WCAG (Level AAA) SC 2.2.5 Re-authenticating (w3.org)
Issue description
WCAG 2.2.5, “Re-authenticating” addresses the frustration and barriers that re-authentication requirements can create for users, especially those with cognitive disabilities or who rely on assistive technologies.
Many websites require users to re-authenticate their identity after a period of inactivity. This often involves:
- Logging back in: Entering their username and password again.
- Completing a CAPTCHA: Solving a CAPTCHA challenge to prove they are human.
- Two-factor authentication: Entering a code from their phone or another device.
While re-authentication can be important for security, it can present challenges for some users:
- Cognitive disabilities: Users with cognitive disabilities, such as memory impairments, might have difficulty remembering their login credentials or completing complex authentication steps.
- Users of assistive technologies: Re-authentication can be time-consuming and disruptive for users of assistive technologies, especially if the authentication process is not fully accessible.
- Loss of data: If users are not warned about impending re-authentication, they might lose unsaved data when they are automatically logged out.
WCAG requirements
This guideline requires that, when re-authentication is required, the user is:
- Warned: Given ample warning before being logged out.
- Given options: Provided with options to extend their session or save their data.
- Supported: Supported in re-authenticating, such as by providing clear instructions or offering alternative authentication methods.
Exceptions
- Security requirements: Re-authentication is allowed when it is essential for security reasons, such as accessing sensitive information.
Essentially, this guideline aims to minimize the disruption and barriers associated with re-authentication. It ensures that users are warned about impending logouts, have options to extend their session or save their data, and receive support in completing the re-authentication process. This promotes a more user-friendly and inclusive experience for everyone.
Related requirements
The following WCAG success criteria are often related to this one as well. They can provide additional insight into specific challenges you may be encountering.
- WCAG (Level A) SC 2.2.1 Timing Adjustable
- WCAG (Level AAA) SC 2.2.3 No Timing
- WCAG (Level AAA) SC 2.2.4 Interruptions
- WCAG (Level AAA) SC 2.2.6 Timeouts
Suggestions for remediation
Remediating WCAG 2.2.5, “Re-authenticating” involves minimizing the burden and potential barriers associated with re-authentication processes. Here’s how:
Provide ample warning
- Clear notifications: Give users clear and advance warning before their session expires and they are required to re-authenticate.
- Sufficient time: Provide enough time for users to react to the warning and take action, such as saving their work or extending their session.
- Visual and auditory cues: Use both visual and auditory cues to alert users about the impending re-authentication.
Offer options to extend or save
- Extend session: Provide a simple way for users to extend their session, such as clicking a button or pressing a key.
- Save progress: Offer a way for users to save their progress or data before being logged out. This could be an automatic save feature or a clear “Save” button.
Support re-authentication
- Clear instructions: Provide clear and concise instructions on how to re-authenticate.
- Accessible authentication: Ensure the re-authentication process is accessible to users with disabilities, including those who use assistive technologies.
- Alternative authentication methods: Offer alternative authentication methods, such as biometric login or magic links, which can be easier for some users.
Minimize re-authentication frequency
- Longer session timeouts: Increase the duration of session timeouts to reduce the frequency of re-authentication.
- Remember me option: Offer a “Remember me” option that allows users to stay logged in for longer periods.
Testing
- Test with different scenarios: Test the re-authentication process in different scenarios, such as with and without assistive technologies.
- User testing: Conduct user testing with people with cognitive disabilities to get feedback on the usability of the re-authentication process.
Examples
- Session timeout: Display a modal dialog 10 minutes before the session expires, with options to “Extend Session” or “Save and Logout.”
- Re-authentication form: Provide clear labels and instructions for each field in the re-authentication form. Ensure the form is compatible with screen readers and other assistive technologies.
- Two-factor authentication: Offer alternative methods for receiving the authentication code, such as email or a time-based one-time password (TOTP) app.
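The session-timeout example above, as an added illustration that is not part of the WCAG page: a small framework-free controller that moves through active, warning and expired states, shows the 10-minute warning, lets the user extend the session from a server-supplied expiry, and snapshots unsaved form data so it can be restored after re-authenticating. The class name, the `maxExtensions` cap and the `draft:` storage key are assumptions for this example; the clock and the storage object are injected so the code runs headless (pass `Date.now()` and a wrapper over `window.sessionStorage` in a browser).

```javascript
// Added example (not from the WCAG page): warn, offer "Extend Session" or "Save",
// then restore the draft after re-authentication so no data is lost.
const TEN_MINUTES_MS = 10 * 60 * 1000; // warning lead time from the page's example

class SessionTimeoutGuard {
  // expiresAt: absolute expiry in ms as reported by the server, never guessed client-side.
  // maxExtensions (hypothetical cap): "Extend Session" cannot keep a session alive forever;
  // once the cap is reached the user must re-authenticate.
  // storage: anything with get/set/delete (a Map here). In a browser wrap sessionStorage,
  // not localStorage, so drafts of sensitive form content do not outlive the tab.
  constructor({ expiresAt, warnBeforeMs = TEN_MINUTES_MS, maxExtensions = 3, storage = new Map() }) {
    this.expiresAt = expiresAt;
    this.warnBeforeMs = warnBeforeMs;
    this.maxExtensions = maxExtensions;
    this.extensions = 0;
    this.storage = storage;
  }

  // 'active' | 'warning' | 'expired' for the given clock reading (ms).
  state(now) {
    if (now >= this.expiresAt) return 'expired';
    if (now >= this.expiresAt - this.warnBeforeMs) return 'warning';
    return 'active';
  }

  // Whole seconds left, for the countdown shown in the warning dialog.
  secondsRemaining(now) {
    return Math.max(0, Math.ceil((this.expiresAt - now) / 1000));
  }

  // "Extend Session": newExpiresAt comes from the server's refresh response.
  // Returns false once expired or when the extension cap is hit.
  extend(now, newExpiresAt) {
    if (this.state(now) === 'expired' || this.extensions >= this.maxExtensions) return false;
    this.extensions += 1;
    this.expiresAt = newExpiresAt;
    return true;
  }

  // "Save": snapshot unsaved fields so they survive the logout.
  saveDraft(formId, fields) {
    this.storage.set(`draft:${formId}`, JSON.stringify(fields));
  }

  // After successful re-authentication: return the draft once and clear it.
  restoreDraft(formId) {
    const key = `draft:${formId}`;
    const raw = this.storage.get(key);
    if (raw === undefined || raw === null) return null;
    this.storage.delete(key);
    return JSON.parse(raw);
  }
}
```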
By implementing these techniques, you can make re-authentication less disruptive and more accessible for all users, especially those who may struggle with cognitive challenges or assistive technology use.