Clarify exception in Accessible Authentication #2592

Closed
awkawk opened this issue Aug 11, 2022 · 23 comments · Fixed by #2608
Labels
3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) Survey - Added WCAG 2.2

Comments

@awkawk
Member

awkawk commented Aug 11, 2022

The exception in SC 3.3.7 Accessible Authentication has a small structural problem. First off, it isn't written as a grammatically correct sentence, which is unlike other exceptions that aren't bulleted lists. Second, the comma sets the two halves apart from each other and suggests that they are not related.

Current:
Exception: When the cognitive function test is to recognize objects, or content the user provided to the website.

So this could be understood as:

  • When the cognitive function test is to recognize objects
  • When the cognitive function test is to recognize content the user provided to the website.

The first bullet would be an issue if we are trying to avoid "click all of the images containing stop signs" type challenges. The understanding document indicates that this would be a cognitive function test, so the grammar of the exception potentially allows all of those again.

The second bullet is now ok (still not a sentence) in that it is exempting content that the user provided which will be familiar.

Trying to reconcile these, I am asking myself, "what is an object that a user provides to a web site?" I can't come up with anything - do we need that part? Can someone clarify why?

Here's my suggested rewording:
Exception: The cognitive function tests ask the user to recognize content that the user provided to the website.

Thoughts? Am I missing something?

@awkawk awkawk added the 3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) label Aug 11, 2022
@awkawk
Member Author

awkawk commented Aug 11, 2022

@lseeman can you take a look at this?

@yatil
Contributor

yatil commented Aug 12, 2022

I stumbled over this yesterday, too. I read it as “objects or content provided to the website” which makes little sense.

If you want to allow CAPTCHAs where you identify “objects”, I think this needs a sensible normative definition of objects. “Select Stop signs” might be acceptable, but what if the question is “sort beans from lentils”? It needs a lot more knowledge.

I also wonder if the “provide content to the website” is useful at all from a security perspective? When I log in using my email and then pick, from a set of images, the one that I have uploaded, that makes logging in somewhat guessable. If you have ten items presented, and one is the one you uploaded, you have a 10% chance of impersonating a user. That's bad. Also would that really help someone, for example, with memory loss?

I support fully @awkawk’s suggestion to be much more explicit with the exception and using a bullet for every exception.
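
An added example to put numbers on the guessability point made above (this is the editor's illustration, not code from the WCAG repository or from any commenter). It models a "pick the image you uploaded" step: an attacker who knows the username and nothing else guesses blindly among N candidates. The number of rounds, the attempt limit before lockout, and whether candidates are reshuffled between attempts are assumed parameters, included to show how each one moves the attacker's odds.

```python
"""Attacker success odds for a recognition-based authentication step.

Assumptions (not from the thread): the attacker has the username, no other
knowledge, and each round presents `options` candidates of which exactly
one is the user's own content.
"""
import math
from fractions import Fraction


def single_attempt_success(options: int, rounds: int = 1) -> Fraction:
    """Probability that blind guessing passes `rounds` independent 1-of-`options` picks."""
    if options < 2 or rounds < 1:
        raise ValueError("need at least two options and one round")
    return Fraction(1, options) ** rounds


def success_within_attempts(options: int, attempts: int, rounds: int = 1) -> Fraction:
    """Probability of passing at least once in `attempts` tries before lockout.

    Assumes the candidate set is reshuffled on every attempt, so tries are
    independent: P(at least one success) = 1 - (1 - p) ** attempts.
    """
    if attempts < 1:
        raise ValueError("need at least one attempt")
    p = single_attempt_success(options, rounds)
    return 1 - (1 - p) ** attempts


def success_without_reshuffle(options: int, attempts: int) -> Fraction:
    """Same as above, but the site shows the SAME candidate set each time.

    A rational attacker never repeats a guess, so each failure eliminates one
    candidate (sampling without replacement): P = attempts / options.
    """
    if options < 2 or attempts < 1:
        raise ValueError("need at least two options and one attempt")
    return Fraction(min(attempts, options), options)


def equivalent_bits(p: Fraction) -> float:
    """Express a per-attempt success probability as an equivalent secret size in bits."""
    return -math.log2(float(p))


def scenarios() -> list[dict]:
    """Constructed comparison cases; the 1-of-10 and 1-of-5 sizes are the ones
    mentioned in the thread, the rest are assumptions for contrast."""
    rows = []
    for label, options, rounds, attempts in [
        ("1 of 10 images, 1 round", 10, 1, 5),
        ("1 of 5 images, 1 round", 5, 1, 5),
        ("1 of 10 images, 3 rounds", 10, 3, 5),
        ("4-digit PIN, for comparison", 10_000, 1, 5),
    ]:
        per_try = single_attempt_success(options, rounds)
        rows.append({
            "case": label,
            "per_attempt": float(per_try),
            "bits": round(equivalent_bits(per_try), 2),
            "within_5_reshuffled": float(success_within_attempts(options, attempts, rounds)),
            "within_5_fixed_set": float(success_without_reshuffle(options ** rounds, attempts)),
        })
    return rows


if __name__ == "__main__":
    for row in scenarios():
        print(f"{row['case']:32s} per attempt {row['per_attempt']:.4%}"
              f"  (~{row['bits']} bits)  5 tries: {row['within_5_reshuffled']:.2%} reshuffled,"
              f" {row['within_5_fixed_set']:.2%} fixed set")
```

The takeaway matches the comment: a single 1-of-10 pick is worth about 3.3 bits, and a lockout after five attempts still leaves a 41% (reshuffled) to 50% (fixed set) chance for someone who merely knows the email address. Chaining rounds helps (three rounds of ten is roughly a three-digit PIN), but only if the rounds are independent and the candidate set is not reused.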

@alastc
Contributor

alastc commented Aug 12, 2022

The first bullet would be an issue if we are trying to avoid "click all of the images containing stop signs" type challenges. The understanding document indicates that this would be a cognitive function test, so the grammar of the exception potentially allows all of those again.

That is the intent of the exception. Those types of captchas are used to prevent abuse by bots and I don't think we can completely ban those.

I am asking myself, "what is an object that a user provides to a web site?" I can't come up with anything

We've come across logins where they ask you to select the picture you uploaded, presented amongst 4 other pictures. Recognising something you provided didn't seem like a CFT on the scale of transcribing random numbers.

I think your initial read was correct.

@awkawk
Member Author

awkawk commented Aug 12, 2022

The first bullet would be an issue if we are trying to avoid "click all of the images containing stop signs" type challenges. The understanding document indicates that this would be a cognitive function test, so the grammar of the exception potentially allows all of those again.

That is the intent of the exception. Those types of captchas are used to prevent abuse by bots and I don't think we can completely ban those.

Ah, I see, so that is what this line in the Understanding document means: "Recognizing objects, or a picture the user has provided is a cognitive function test, however, it is excepted at the AA level."

If that is the case then I think that the fix is simple:
Exception: When the cognitive function test is to recognize objects, or content the user provided to the website.
changes to:
Exception: The cognitive function tests ask the user to recognize content that the user provided to the website or to recognize common objects. (or similar)

@bruce-usab
Contributor

bruce-usab commented Aug 12, 2022

@awkawk — I like where you are going with the exception, but please write a stand-alone sentence similar to the pattern used by other 2.1/2.2 exceptions. Maybe:

Exception: Cognitive function tests can conform by asking the user to recognize common objects or content which the user provided to the website.

@awkawk
Member Author

awkawk commented Aug 12, 2022

@bruce-usab I was looking at other exceptions:

  • Exception: The visual presentation of the additional content is controlled by the user agent and is not modified by the author.
  • Exception: Human languages and scripts that do not make use of one or more of these text style properties in written text can conform using only the properties that exist for that combination of language and script.
  • Exception: Flashing that is a fine, balanced, pattern such as white noise or an alternating checkerboard pattern with "squares" smaller than 0.1 degree (of visual field at typical viewing distance) on a side does not violate the thresholds.

I think that we want to clarify that certain types of cognitive function tests are ok, so I was using the first bullet example above as the model but don't really care. I think that your text suggests a way for CFTs to conform but that feels different than saying certain CFTs are exempted.

@alastc
Contributor

alastc commented Aug 12, 2022

what this line in the Understanding document means: "Recognizing objects, or a picture the user has provided is a cognitive function test, however, it is excepted at the AA level."

That's left over from before we separated the AA & AAA versions.

I'll create a PR from your suggestion above.

@bruce-usab
Contributor

bruce-usab commented Aug 12, 2022

@awkawk — you are correct to note that 2.1 SC 1.4.13 does not follow the pattern of the other two.

Exception: The visual presentation of the additional content is controlled by the user agent and is not modified by the author.

So I am hardly in a position now to complain about 2.2 SC 3.3.7 and its use of Exception:

@yatil
Contributor

yatil commented Aug 12, 2022

What about something like this:

Each step in an authentication process that relies on a cognitive function test provides either:

  1. One or more other authentication methods which do not rely on a cognitive function test, or
  2. A mechanism that assists the user in completing the cognitive function test, or
  3. A cognitive function test that relies on distinguishing real world objects, or
  4. A cognitive function test that uses content provided by the user themself.

This would allow ordering the exceptions by preference. And the “no exception” version would work without points 3 and 4.

@abijames

What about something like this:

  1. A cognitive function test that uses content provided by the user themself.

This would allow to order the exceptions by preference. And the “no exception” version would work without

This wording would allow sites to use tests based on content provided by the user (e.g. letters within a word they provided) rather than allowing users to recognise the content provided by the user. So this would lead to widening the exception in a way that was not intended.

@yatil
Contributor

yatil commented Aug 15, 2022

What about:

  1. A cognitive function test where the user identifies content provided by themself.

@yatil
Contributor

yatil commented Aug 16, 2022

I'll try to simplify the language a little more:

Cognitive function tests are not used in any step during an authentication process, unless one or more of the following are provided:

  1. An authentication method which does not rely on a cognitive function test.
  2. A mechanism that assists the user in completing any cognitive function tests.
  3. Cognitive function tests rely only on distinguishing real world objects.
  4. Cognitive function tests where the user identifies content provided by themself.

@alastc
Contributor

alastc commented Aug 16, 2022

I may be used to the usual way of structuring SCs, but I find that takes longer to parse mentally. It also means a CFT can be used in a step, not all steps (if you follow the logic through).

@yatil
Contributor

yatil commented Aug 16, 2022

I did restructure the sentences a couple of times, and you're right, that was unintentional.

Cognitive function tests are not used in any step during an authentication process, unless each test provides one or more of the following:

  1. An authentication method which does not rely on a cognitive function test.
  2. A mechanism that assists the user in completing any cognitive function tests.
  3. Cognitive function tests rely only on distinguishing real world objects.
  4. Cognitive function tests where the user identifies content provided by themself.

(English not being my first language makes this sometimes hard, because there is so much in the nuances of WCAG. I am sure a professional writer could find way better ways to say this.)

@GreggVan

GreggVan commented Aug 16, 2022 via email

@bruce-usab
Contributor

@yatil in your numbered list, I think (3) and (4) need to be exceptions, not parallel to the good choices.

I am also not sure about (1) because it seems of the form: If you do x then do not do x.

@yatil
Contributor

yatil commented Aug 17, 2022

@GreggVan

One sticky bit. An oscilloscope is a real world object. As is an Otoscope

So "real world" is objective but maybe not what we mean.

However, "Common objects" is a problem too. What is common in one country, or culture, or SES, may not be in another….

Does anyone have a good / better adjective than "real world"?

Yes, I think that term needs a definition. (Or a different term that is clearer, but I'm lost there.)

@bruce-usab

@yatil in your numbered list, I think (3) and (4) need to be exceptions, not parallel to the good choices.

I think all four are bad choices, to be honest. The only good choice is to not have a cognitive function test. And for conformance, it is irrelevant if you meet the success criterion with a good or a bad choice. Understanding can clarify what is the best practice here.

I find exceptions generally annoying as they usually feel like afterthoughts. "Do x but if you do y, nevermind, forget what I said."

I am also not sure about (1) because it seems of the form: If you do x then do not do x.

Happy for suggestions, but I am unsure how to say "if there is an authentication method with a cognitive function test, provide a way to authenticate without one" otherwise.

@alastc
Contributor

alastc commented Aug 17, 2022

Yes, I think that term needs a definition. (Or a different term that is clearer, but I'm lost there.)

We went around the houses on X/Y/Z objects, and the best option all around was just to keep it as a broad "objects" without qualifier. (Best in this case means accepted by the COGA TF and testers.)

If we re-structured it without bumping into issues we've already been through, I think it would need to be something like:

A cognitive function test is not required for any step in an authentication process unless that step provides at least one of:

Alternative:
Another authentication method that does not rely on a cognitive function test.
Mechanism:
A mechanism is available to assist the user in completing the cognitive function test.
Recognise objects:
The cognitive function test is to recognize objects.
Identify own content:
The cognitive function test is to identify non-text content the user provided to the website.

(My only addition is the "non-text content" in the last bit to eliminate confusion about passwords.)

Having done that mental exercise, I tend to agree with Bruce: Even if they are all "bad" options, the first two were much more acceptable to those affected, and it helps to convey that difference.

@yatil
Contributor

yatil commented Aug 17, 2022

Yes, I think that term needs a definition. (Or a different term that is clearer, but I'm lost there.)

We went around the houses on X/Y/Z objects, and the best option all around was just to keep it as a broad "objects" without qualifier. (Best in this case means accepted by the COGA TF and testers.)

That does not really clarify what an “object” is. Is a pedestrian crossing an object? Is a letter? Is a letter an object if it is cast into metal? I think “object” is far too vague.

If we re-structured it without bumping into issues we've already been through, I think it would need to be something like:

A cognitive function test is not required for any step in an authentication process unless that step provides at least one of:
Alternative:
Another authentication method that does not rely on a cognitive function test.
Mechanism:
A mechanism is available to assist the user in completing the cognitive function test.
Recognise objects:
The cognitive function test is to recognize objects.
Identify own content:
The cognitive function test is to identify non-text content the user provided to the website.

(My only addition is the "non-text content" in the last bit to eliminate confusion about passwords.)

I generally like that direction. Maybe change the second summary point to ”Assistance”.

Having done that mental exercise, I tend to agree with Bruce: Even if they are all "bad" options, the first two were much more acceptable to those affected, and it helps to convey that difference.

I mean, that the two options are unavailable in AAA makes that point. If we really want to discourage them, this should be a Level A criterion and the stronger point as a AA criterion.

@alastc
Contributor

alastc commented Aug 17, 2022

I think “object” is far too vague.

Vague / broad, that's ok in this case I think. The dictionary definition is "a material thing that can be seen and touched." So an image would represent it on screen, but it implies a real-world thing rather than text.

I've asked on list if anyone objects to this approach, given we're tight on time I don't want to spend time on this if it won't go anywhere.

@bruce-usab
Contributor

bruce-usab commented Aug 17, 2022

Taking a try at 3.3.7:

A cognitive function test is not required for any step in an authentication process unless a mechanism is available to assist the user in completing the cognitive function test.

Exceptions: A cognitive function test may be required as a step in an authentication process when either:

  1. The cognitive function test is to recognize objects; or
  2. The cognitive function test is to identify non-text content the user provided to the website.

I am not understanding the need for an alternative authentication method -- since that follows immediately from "is not required".

This formulation allows 3.3.8 AAA No Exception version to remain as-is or it could be:

A cognitive function test is not required for any step in an authentication process unless a mechanism is available to assist the user in completing the cognitive function test.

@alastc
Contributor

alastc commented Aug 17, 2022

I am not understanding the need for an alternative authentication method -- since that follows immediately from "is not required".

True, I think the formulation came from how things normally are: The default auth methods rely on password / transcription, and you have to select an alternative. It helps bridge from what people know to what is being required here.

So this formulation looks simpler, I'm not sure if it would be in practice. I don't know, I'm interested in others thoughts.

@patrickhlauke
Member

patrickhlauke commented Mar 20, 2023

Revisiting this old issue, but as I've been working on some more paraphrased/expanded versions of this SC for internal documentation, I've found myself wondering why object recognition and personal content are not treated/split out as exceptions, as that's what they effectively are?

So something along the lines of

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:

Alternative: Another authentication method that does not rely on a cognitive function test.
Mechanism: A mechanism is available to assist the user in completing the cognitive function test.

Except when the cognitive function test relates to:

Object Recognition: The cognitive function test is to recognize objects, or
Personal Content: The cognitive function test is to identify non-text content the user provided to the website

or is there a particular nuance I'm missing here with this particular arrangement? To me, it makes it slightly easier to grok, but perhaps I'm in the minority...

7 participants