WCAG 2.2 Accessible Authentication: clarification on whether this includes CAPTCHAs #1256
Comments
It's not memorization per se though. More pattern/image recognition. And would fail 1.1.1 already, most likely?
That's mostly what I'm thinking about 1.1.1, but could the argument be made that image recognition relies on remembering what a traffic signal / pedestrian crossing / tree, etc. is?
I'd say that's probably stretching the definition a bit. Rather, if the definition intended to cover those types of CAPTCHAs, then a separate example/bullet should be added to the definition, as a different kind of cognition test, that explicitly calls this out (rather than trying to bend the logic of what memorization means).
Agreed that it feels like a bit of a stretch. Maybe adding a note to the Understanding document that CAPTCHAs aren't relevant but are covered under 1.1.1 would be an idea.
There are a number of ways to fail any of several WCAG guidelines. This example is but one way. The root problem in this example is that it seems to be the only available CAPTCHA test, and providing only one way to pass a CAPTCHA is as fundamental a failure as accepting only mouse clicks, but not key presses. Please note that W3C published an updated Note, Inaccessibility of CAPTCHA, in 2019. APA has requested that AGWG sync up 2.2 with the guidance in that note, but that seems to have gotten lost in other work?
The point is whether 2.2 Accessible Authentication does or doesn't cover CAPTCHAs in general, or CAPTCHAs that involve shape/image recognition (not "memorization" per se), and if the answer is yes, that the "cognitive function test" normative definition should really spell this out too. While yes, that definition doesn't need to show all possible types of cognitive function test, the fact that it's not clear whether CAPTCHAs/these types of CAPTCHAs count or not is a good reason to either explicitly include (if it was intended to be covered) or exclude (if not) them in the definition. Otherwise we'll end up with exactly the sort of conversation we're having here, among web devs out in the wild ("does this cover this CAPTCHA or not?").
Hi All. I am the primary author of the Accessible Authentication SC, its understanding doc, and its issue paper. Yes, the intention, since I wrote the original issue paper in 2014, has always been to cover CAPTCHA. That is clear in the most recent issue paper. John |
Hi All. About whether or not the presentation of CAPTCHA images constitute a cognitive function test: Research has shown that, for people with learning disabilities, CAPTCHA images can cause confusion in part because they can be interpreted as having different meanings. John |
In which case, this could really do with being made explicit in the understanding document / the normative glossary definition for "cognitive function test" (https://www.w3.org/WAI/WCAG21/Understanding/accessible-authentication), as currently that's not clear.
There are quite a few different types of captcha and some are clearly covered by cognitive function test such as:
For the Google reCAPTCHA approach that shows 9 images and says "pick the ones with taxis" (or something), I'm a little hesitant to say that would be covered by the definition. Partly because it showed 3 images with yellow New York cabs. I almost missed that due to cultural/localisation issues (our taxis are black or blue). I.e. it's not very good for non-disability reasons as well. @JohnRochfordUMMS - I couldn't see anything in the paper about these image-recognition style CAPTCHAs? It seems a big stretch to call that "memorisation", or a "puzzle". It is also tricky because the type of question varies: it could be asking you to recognise bridges, or cars (which is simple enough?), but other questions might trip over cultural or other issues. Also, I'm afraid there are significant and legitimate business reasons for including a CAPTCHA. I run a website which includes registration and I've been through all the alternatives. There are bots which are scripted to:
It is whack-a-mole, and the site keeps getting banned from sending emails because the spam-bots generate so many registration emails to random addresses. That is enough of a problem to need to do something about it. In my case I'm considering removing automatic registration, but we only have ~2000 members; that wouldn't work at scale. Using a 3rd party service that is prepared to play whack-a-mole on my behalf is very tempting. The reason I bring that up is: what would they move to if this 9-square image thing were 'banned', and would that be worse?
Hi @alastc. Yes, here is the research to which I previously referred: "CAPTCHA: Impact on User Experience of Users with Learning Disabilities". I'm sorry I can't help you with your website troubles. I guess it's not so good to be so popular! John
But correct me if I'm wrong, this SC does not apply to registration (setting up a new account), or even things like comment forms on blogs or similar, but to an authentication process, i.e. login, no? The understanding document seems to support this too, as it talks at length about login.
That's a fair interpretation: authentication is verifying the identity of a user (after registration). However, if a comment form on a blog requires authentication, as many do, the AA SC applies. John
@JohnRochfordUMMS thanks, and that research said:
It seems like one of the better approaches, at least from a COGA point of view. There was another reference I can't get access to though. Oh, and it's not that the website is particularly popular, I think it happens to any site with a registration :-/ @patrickhlauke Good point, it is authentication, but I still come across logins with CAPTCHA occasionally, it's worth working out the answer about scope. |
@JohnRochfordUMMS - If a blog requires an email & CAPTCHA to comment, I don't think that's authentication because it does not take any action to establish your identity is correct. If you haven't registered information previously, how can it be authenticating that information? |
@alastc About the research, I made a mistake. I was referring to the article, "A User-friendly Image-Text Fusion CAPTCHA About the blog authentication, I am referring to the common practice of requiring authentication, typically through third-party services such as oAuth and OPENID, to mitigate/help reduce vitriolic comments. |
The specification notes that cognitive tasks can include:
While it might be stretching the definition, it notes "but are not limited to", implying that it can be stretched. And more generally, one could argue that from a cognitive POV, a no-brainer for someone else might be a puzzle for someone, such as myself, with short-term working memory challenges. Since using autofill (thanks, Identify Input Purpose) I've noticed that I much more often see CAPTCHAs when logging into websites. In these cases, it seems like the authentication process would need some non-CAPTCHA alternative. But at the same time, Non-text Content says "However, [captchas] are widely used, and the Web Content Accessibility Guidelines Working Group believes that if CAPTCHAs were forbidden outright, Web sites would choose not to conform to WCAG rather than abandon CAPTCHA." So it does seem like it needs to be a bit more clear and consistent between success criteria. And while I do struggle with them, I do not think that they should be outlawed at level AA (assuming at least two modalities).
Noting there are other issues which will impact the definition of cognitive function test, I suggest a minor clarification in the understanding. Going back to the original question:
I think the conceptual difference between memorization/puzzles and the reCAPTCHA example is that the information needed is not specific to the site. I.e. asking to recognize objects from everyday life is different from asking you to memorise something for this site. The only bit in the understanding that I think causes confusion is this line from the intent:
I suggest replacing "identifying which images include a particular object" with "performing a calculation". |
Hi everyone, after the discussion today it seemed like we agreed on the survey question, and the next step was to update the understanding document. I'm proposing this addition to the Intent section, any suggestions?
Wondering if "Recognizing common objects" isn't a bit subjective here? Anecdotally, I've heard of users being stumped by those reCAPTCHA challenges that ask you to choose all the pictures with a taxi, but not realising that it's the classic US yellow taxis that were meant, which may not be obvious to, say, a UK user who is familiar with black cabs.
I agree with @patrickhlauke. I think that @alastc is on the right track, but that the line between "recognizing a picture the website provided" and "recognizing common objects" is subjective. It seems like it might need something similar to Non-text Content, where there is an explanation that CAPTCHAs are a somewhat unique case and some normative steering (e.g. in scope for ones that are objectively cognitive tests, e.g. performing a calculation; but not for more fuzzy ones, e.g. object recognition, which are covered at AAA).
I've seen a few issues with CAPTCHAs.
I did wonder about putting in a caveat about "cultural references". In the group discussion it was mentioned, but no-one argued when I said it should probably count as a non-accessibility issue, i.e. it affects everyone. Do you think it would help to add something like this?
@mraccess77 good points, but in this case we are trying to find the line of what is a cognitive function test as it relates to CAPTCHAs. Crap captchas (e.g. the car vs van) affect everyone, although I'm sure it's a level-up if you have certain disabilities. It is fairly rare for a captcha to be used for authentication; they are usually on the registration. However, it is possible they can be used with logins (e.g. as a simple anti-dictionary-attack method), or a variant can be used as a second factor, e.g. pick your cat picture out of these 9 pictures. Plus we already have 1.1.1 for the image case; I bet the taxi/van/car variants do not have suitable alt text!
It is my experience that CAPTCHAs for authentication pop up often after a few failed attempts. So you may not see them if you use a password manager or know your passwords. So we may need to consider this fact in our test procedure.
Hi @mraccess77, good point. I also just came across one for GatherContent that pops up on submit of your username/password, probably dependent on whether it thinks you are a bot or not. As I have some ad-blockers / privacy tools, I tend to trigger the "bot" part of that quite a lot! I think it's covered normatively, as any scenario which can bring up a captcha is in scope in general, but could you recommend some text for the understanding doc?
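To make the "CAPTCHA only after a few failed attempts" behaviour concrete for the test procedure discussed above, here is a constructed example of a per-account login gate (added illustration, not code from WCAG, any W3C document, or any site mentioned in the thread). The threshold of three failures and the 15-minute window are assumptions chosen for the example. It shows why a tester who signs in correctly with a password manager never reaches the CAPTCHA state, while a user who mistypes three times does, and how the state clears on success or when the window expires.

```python
"""Constructed example: a login throttle that demands a CAPTCHA only after
repeated failures for the same account (anti-dictionary-attack gate).

Not from WCAG or any project in the thread. Threshold and window are
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CAPTCHA_AFTER_FAILURES = 3   # assumption: third failure turns the gate on
WINDOW_SECONDS = 15 * 60     # assumption: failures older than 15 min are forgotten


@dataclass
class LoginGate:
    # username -> timestamps of recent failed attempts
    failures: Dict[str, List[float]] = field(default_factory=dict)

    def _recent(self, username: str, now: float) -> List[float]:
        """Drop failures outside the window and return the ones that remain."""
        cutoff = now - WINDOW_SECONDS
        kept = [t for t in self.failures.get(username, []) if t > cutoff]
        self.failures[username] = kept
        return kept

    def captcha_required(self, username: str, now: float) -> bool:
        """True once the account has hit the failure threshold in the window."""
        return len(self._recent(username, now)) >= CAPTCHA_AFTER_FAILURES

    def record_attempt(self, username: str, success: bool, now: float) -> None:
        """A success clears the counter; a failure adds a timestamp."""
        if success:
            self.failures.pop(username, None)
        else:
            self._recent(username, now).append(now)


def walkthrough() -> dict:
    """Run the scenarios from the thread against the gate and return what each sees."""
    gate = LoginGate()
    t0 = 1_000_000.0  # constructed epoch-style timestamp

    # Password-manager user: first attempt succeeds, never sees the CAPTCHA.
    pm_seen = [gate.captcha_required("alice", t0)]
    gate.record_attempt("alice", True, t0)
    pm_seen.append(gate.captcha_required("alice", t0 + 1))

    # User (or guessing bot) who fails three times in a row.
    bob_seen = []
    for i in range(3):
        gate.record_attempt("bob", False, t0 + i)
        bob_seen.append(gate.captcha_required("bob", t0 + i))

    # The same account after the window has elapsed: failures expire.
    after_window = gate.captcha_required("bob", t0 + WINDOW_SECONDS + 10)

    # Three failures followed by a success: the success resets the gate.
    for i in range(3):
        gate.record_attempt("carol", False, t0 + i)
    before_success = gate.captcha_required("carol", t0 + 3)
    gate.record_attempt("carol", True, t0 + 4)
    after_success = gate.captcha_required("carol", t0 + 5)

    return {
        "password_manager_user": pm_seen,      # [False, False]
        "three_failures": bob_seen,            # [False, False, True]
        "after_window": after_window,          # False
        "before_success": before_success,      # True
        "after_success": after_success,        # False
    }


if __name__ == "__main__":
    for scenario, outcome in walkthrough().items():
        print(f"{scenario}: {outcome}")
```

The practical consequence for an accessibility test procedure is visible in `three_failures`: the CAPTCHA state is only reachable by deliberately failing the login the threshold number of times within the window, so a test that signs in correctly once will never exercise it.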
Proposed wording for understanding doc
The challenge I see with recognizing common objects is that they are hidden in the environment. It's not as simple as seeing an apple on a white background. It's a fire hydrant in the grass that is hidden next to a vehicle, with many other things in the picture meant to throw off the user. Essentially, even though the object is common, it's really a cognitive test to sort out all of the other objects.
PR ready for review in #1611 |
The SC states
The definition of "cognitive function test" includes:
Would a CAPTCHA implementation that involves "select all the pictures of traffic signals" (or similar) fall under memorization of images?