‘Accessible Authentication’ must avoid authenticating users through memory, transcription or cognitive tests without alternatives.
Although it can be important to authenticate users, those with cognitive impairments may have difficulty with remembering passwords or typing in one-time codes.
Some users will be unable to recall a password or series of gestures to access their accounts and require help or alternative means to authenticate.
How to Pass ‘Accessible Authentication’
If you are authenticating a user, avoid:
- asking for a memorised password; and
- requiring them to type in certain characters; and
- making the solve any kind of puzzle, calculation or test.
You can ask a user to complete a cognitive test if you also provide:
- an alternative authentication method that doesn’t require a test; or
- help for the user in completing the test; or
- a test which requires the user to identify objects; or
- a test which requires the user to identify non-text content they provided previously.
‘Accessible Authentication’ Tips
Where you use multi-factor authentication, each stage of the process must comply.
Password recovery processes must also meet this guideline.
Personal information such as an email address or phone number is fine to use, as this is consistent across all website and unique to the user.
Supporting password autofill and password managers is providing help.
Further help could be allowing copy and paste into password fields to reduce re-typing.
Enable users to toggle hidden characters on and off, for example when typing in a password.
Avoid asking for certain characters from a password as this means the user cannot use copy and paste.