Create Password input component to help teams meet WCAG 2.2

[dav-idc]

What

Bring in a new variant for passwords that includes a 'show / hide' control.

Why

WCAG 2.2 success criterion 'Accessible Authentication (minimum)' states that:

"A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process..."

The understanding document also gives specific advice in the understanding document around showing passwords in password fields:

Hiding characters
Another factor that can contribute to cognitive load is hiding characters when typing. Although this criterion requires that users do not have to type in (transcribe) a password, there are scenarios where that is necessary such as creating a password to be saved by a password manager. Providing a feature to optionally show a password can improve the chance of success for some people with cognitive disabilities or those who have difficulties with accurately typing.

Epic lead

Beeps

Who needs to work on this

Developer(s), designer(s), accessibility specialist, our community

Who needs to review this

accessibility specialist

Kick-off

Preview Give feedback

1. Assign an epic lead
2. Arrange a scoping session to kick off 'show / hide' password variant #4090
   WCAG 2.2 passwords +2
   

   
3. Follow up session to complete scoping of 'show/hide' password work #4153
   WCAG 2.2 passwords +2
   

   
4. Gather examples and contributions for passwords govuk-design-system#3092
   WCAG 2.2 passwords +2
   

Discovery and alpha

Preview Give feedback

1. Talk to the DI team about show/hide password component #4222
   WCAG 2.2 passwords security +3
   

   
2. Create prototype show/hide password component #4225
   WCAG 2.2 passwords +2
   
3. Decide how we want the show/hide password component to be implemented #4512
   🔍 investigation +1
   
4. Gather requirements for changes to Design System password guidance govuk-design-system#3353
   WCAG 2.2 guidance passwords +3
5. Draft guidance for password input component govuk-design-system#3352
   WCAG 2.2 guidance passwords +3
6. Consider how to resolve the accessibility issue flagged here: Pages with 2+ password fields must use different programmatic labels for 'show' and 'hide' buttons on those password fields govuk-design-system#2795
7. Run a crit on the Password input prototype with the working group #4290
   assurance community +2
   

   
8. Run a crit with DI team and original contributor

Delivery

Preview Give feedback

1. Run a manual accessibility test (with the spreadsheet) and ensure that it meets the Success Criteria for WCAG 2.2 Accessible Authentication
2. Finalise implementation of the component and write unit tests
3. Create guidance
4. Publish!
5. Prepare comms and content to support component release govuk-design-system#3653
   0 of 9
   +0

[owenatgov]

Some initial inter-team discourse on this so far:

• Whilst we should still investigate existing show/hide implementations, working off of the show password contribution is a good bet. This has been extensively researched for the GOV.UK Account initial launch and is being used across Digital Identity/OneLogin services, which have themselves gone through user research with this component in.
• We should think about how we should present this component in guidance. Currently, the leaning is to have a password component which includes a show password button and retain the password pattern for guidance on best practice for storing and handling passwords. Regardless of what we choose, we should review the password pattern content in response to this component.
• We should put together a contribution group of interested parties. As this is being used significantly within GDS, there's an opportunity to work more directly with GDS colleagues to build this. Some options for a contribution group:
  • The original contributor
  • Frontend devs within Digital Identity
  • Designers within Digital Identity
• As part of this, we should cross reference our implementation and guidance with NSCS's guidance on passwords to make sure we're compliant

[CharlotteDowns]

There has been a conversation about the necessity of confirm password input fields in the Add guidance on show/hide password buttons alphagov/govuk-frontend#2861 pull request that may be worth considering as part of this work.

[dav-idc]

[David's departing thoughts]:

Given the capacity on the team and an addition of new dev and design tickets for the main WCAG 2.2 work, I'd recommend pausing this now until after the WCAG 2.2 release is all planned out. Shouldn't be too long of a delay.

Here's the GitHub issue which I believe to be higher priority. In the 'WCAG 2.2 issues to resolve', there's a list of content, design and dev issues that need to be resolved before the WCAG 2.2 release can happen.

• Test components and patterns for complex WCAG 2.2 criteria (target, focus appearance, focus not obscured) #4347

[36degrees]

Superseded by alphagov/govuk-design-system#3454