Accessible Authentication: Does copy-paste or autofills pass? #1292

Closed
ghost opened this issue Aug 12, 2020 · 7 comments
Labels
3.3.7 Accessible Authentication deprecated - use 3.3.8 Accessible Authentication (Minimum) Duplicate Public Comment WCAG 2.2

ghost commented Aug 12, 2020

Reviewing 3.3.7: Accessible Authentication, TFA appears to be in scope. For example, "A web site that requires 2-factor authentication allows for multiple options for the 2nd factor, including a USB-based method where the user simply presses a button to enter a time-based token."

However, with mobile websites, you can autofill OTPs that are sent via SMS. So there is no cognitive requirement. But this is specific to someone accessing the website on mobile.

[Image: example of autofilled OTP]

That said, more broadly, on mobile the user may have an authentication app. In this case, they just need to go to the app, copy the code, and paste it into the website.

On desktop, the user may just have to copy and paste code from an email. I don't know if this would be in scope. I would guess if the email is just a link ("click this link to activate your account"), it would not be in scope. So would it be in scope if they had to copy a code from the email and paste it into a field to perform the same task?

@alastc alastc added 3.3.7 Accessible Authentication deprecated - use 3.3.8 Accessible Authentication (Minimum) WCAG 2.2 Public Comment labels Aug 12, 2020
@alastc alastc added this to To do in WCAG 2.2 Aug 19, 2020

alastc commented Sep 14, 2020

I think the crux here is whether copy-paste is a recognised method of bypassing the need to transcribe a set of numbers/characters.

In the example above, I've not seen that shortcut myself (where the phone grabs the numbers out of a text message). I wonder how widespread & reliable that is?

mraccess77 commented

iOS provides me the option to paste codes from text messages on my iPhone. It appears as an option above the keyboard on screen.

patrickhlauke commented

This would be iOS specific, so not something that can be generally relied on. It's essentially an OS addition to the more general concept of copy/paste operations (iOS "preloads" your clipboard with / automatically copies what it guesses is a confirmation code in a text message, and lets you paste it easily, in a single operation). If the concept of copy/paste is disallowed (which I'd say would be far more restrictive), then this niceness in iOS makes no difference overall (as you couldn't say "offer these various authentication alternatives...oh except on iOS").


ghost commented Sep 14, 2020

It is supposedly supported on Android 9 as well.

I think that @alastc is correct, though.

> I think the crux here is whether copy-paste is a recognised method of bypassing the need to transcribe a set of numbers/characters.

This is just the system making the copy-paste quicker. But the underlying question is whether or not there is a cognitive test when one can access the platform on a system which would allow the code to be copied and pasted and thus bypass any cognitive test.


alastc commented Sep 15, 2020

@mraccess77 that might be why I haven't seen it, I use a custom keyboard.

Overall, I don't think the website can know what system all their users will have, so it doesn't seem like a reliable thing.

If copy/paste is ok, that's the core, and a good question to get the experience of the cognitive task force (I have emailed this question).

@alastc alastc changed the title from "Is 3.3.7: Accessible Authentication out of scope when the user agent autofills OTPs" to "Accessible Authentication: Does copy-paste or autofills pass?" Sep 16, 2020

alastc commented Sep 16, 2020

There has been further discussion in #1359, and a PR created to address both in #1419.


alastc commented Nov 10, 2020

The PR has been approved, please re-open if you think it has not been addressed sufficiently.

@alastc alastc closed this as completed Nov 10, 2020
WCAG 2.2 automation moved this from To do to Done Nov 10, 2020