
3.3.7 - Are system-level tests out of scope? Are PINs and Passwords synonymous? #1900

Closed
ghost opened this issue Jun 13, 2021 · 2 comments · Fixed by #1909
Labels
3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) Survey - Ready for Understanding WCAG 2.2

Comments


ghost commented Jun 13, 2021

The success criterion notes that

"Remembering a password is a cognitive function test."

Later on, it talks about

The user's device could use any available modality. Common methods on laptops and phones are facial-scan, fingerprint, and pin number.

My understanding in this instance is that the technique is referring to a website-agnostic PIN. For example, the PIN of their iPhone, rather than the PIN of the website.

Just that if I am right about the PIN, presumably remembering your device password is out of scope. For example, Safari might ask you to type in your device password after trying to use the OS Face ID or Touch ID.

As well, it's common for banking websites to have their own PIN numbers. So I think the line to draw here is the distinction between domain passwords and PINs (a website) and operating-system passwords and PINs.

Personally, I would consider defining "password" in the "key terms" section.

In the context of this success criterion, a password is any input required from the user by the author.

This could be a password with alphanumeric characters and symbols, numerical PIN, file upload, API token, memorable phrases, and so on.

When the author requires inputs from the user, such that they can authenticate themselves, it is a password.

I would also consider adding an exception for OS passwords. For example:

For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.

Except when the cognitive test is required by the operating system and is unmodified by the author.


alastc commented Jun 15, 2021

Proposed response:

presumably remembering your device password is out of scope

Indeed, that is not up to the author.

I would consider defining "password" in the "key terms" section.

We generally try not to define what is effectively a dictionary term; we don't mean anything different from the standard definition of "a secret word or phrase that must be used to gain admission to a place."

I wonder if just refining the bit that triggered your confusion would help? E.g.

Remembering a site-specific password is a cognitive function test.


ghost commented Jun 16, 2021

Makes sense to me.
