Success Criterion 3.3.8: Accessible Authentication (Minimum) (Level AA) #253

Closed
ferBonnin opened this issue Nov 2, 2023 · 4 comments

Comments

@ferBonnin

From 3.3.8: Accessible Authentication (Minimum):

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:

Alternative: Another authentication method that does not rely on a cognitive function test.
Mechanism: A mechanism is available to assist the user in completing the cognitive function test.
Object Recognition: The cognitive function test is to recognize objects.
Personal Content: The cognitive function test is to identify non-text content the user provided to the Web site.

"Object recognition" and "Personal content" may be represented by images, video, or audio.
Examples of mechanisms that satisfy this criterion include:

  1. support for password entry by password managers to reduce memory need, and
  2. copy and paste to reduce the cognitive burden of re-typing.

Guidance When Applying Success Criterion 3.3.8 to Non-Web Documents and Software

Note: Device passwords, used to unlock a device, are out of scope for this requirement as these are not up to the author.

@ferBonnin
Author

From #42.
Also adding a reference to the issue related to the note

@maryjom
Contributor

maryjom commented Jan 18, 2024

Copying Phil's proposed note into the issue with the overall draft for 3.3.8:

Proposed note for discussion:

Note: Systems that are designed for shared use (such as in a public library) are out of scope for this requirement, as the user will not have access to applications that allow them to auto-complete content.

Note: Some closed systems, particularly those that handle financial transactions, have a requirement for a personal identification number (PIN) for authentication. This is a security requirement set down by the banking industry, and currently there is no globally acceptable alternative to the PIN for some systems (e.g. card payment terminals and ATMs). These systems are therefore out of scope for this requirement as users must use their PIN (either the digits themselves, or the spatial location of the digits on the keypad) in order to meet the security requirements.

@maryjom
Contributor

maryjom commented Mar 19, 2024

The content for the SC problematic for closed functionality section on 3.3.8 and notes for the Applying SC 3.3.8 section reached consensus on 15 February. The rest was agreed upon on 1 February. Incorporated with PR #305.

@maryjom
Contributor

maryjom commented Mar 19, 2024

Closing this issue and will keep the other one until the AG WG reviews/approves the content for this SC.
