WCAG 2.2 became official in October 2023. The majority of the guidelines are simply enhancements to existing standards such as “Focus Appearance”, or common-sense things like “Focus Not Obscured”. The one much-needed addition in 2.2 is with regards to methods of authentication. Like most of the guidelines, it’s a little murky, so here’s a few bullet points that explain it in simple language.
At the AA (minimum) Level:
- Don’t make users complete tests (like 2 + 3 = ?) to login
- Don’t disable users’ ability to copy and paste usernames and passwords
- Don’t disable autocomplete for username and password fields
The AAA Level (enhanced) adds the following requirement:
- Don’t make users complete CAPTCHAs, such as “click on all of the images containing a motorcycle” or “click on all images containing a traffic light”
That’s all well and good, and it’s long overdue. But I don’t think it goes far enough. Here’s why:
CAPTCHAs are horrid for EVERYONE, not just people with disabilities. First of all, the directions are often vague and open to interpretation. For example, does the person on the motorcycle count? Does it include the traffic light post and base, or just the illuminated part? Secondly, the images are often difficult to see, particularly on mobile devices. I have pretty decent eyesight (thanks to retinal and laser surgery), but I still regularly fail CAPTCHA tests, sometimes repeatedly. Below is an actual size screenshot I captured of an CAPTCHA I encountered recently on my phone. To add context for non-sighted users, there is a prompt asking the user to select all of the images containing motorcycles, and there is a series of tiny thumbnails inside of a scrolling div. A couple of the photos have been taken from so far away, it’s almost impossible to determine if they have motorcycles in them without zooming in:
It can be argued that the fact that the images are contained within a scrolling area also violates SC 1.4.10:Reflow (Level AA), as it requires users to scroll in two directions. But I digress.
X (formerly Twitter) now requires users to pass TWELVE image recognition tests before they can register a new account. I understand the company’s need to combat bots, but that’s a bit ridiculous. And we know from experience that most companies tend to only follow the AA standards, so CAPTCHAs and image recognition tests are likely to stick around for a long time to come.
The other thing I would like to have seen in 2.2 is this:
“Provide a mechanism for users to stay logged in until they choose to log out”
Very few things frustrate me more than having to enter a “verification code” every time I log into a website.
I was also very disappointed to see that the New Rule on the Accessibility of Web Content and Mobile Apps Provided by State and Local Governments specifies that entities only have to comply with WCAG 2.1 AA rather than 2.2, because it means we are going to have to continue to live with the horrors of inaccessible authentication for an unknown period of time. One can only hope that people strive to stay ahead of the curve, and in this case follow the 2.2 AAA guidelines.