's National Cyber Security Centre