Inspecting WCAG 2.2: accessible authentication
A GOV.UK Design System workshop
Welcome!
We’re recording the session today.
Feel free to take screenshots of slides, but not your fellow attendees.
GDS
This is a safe space for learning.
Please be kind, and feel free to speak openly.
Vibe check
Meeting hygiene:
Please stay on mute unless talking.
Use the ‘Raise Hand’ option in the Reactions menu during discussion times.
Find out about our GOV.UK Design System
events.
Our plan for today
All of today’s links and resources can be found in our workshop Google Doc.
Our facilitators today are:
What is WCAG 2.2?
WCAG is an acronym for:
Web Content Accessibility Guidelines
Version 2.2
Basically, it’s an expansion pack!
What are the 9 new criteria?
WCAG 2.2 is now published as a full recommendation!
The UK Government’s accessibility monitoring body will start checking services and websites against WCAG 2.2 a year after the recommendation was published.
So… October 2024!
Our team, the GOV.UK Design System, plan to update our codebase and guidance within 6 months of WCAG 2.2 being published.
So… by April 2024!
About this workshop series
This workshop series was developed for a few reasons.
Reason 1:
Some criteria in WCAG 2.2 can be complicated to test for.
Reason 2:
Service teams in the UK Government will need to do more than just update to the latest version of GOV.UK Frontend.
Reason 3:
We want to make sure we base our GOV.UK Design System updates on solid inspections and interpretations.
We’re covering 3 criteria.
Focus not obscured
Target size
Authentication
The ‘learning’ portions of the 3 workshops will be published to the Government Digital Service YouTube channel.
(...Once we clean up the captions and transcripts)
Today’s workshop will be interactive and involves:
Accessible Authentication explainer
Courtesy of the Accessibility Monitoring team
Accessible authentication (AA)
Logging in must not rely on a cognitive test.
Examples of inaccessible authentication:
Examples of accessible authentication:
It’s OK to use a less accessible method as long as an accessible alternative is provided.
There’s also a AAA version of accessible authentication where object recognition and user-provided content aren’t allowed.
The quick-check for Accessible Authentication
Courtesy of me
WCAG 2.2 Success Criteria 3.3.8 and 3.3.9
Accessible Authentication
If there’s a login process with:
…Those are clues! It may be worth taking a closer look.
The deep-dive for Accessible Authentication
Courtesy of WCAG and me
The actual text from criterion 3.3.8:
“A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process…”
There are 4 exceptions in criterion 3.3.8:
“...unless that step provides at least one of the following…”
Provide an alternative
“Another authentication method that does not rely on a cognitive function test.”
Provide an assistive mechanism
“A mechanism is available to assist the user in completing the cognitive function test.”
Use object recognition (won’t pass AAA)
“The cognitive function test is to recognize objects.”
Use personal content (won’t pass AAA)
“The cognitive function test is to identify non-text content the user provided to the Web site.”
WCAG 2.2 includes two ‘understanding’ documents for Accessible Authentication.
They explain some of the intent and other potentially helpful information for the ‘minimum’ and ‘enhanced’ success criteria.
The tragic reveal:
‘Accessible Authentication’ in WCAG is strictly limited to logins.
Just because you can apply the word ‘authentication’, that doesn’t mean WCAG 2.2 ‘Accessible Authentication’ applies.
As far as I can tell…
And correct me if I’m wrong…
It does not appear to apply in many cases.
The Accessible Authentication (minimum) understanding document says:
“Goal
Make logins possible with less mental effort.”
“What to do
Don’t make people solve, recall, or transcribe something to log in.”
“Why it's important
Some people with cognitive disabilities cannot solve puzzles, memorize a username and password, or retype one-time passcodes.”
Those 3 points pretty much sum it up.
But what does this mean?
Many non-login processes could potentially remain ‘out of scope’ and inaccessible.
It’s still worthwhile and important to make logins accessible, but what does this leave out?
Sign-up and registrations don’t count. 😞
CAPTCHAs outside of logins don’t count. 😿
IDs for ‘authentication’ don’t count. 😔
According to both the AA and AAA levels of ‘Accessible authentication’, we only need to make logins more accessible.
So we could leave it at that…
Or break the rules a bit. 😉
Let’s break the rules a bit. 🔨
Okay but also,
make logins accessible.
There are generally 4 areas where accessible authentication comes up in login processes:
1. Entering credentials into inputs
2. A legitimate human request
Some alternatives to CAPTCHA include:
3. A request from a specific human
4. Multi-factor authentication
Notes on CAPTCHA 🤖
Warning: mild spice ahead 🌶️
Both the AA and AAA levels do technically allow the use of CAPTCHAs…
…but most of the common CAPTCHA tools aren’t going to meet the AAA level.
“Recognizing objects, or a picture the user has provided is a cognitive function test; however, it is excepted at the AA level.”
Also, the allowance of CAPTCHAs at all within ‘accessible authentication’ doesn’t mean that CAPTCHAs are inclusive.
They, by design, create barriers for people with cognitive accessibility needs.
The main point:
Having a CAPTCHA sit inside a login process doesn’t make it any more or less inaccessible. So why treat logins differently?
In this case, I recommend not letting WCAG dictate how far your team goes in building accessible services.
Make the whole journey accessible.
A bonus CAPTCHA note from the ‘understanding’ document:
The criterion still applies to CAPTCHAs that only appear sometimes (like after entering a password incorrectly multiple times).
End of CAPTCHA thoughts.
Summing up:
‘Accessible Authentication’ makes login experiences better and more accessible.
But the lessons here extend beyond logins.
My personal plan:
Pretend ‘accessible authentication’ applies to all forms of authentication.
Why that’s my plan:
Authentication processes, wherever they are:
5 mins: Questions, clarification and knowledge-sharing
Inspection tips
Try out the full login process for yourself.
Make note of any points of increased effort or ‘ugh, now I have to think’.
Interact with inputs
Look for ‘cognitive tests’
Use the ‘inspector’ browser tools to see if inputs are built properly.
In particular, autocomplete= attributes.
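As an added example (not the GOV.UK Design System's own code, and not part of the workshop slides), here is a small JavaScript audit of the things this inspection step looks at on login-form inputs: the autocomplete= token, whether paste is blocked, and whether a maxlength would truncate a generated password. The field-classification heuristics, the 64-character threshold and the sample form below are assumptions made for this example.

```javascript
// Added example: audit login-form inputs for the "assistive mechanism" that
// WCAG 2.2 SC 3.3.8 expects (password managers and browser autofill doing the
// remembering). Not GOV.UK Design System code; the sample data is constructed.

// HTML autofill tokens a credential field should carry so autofill can fill it.
const EXPECTED_TOKENS = {
  username: new Set(['username', 'email', 'tel']),
  password: new Set(['current-password', 'new-password']),
  otp: new Set(['one-time-code']),
};

// Guess what a field is for from its attributes. Heuristic, assumed for this
// example; a real inspection would confirm by reading the page.
function classifyField(field) {
  if (field.type === 'password') return 'password';
  const hint = `${field.name || ''} ${field.id || ''} ${field.autocomplete || ''}`.toLowerCase();
  if (/otp|one-time|passcode|verification/.test(hint)) return 'otp';
  if (field.type === 'email' || /user|email|login/.test(hint)) return 'username';
  return null; // not a credential field, nothing to check
}

// Return a list of findings for one field; an empty list means nothing stood out.
function auditField(field) {
  const role = classifyField(field);
  if (!role) return [];
  const findings = [];
  const label = field.name || field.id || '(unnamed)';
  const token = (field.autocomplete || '').trim().toLowerCase();
  const wanted = [...EXPECTED_TOKENS[role]].join('/');

  if (token === '' || token === 'off') {
    findings.push(`${label}: autocomplete is ${token || 'missing'}; autofill cannot help, use ${wanted}`);
  } else if (!EXPECTED_TOKENS[role].has(token)) {
    findings.push(`${label}: autocomplete="${token}" is not a credential token for a ${role} field`);
  }
  if (field.pasteBlocked) {
    findings.push(`${label}: paste is blocked, so the user has to transcribe the value by hand`);
  }
  // 64 is an assumed threshold: shorter limits silently cut generated passwords.
  if (role === 'password' && field.maxlength && field.maxlength < 64) {
    findings.push(`${label}: maxlength=${field.maxlength} may truncate a long generated password`);
  }
  return findings;
}

// Audit a whole form given as a list of plain field descriptors.
function auditForm(fields) {
  return fields.flatMap(auditField);
}

// In a browser, build the descriptors from the live DOM with this helper.
// The inline-onpaste check is partial: handlers added with addEventListener
// are invisible here, so still try pasting into each field by hand.
function collectFields(doc) {
  return Array.from(doc.querySelectorAll('input')).map((el) => {
    const onpaste = el.getAttribute('onpaste') || '';
    return {
      type: el.type,
      name: el.name,
      id: el.id,
      autocomplete: el.getAttribute('autocomplete'),
      maxlength: el.maxLength > 0 ? el.maxLength : null,
      pasteBlocked: /return\s+false|preventDefault/.test(onpaste),
    };
  });
}

// Constructed sample: a login form with one well-built field, one badly built
// password field, and a one-time-code field for the second factor.
const SAMPLE_LOGIN_FORM = [
  { type: 'email', name: 'email', autocomplete: 'username' },
  { type: 'password', name: 'password', autocomplete: 'off', pasteBlocked: true, maxlength: 20 },
  { type: 'text', name: 'otp', autocomplete: 'one-time-code' },
];

for (const finding of auditForm(SAMPLE_LOGIN_FORM)) {
  console.log(finding);
}
```

To use it during an inspection, paste the block into the browser console on the login page and run `auditForm(collectFields(document))`. Every finding maps to a point where the person logging in is being asked to remember or transcribe something themselves rather than being helped.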
Demonstration of an inspection
5 mins: Questions, clarification and knowledge-sharing
Today’s workshop breakout activity
Each team gets an example service
Each service has 1 sign-up and 1 login
I recommend also having the ‘Understanding’ document pulled up for reference
In your groups:
Step 1:
Test out the sign-up process and determine if anything stands out as related to ‘accessible authentication’.
Record results of the sign-up test.
Example notes area
Step 2:
Inspect the login process to see if it passes ‘Accessible Authentication (minimum)’, based on the success criterion language and the draft ‘understanding’ document.
Record results of the login inspection.
Step 3:
Check agreement in the group before moving on.
Consensus isn’t needed, but record any doubts and try to resolve them.
Time to break out and workshop it!
Take note of the link in the chat.
Regroup and share insights
Please stay on mute unless talking.
Use the ‘Raise Hand’ option in the Reactions menu.
Thank you so much for participating!
More resources
Web Accessibility Initiative:
Relevant blog post:
How we are improving inclusion for digital identity in government
“The very biggest government services have to cater for everyone in society and therefore can’t adopt an identity solution that isn’t inclusive.”
GOV.UK Design System GitHub tickets:
Final questions and ideas
Wrap-up and retro
David Cox dav-idcox on LinkedIn
Steve Messer
Government Digital Service