You know the feeling. You’ve just spent the last twenty minutes filling out a form on a website. Suddenly, it asks for a specific piece of information. You need to dig for this information. You spend the next 7 minutes digging in your desk, files, computer, until you find it. Flip back to your form, and you are logged out.
If you are lucky, the form will allow you to sign back in and continue from there. There’s a good chance you may need to start over. For you it is frustrating and takes time. But what if you can’t complete the form in the time given? Maybe it’s because you can’t answer the questions quickly enough.
The reality is that completing forms on a timed schedule is a very difficult thing to do. It is hard to estimate the number of questions. Or how long each will take. Will you need to research the answer? Will you need to retrieve something?

For a non-disabled person this can be frustrating. Think of how long it takes to collect your tax paperwork. Then filling it in. Most good tax programs will save as you go because they learned this lesson.
Every user will take a different amount of time. During that experience there will be periods of activity the app registers. There will be periods of inactivity too. This is the period that this guideline is about.
Most “timeouts” for sites are a timer counting down in the background after every interaction on the site. When it hits its limit, say five minutes, it logs you out.
This is insufficient due to the variable amount of time people take. If you are required by your company to log people out after inactivity, then you want to implement one or more of the following options:
Turn off
Sometimes using the text is enough:
The user is allowed to turn off the time limit before encountering it; or
Personally, I think this is the best option. You have knowledge of who they are. They have access to the closed system. Let them decide to turn it off. Now there is a caution here of course and that is if the user is not on their own machine. You can work around this through recording MAC addresses, cookies, and even identifying “safe” machines within the account.
Security will usually say no.
Adjust
The user is allowed to adjust the time limit before encountering it over a wide range that is at least ten times the length of the default setting; or
Using the same technique, you can allow the user to adjust the timeout to their personal preference.
Extend
The user is warned before time expires and given at least 20 seconds to extend the time limit with a simple action (for example, “press the space bar”), and the user is allowed to extend the time limit at least ten times; or
This is most likely the option security will allow. After the given timeout amount, the system offers up a dialog that counts down at least twenty seconds. This allows you to continue the session from where you were. If you do not take the defined action, the system will log you out.
I personally think 20 seconds is low and the window should be longer, which reminds me. WCAG is the ground floor of accessibility and we don’t know how many floors the tower has. All of these criteria are baselines. We don’t stop climbing until we hit the last floor, and there is no elevator or shortcut.
If you have permission to send push notifications or SMS to their phone number, use this opportunity. It would be a great way to let users know of a pending timeout. Remember, they’re distracted. Sending a reminder to a phone might be the best chance to save the session for them.
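Here is one way the Adjust and Extend options above could be modeled in the browser. This is an added example, not code from the original post. The names `SessionTimer`, `adjustedIdleMs` and their options are hypothetical, and timestamps are passed in so the constructed timeline runs without real timers.

```javascript
// Added example; class, function and option names are hypothetical.
// Timestamps (ms) are passed in, so the constructed timeline runs offline.
const MIN_WARNING_MS = 20 * 1000; // "at least 20 seconds" to respond
const MIN_EXTENSIONS = 10;        // "at least ten times"
const MIN_ADJUST_FACTOR = 10;     // "at least ten times ... the default setting"

// Adjust: accept a user-chosen idle limit up to maxFactor x the default.
function adjustedIdleMs(defaultMs, requestedMs, maxFactor = MIN_ADJUST_FACTOR) {
  if (maxFactor < MIN_ADJUST_FACTOR) throw new RangeError("range under 10x default");
  if (!(requestedMs > 0)) return defaultMs; // missing or invalid preference
  return Math.min(requestedMs, defaultMs * maxFactor);
}

class SessionTimer {
  constructor({ idleMs, warningMs = 60000, maxExtensions = MIN_EXTENSIONS }, now = 0) {
    if (warningMs < MIN_WARNING_MS) throw new RangeError("warning window under 20 seconds");
    if (maxExtensions < MIN_EXTENSIONS) throw new RangeError("fewer than ten extensions");
    Object.assign(this, { idleMs, warningMs, maxExtensions, extensionsUsed: 0, lastActivity: now });
  }
  // "active" -> "warning" (dialog counting down) -> "expired" (log the user out).
  state(now) {
    const idle = now - this.lastActivity;
    if (idle < this.idleMs) return "active";
    return idle < this.idleMs + this.warningMs ? "warning" : "expired";
  }
  // Ordinary interaction restarts the countdown, but cannot revive an expired session.
  activity(now) {
    if (this.state(now) === "active") this.lastActivity = now;
  }
  // Whole seconds to show in the warning dialog's countdown.
  secondsLeft(now) {
    const deadline = this.lastActivity + this.idleMs + this.warningMs;
    return Math.max(0, Math.ceil((deadline - now) / 1000));
  }
  // Extend: the "simple action" (for example, the space bar) taken in the dialog.
  extend(now) {
    if (this.state(now) !== "warning" || this.extensionsUsed >= this.maxExtensions) return false;
    this.extensionsUsed += 1;
    this.lastActivity = now;
    return true;
  }
}

// Constructed timeline: 5-minute default, user preference of 30 minutes.
function demo() {
  const t = new SessionTimer({ idleMs: adjustedIdleMs(300000, 1800000) });
  return [t.state(1740000), t.state(1815000), t.extend(1815000), t.state(1860000), t.state(3720000)];
}
console.log(demo());
```

The constructor rejects any configuration below the 20-second and ten-extension baselines, so a shorter warning window fails at startup rather than silently in production.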
Real-time Exception
Like most of the guidelines, there are some exceptions. Sometimes this is because there is no technical answer to make it more accessible. Other times, we just haven’t figured out how.
The time limit is a required part of a real-time event (for example, an auction), and no alternative to the time limit is possible; or
When there is a real-time competition for something, we make an exception. It isn’t logical to allow User X to bid on something. Just 20 seconds ago, User A was told they were the winner.
Consider a different strategy. You could organize a silent auction. In this format, bidders send in their bids without seeing the others. You can set a day and time entries will close and announce winners the next day. But from a marketing POV, it is much harder to drive business this way than with a real-time auction.
Essential Exception
The time limit is essential and extending it would invalidate the activity; or
I think the best example of an essential exception is multi-factor authentication. While there are a number of methods for this, one in particular is an essential exception. The practice of entering a code in a time limit. You open your authenticator and transcribe the code. Or it could come by SMS or email.
20 Hour Exception
The time limit is longer than 20 hours.
This is the best option. Don’t create an accessibility barrier where one doesn’t need to be.
