Could certain authentication flows be essential exceptions from 2.2.1 Timing Adjustable?

[jayde]

For my app there are multiple flows that are locked down tight with specific timeouts to keep a user's account or identity secure.

Example flows

• Password resets
  For example, you click the link from the email and then have 20 minutes to input a new password in the web app, otherwise the session expires and you have to click the email link again to start over.
• Login
  For example, you submit your email and then are asked to input your password. You have 5 minutes to put in your password otherwise the session expires and you have to start again.
• Authentication app dependancies
  For example, when trying to login you need to input an authenticator code within 30 seconds otherwise the code expires. In this case the life of an authentication code is determined by a 3rd party app, but our flow could could also have a timeout that a correct code needs to be entered within 5 minutes.

Rationale

The amount of time you have to complete a step in a flow, or the whole flow itself, is essential to keeping your identify/account secure. Allowing users to turn off, adjust, or extend the time would invalidate the activity of securely changing your password, or securely logging into an app, etc.

Am I correct in thinking that the scenarios presented are essential exceptions? Thanks!

[nattarnoff]

@jayde IF these are exceptions, you still have a problem with your flows from a WCAG 2.2 perspective due to 3.3.8 Accessible Authentication.
Authentication apps mostly require the user to transcribe from the app or sms into the site. That's not permissible under 3.3.8. Cognition tests "such as remembering a password or solving a puzzle" are not allowed anymore unless one of the following are provided:

• Alternative: Another authentication method that does not rely on a cognitive function test.
  

• Mechanism: A mechanism is available to assist the user in completing the cognitive function test.
  

• Object Recognition: The cognitive function test is to recognize objects.
  

• Personal Content: The cognitive function test is to identify non-text content the user provided to the Web site.
  

[jayde]

@nattarnoff Thank you so much for the response so far and for pointing out the potential gaps due to 3.3.8 Accessible Authentication. I will review my proposed flows to make sure that we are compliant with 3.3.8, but would like to focus my question on 2.2.1 Timing Adjustable.

Is there a way to get a definitive answer as to whether or not my flows are exceptions to 2.2.1 Timing Adjustable?

[nattarnoff]

@jayde In my opinion, I think scenario 1 is ok for timing adjustable, because they can request the code again. For the authenticator, as long as they can enter the code currently present on their authenticator when they fill it in, you should be ok. This does mean that they have more than 30 seconds.
Your login scenario is a straight fail.

[jayde]

@nattarnoff Thanks for your responses, very helpful.

[patrickhlauke]

A late rejoinder, but a recent addition to the understanding document may clarify this situation:

Certain time limits implemented for security reasons, such as time-based / time-limited two-factor authentication tokens, can be considered essential, and may be exempt from this criterion. However, other criteria may apply, such as 3.3.7 Redundant Entry, 3.3.8 Accessible Authentication (Minimum), and 3.3.9 Accessible Authentication (Enhanced) may also apply.

#4382