As the next iteration of the international accessibility guidelines, WCAG 2.2, is scheduled to be released in December 2022, we decided to take a closer look one of the new additions.
3.3.7 Accessible Authentication (A) is one of the nine new success criteria in v2.2 and aims to help users with cognitive issues by requiring a simple-to-use, accessible, and secure method to log in.
As login and password requirements are proving to be a major accessibility issue let’s take a closer look at the success criterion and options to consider when making your website accessible…
The success criterion
Success Criterion 3.3.7 Accessible Authentication (Level AA): For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.
Why is it important?
Many sites require you to input a username and password to gain access or perform tasks. Remembering these details can be a struggle for many of us but may be impossible for people with certain cognitive disabilities.
Issues relating to memory, words or numbers can make it incredibly challenging to perform the ‘cognitive function test’ that is remembering and inputting login details. Repeatedly typing in or entering complex passwords can also be a burden for users with physical and visual impairments who may find it harder to correct mistakes once made.
Any errors that are made, can result in users being locked out of accounts, a state many might find distressing.
What are the solutions?
To ensure your account login is accessible and complies with this new success criterion, there are a few solutions available...
Allow password managers
Tools such as LastPass and Google Password Manager automatically fill in the username and password when you land on a website, doing away with the need to remember all your details and making it easier to login.
Allow copy and paste
Manually entering login details can be particularly hard for people with cognitive of physical disabilities who may prefer to copy and paste from a separate document. If a password can only be inputted manually this prevents people adopting this strategy and can make password entry a difficult, if not impossible, task. To make this job easier, do not restrict copying and pasting and consider giving users an option to see the characters inputted.
Allow third party authentication
Third party authentication allows people to login into a website using an account from another provider. For example, users might login with their Twitter, Facebook or Microsoft account when on a shopping website. This is another good alternative for people with disabilities who struggle to input their details as it does away with the need to remember yet another set of login details.
However, keep in mind some users may not have these accounts or want to log into them while using your website so this should always be offered in addition to another accessible solution.
Passwordless authentication
An obvious solution for overcoming the complexity of using passwords is to get rid of them altogether! Web authentication is one such solution, which requires no username or password. Instead, it recognises the user’s device and allows users to authorise actions through facial scanning, fingerprint recognition or entering a pin number (think accessing your banking app on your phone).
Providing accessible and easy ways to login to online accounts is critical for delivering an inclusive online world. So much of the digital space is behind login walls and people should not be prevented from getting there because of cumbersome login processes. Bear in mind that people have a lot of different needs so always provide at least two of the above options to ensure everyone can access your services.
Pause of thought: Two-factor authentication
Two factor or multifactor authentication (2FA or MFA) is important for ensuring online security. However, it also has the capacity to provide yet another hurdle for users to overcome. When using 2FA, giving users options can prevent further challenges.
For example, some users may prefer receiving a SMS text message, while some want an email. Providing both these options as standard reduces the risk of an accessibility barrier.
Be careful, however, that you are not creating further issues. SMS codes tend to have a time limit and are made up of numbers and letters. Both these features can pose potential problems that may stop people from proceeding with the process. For example, it might take longer than the allocated 10 minutes or assimilating letters and numbers is cognitively challenging.
Either way, balancing accessibility with security is likely to be an ongoing challenge so providing options and alternatives will be key to ensuring universal access to digital services.
