Accessible authentication will be a new success criterion in WCAG 2.2

Note: This post is older than two years. It may still be totally valid, but things change and technology moves fast. Code based posts may be especially prone to changes...

(Read 527 times)

Authentication will also be a part of WCAG, at least it is planned to be an level AA success criterion in the WCAG version 2.2 when it will be officially published. Nevertheless – I think standardization of authentication will benefit a lot of people.

You have probably experienced strange logins in some solutions, especially when they totally surprise you with some new patterns you have to learn before you can login. Luckily those are not so popular and with better user experience research and designs understanding the importance of smooth and secure logins I really hope they will be even better.

But sometimes authentication can be a really difficult task and I am happy that the new Web Content Accessibility Guidelines (WCAG version 2.2 and currently still not officially finished) will try to make it more standardized, so that users of all abilities will have an easier time to login to online systems.

What does success criterion nr. 3.3.7 – Accessible Authentication mean for us?

Current draft of Understanding Success Criterion 3.3.7: Accessible Authentication (opens in new window) will be a level AA success criterion and it may change or even be removed when final WCAG 2.2 is published, but it is still worth studying. Making login experiences simpler makes a lot of sense for all kinds of online services and have a giant impact for everybody. People with disabilities are not an exception.

Current text of success criterion goes like this: “For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.”

So first we must define what this cognitive function test really is. The page is defining such tests as a task that needs the user to remember usernames, passwords and in some cases even sets of characters, images or patterns. I like to think of typical username and password flow where I need to know my username and password. But this also covers additional checks that may be there in parallel, to prevent automatic scripts and bots to brute force into systems – so called captchas, simple mathematical problems, “how many traffic lights you see” and so on.

Basically I like to think about this success criterion as a standardization that will make logins more universal, simpler and predictable. I came to this conclusion when reading about sufficient techniques;

  • properly marked up forms with username and password fields (that make it possible to use password managers, for example),
  • using special links sent to emails that do not need to remember anything but email addresses (and access to the email),
  • third party login that uses for example oAuth (you have probably used login with Google, Facebook or other providers),
  • WebAuthn as alternative (new standard API that is using public-key based credentials),
  • at least two possibilities for two-factor authentication (for example SMS on mobile or email link)

So this is very technical but it basically means that it will be possible to use your favorite password manager (or maybe just your browser) to login where there is username and password required. And that you will have the possibility to copy paste the password if you will want to. It surely makes it easier when that is possible but on the other hand you will need to have a trustworthy password manager (preferable over saving credentials into browser).

WebAuthn (opens in new window) is as mentioned new standard API based on public-key credentials and it will basically mean that we will be able to use our phones to log in to online services on our laptops or desktops. For example using PIN numbers, fingerprints, face recognition and so on. Multiple possibilities that can sometimes make it easier to login and most importantly based on user preferences, giving multiple options.

Authentication standardization is again beneficial beyond accessibility

I like to believe that this kind of standardization will also be beneficial to overall usability and maybe even security, depending on implementation. Having multiple options, like for example using biometrics through sensors on our mobile devices when possible will make it easier to access protected services for more people.

Offering multiple, secure, login options will benefit more people but of course providers will need to adapt to their user base as well. But making it more standardized and accessible will for sure benefit more people. Who does not want a simpler login process that feels similar throughout the web?

Author: Bogdan Cerovac

I am IAAP certified Web Accessibility Specialist (from 2020) and was Google certified Mobile Web Specialist.

Work as digital agency co-owner web developer and accessibility lead.

Sole entrepreneur behind IDEA-lab Cerovac (Inclusion, Diversity, Equity and Accessibility lab) after work. Check out my Accessibility Services if you want me to help your with digital accessibility.

Also head of the expert council at Institute for Digital Accessibility A11Y.si (in Slovenian).

Living and working in Norway (🇳🇴), originally from Slovenia (🇸🇮), loves exploring the globe (🌐).

Nurturing the web from 1999, this blog from 2019.

More about me and how to contact me: