WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: Accessible authentication and "transcription"


Number of posts in this thread: 9 (In chronological order)

From: Damon van Vessem
Date: Sun, Oct 08 2023 1:19PM
Subject: Accessible authentication and "transcription"

Greetings,

I have a question about 3.3.8 Accessible Authentication (AA), specifically
about “transcribing” information. Let’s say a user is trying to sign in on
their laptop and a 2-factor mechanism requires them to use one-time code
received/generated on their phone. Is this an acceptable solution, since it
requires them to type (transcribe?) the code on their laptop?

Thanks!
Damon

From: Patrick H. Lauke
Date: Sun, Oct 08 2023 1:26PM
Subject: Re: Accessible authentication and "transcription"

On 08/10/2023 20:19, Damon van Vessem wrote:
> Greetings,
>
> I have a question about 3.3.8 Accessible Authentication (AA), specifically
> about “transcribing” information. Let’s say a user is trying to sign in on
> their laptop and a 2-factor mechanism requires them to use one-time code
> received/generated on their phone. Is this an acceptable solution, since it
> requires them to type (transcribe?) the code on their laptop?

If they can only transcribe it manually, then that fails. There is some
gray area around the idea that they can potentially copy it on device,
then transfer it to their machine (for instance, emailing it over, or
with OS integrations that let you have a shared clipboard between devices).

P
--
Patrick H. Lauke

https://www.splintered.co.uk/ | https://github.com/patrickhlauke
https://flickr.com/photos/redux/ | https://www.deviantart.com/redux
https://mastodon.social/@patrick_h_lauke | skype: patrick_h_lauke

From: Peter Bossley
Date: Sun, Oct 08 2023 5:49PM
Subject: Re: Accessible authentication and "transcription"

Note that if the code is only valid for a short period of time, e.g. 30 seconds like some TOTPs, that might be too short to be a valid argument under the copy-paste theory. This is something that I've raised as something the working group should clarify.
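
[Added example, not part of any post in this thread.] The 30-second validity mentioned above can be made concrete with an RFC 6238 TOTP verifier: how long a displayed code stays usable depends on where in the time step it was shown and on how many earlier steps the server accepts. The function names and the `past_steps` parameter are assumptions made for this illustration; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (the 30-second case from the post)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: int, past_steps: int = 1,
           step: int = STEP) -> bool:
    """Accept the code of the current step and of up to past_steps earlier steps.

    Each extra accepted step gives the user 30 more seconds to move the code
    between devices, and gives an observed code 30 more seconds of life, so
    the verifier should also refuse a code it has already accepted once.
    """
    for back in range(past_steps + 1):
        t = now - back * step
        if t >= 0 and hmac.compare_digest(totp(secret, t, len(code), step), code):
            return True
    return False


def seconds_usable(shown_at: int, past_steps: int = 1, step: int = STEP) -> int:
    """Seconds after shown_at during which the code displayed then still verifies."""
    expires = (shown_at // step + 1 + past_steps) * step
    return expires - shown_at


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    code = totp(secret, 59)           # read by the user in the last second of a step
    for allowed in (0, 1, 2):
        print(f"past_steps={allowed}: code {code} usable for "
              f"{seconds_usable(59, allowed)} s")
```

With no earlier steps accepted, a code read in the last second of its step leaves one second to copy, transfer and submit it; accepting one earlier step guarantees at least 30 seconds.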



From: Geethavani.Shamanna
Date: Mon, Oct 09 2023 7:22AM
Subject: Re: Accessible authentication and "transcription"

Interesting. The government (the National Savings and Investment) website here in the UK uses a type of authentication where the user receives a phone call. While on the call, the user has to type the code that appears on the computer screen into the phone. Finding the code used to be difficult, but they have now added an aria-live region, so the code is announced when it appears on the screen. I still think many screen reader users may struggle to get the code and input it on the phone within 10 seconds or whatever time the call remains active.

Geetha

From: Sonja Weckenmann
Date: Mon, Oct 09 2023 1:44PM
Subject: Re: Accessible authentication and "transcription"

Hi Patrick,

> There is some gray area around the idea that they can potentially copy
> it on device, then transfer it to their machine (for instance, emailing
> it over, or with OS integrations that let you have a shared clipboard
> between devices).


Do you know about an issue / discussion on that in the Working Group?
Would it rather be a pass than a fail? I think this may be a common use
case?

Thanks
Sonja


From: Kevin Prince
Date: Thu, Oct 12 2023 4:03PM
Subject: Re: Accessible authentication and "transcription"

My reading of the checkpoint is that it is a fail as it requires transcription as part of the process.

Kevin

From: Alastair Veal
Date: Tue, Oct 17 2023 3:30AM
Subject: Re: WCAG 2.2 Accessible Authentication

Hi Everyone,

I wondered what you thought of Web Content Accessibility Guidelines (WCAG) 2.2 (w3.org).

As I understand it, we cannot use Google reCAPTCHA unless we provide an accessible alternative, such as email authentication…

Thanks,

Alastair Veal

From: Joshua Hori
Date: Tue, Oct 17 2023 8:45PM
Subject: Re: WCAG 2.2 Accessible Authentication

I think it’s great that they added that and look forward to new authentications. AI is getting around the captcha by using TaskRabbit and having people fill out the captcha for them, stating they were blind users. To top it off, we’ve had a big password manager leak occur and need a new way to authenticate users. Like the way https://freecodecamp.org logs people in. Put in your email and it sends you a link. No login, password, or captcha required and it’s still able to track your progress.

Web 3 uses crypto wallets to log in to sites, no additional authentication needed. Press the connect button on the site and confirm in your mobile wallet or browser extension. Additional interactions require you to approve them through your mobile wallet. Check out https://dework.xyz, a web 3 bounty board that uses crypto wallets or your Discord account to log in.

There are 2 things I would add. Additional guidelines for 2.5 Input Modalities.

2.5.9 AA – Multimodal Input (minimum)

FaceTime comes to mind. You can only do audio/video chat; there are no text chatting capabilities for DHOH or neurodiverse individuals. Slack is another that comes to mind. You can do voice and text chat, but no video chat or screensharing for ASL or presentation purposes.

2.5.10 AAA – Multimodal input (enhanced)

Google glasses have shown they can convert American Sign Language (ASL) into text but aren’t currently commercially available. Another instance would be typing/dictating in natural languages with conversion to local language. Google Translate is getting better.

Best,

Joshua Hori


From: EMB Creative
Date: Wed, Oct 18 2023 6:20AM
Subject: Re: WCAG 2.2 Accessible Authentication

To address your question about auth requirements, seems like as long as
the password can be copied/pasted or input via password manager, the
criteria is met. Multi factor auth using email is one way to solve but not
the only way. I appreciate some of the examples mentioned by the previous
reply…

Cheers,
Emily