WCAG 2.1 Success Criterion 1.3.5: Identify Input Purpose: Passwords

[shawnthompson]

We need a best practice on using autocomplete on all form elements, including usernames and passwords.

I think this there's different roles at play here.

1. The developer adding in the autocomplete HTML attribute needed to comply with WCAG 2.1 criterion.
2. The **user ** who has to add their information in a mechanism that allows HTML forms to autofill.
3. ITSEC who can block those mechanisms and not allow users to use autofill (not recommended because many users rely on autofill).

In the end, ITSEC and guidance does not and should not stop developers from adding autocomplete to their web applications.

The ownness is on the user to handle their information and allow autocomplete to be used.

In my experience, many departments are having the same issue still. ITSEC turning off their autocomplete mechanisms for their employees and the accessibility testing doesn't test for autocomplete therefore allowing web application to be developed that don't conform to WCAG 2.1 (government standard).

This might be something we post on the Digital Accessibility Toolkit (DAT) as a best practice.

CC: @rubydo, @andrewnordlund

[shawnthompson]

Some references that might help with a solution:

• Let them paste passwords
• Using HTML 5.2 autocomplete attributes

Quote from WCAG technique

Security considerations

Organizations can be concerned about allowing input fields to be automatically filled-in. There is sometimes confusion about how browsers save information and the security implications.

For the autocomplete attribute:

• This technique should only be used when asking for data about the user who is filling the form in, not for other people.
• It only works if you are on the same computer, using the same user-account, and using the same browser. Any multi-login scenario does not save autocomplete data between different accounts. (Users can setup syncing of data across computers, but that is not the default.)
• Saving information with autocomplete is opt-in by the user, usually at the point of saving data the first time.
• The form is not auto-submitted, the user can see the data before it is submitted.
• It is easy to wipe both history and form data in the browser settings.
• It is easy to engage a privacy mode, such as private browsing.
• Even without autocomplete set in the webpage, browsers can save data, and some plugins (such as password managers) will aggressively use heuristics to guess what fields are for and fill them in. Using the autocomplete attribute makes those guesses accurate.

The browser history provides far more detail about what people have done, and is just as available as autocomplete data. The solutions/mitigations for browser-history are similar to autocomplete.

[RababGomaa]

Here is the view of IT security with respect of use of Autocomplete <input autocomplete="on"> for passwords.

• Autocompete of passwords is treated like browser-based passwords managers which are considered a security concern ref Password Managers-Security (ITSAP.30.025)
• The security risk is increased when autocomplete is used for protected B information
• The recommendation is to use user password managers that require two‑factor authentication

[RababGomaa]

Here is what I suggest for compliance with WCAG 1.3.5

1. Evaluate two factor authentication for accessibility (Consultation with ITSecurity teams would ensure that the solution chosen is in alignment with security).
2. Unify the password management across the organization e.g. use of GCKey for internal/external for all new apps with the aim of reducing the cost of retrofitting later when a solution is in place.

Thoughts? @shawnthompson @andrewnordlund

Re1) I posted on the W3C WCAG GitHub an issue about it
Autocomplete for passwords is discouraged for security concerns (WCAG 2.1 Success Criterion 1.3.5) #2110

[shawnthompson]

As discussed in the Access Working Group meeting, we will write something up and work with ITSec to either link to it in their documents or add a little blurb about it.

Stay tuned

[mmiron-HC]

@shawnthompson / @RubyDo any movement on this?

[shawnthompson]

Wow nothing on my end. To be honest this feel off my radar. Thanks for checking in on this. We are working on the launch for the end of May and are not looking at the discussions or writing anything for the site until we get the current content updated and organized.

Are you getting push back from ITSec about using the autocomplete attribute?

Thanks again for light a little fire. This is something very important.

[mmiron-HC]

@shawnthompson I am anticipating pushback. This is why I was hoping to get guidance.