
2025 02 26 VPAT2.5Rev508 Identity Authentication

The Login.gov Accessibility Conformance Report evaluates the accessibility of the Identity Authentication product against Section 508 standards and WCAG 2.0 guidelines. It details the evaluation methods used, including usability testing with participants with cognitive and visual disabilities, and outlines the product's conformance levels for various accessibility criteria. The report indicates areas of support and partial support, as well as exceptions and limitations in the evaluation process.

Uploaded by

Shannon Kinney

Login.gov Accessibility Conformance Report (ACR)


Revised Section 508 Edition
(Based on VPAT® Version 2.5Rev)

Name of Product/Version
Identity Authentication

Report Date & Revision History


● May 15, 2024: Initial report
● February 26, 2025: Revisions in compliance with Executive Order 14168

Product Description
Login.gov is a secure sign-in service used by the public to sign in to participating government agencies.

● When creating an account, a user is required to create a password and select an authentication method.
● When signing in, a user is required to enter their password and authenticate with their selected method.

Contact Information
Email: [email protected]

Notes
This report covers only the following, as they pertain to Identity Authentication:

● Account creation, including failure pages and emails
● Account sign-in, including failure pages and emails
● Account deletion, including emails
● Account password reset, including emails

It does not include Identity Verification (IdV). The report for the IdV process is available at login.gov/accessibility.

Evaluation Methods Used


Login.gov used moderated and manual usability testing to determine accessibility compliance. The authentication process was evaluated
using these methods:

● Cognitive disability study: Moderated, remote usability testing with 7 participants with cognitive disabilities or difficulties
● Blind disability study: Moderated, remote usability testing with 2 participants who are blind and experienced with screen readers
● Automated, manual, and screen readers
○ Automated: Used WebAIM Web Accessibility Evaluation Tool (WAVE) extension (Chrome 3.2.4.4) as an automated testing tool
○ Manual, including automated: Used Microsoft Accessibility Insights for Web ([email protected]) as both an automated and manual
testing tool to check for ~55 of the most common issues and an in-depth assessment of 23 areas
○ Screen readers: Assessed with these screen readers
■ Apple VoiceOver on a MacBook Pro with macOS 13.6
■ NVDA 2023.2 on a Windows 11s laptop

Evaluation limitations of each method

● Cognitive disability study: In this participant pool, the demographics did not include the following perspectives:
○ Assistive technology: Beginner or intermediate users
○ Education: Have only a high school degree or equivalent
● Blind disability study: In this participant pool, the demographics did not include the following perspectives:
○ Users with beginner screen reader proficiency
○ Windows Narrator users
○ Android TalkBack users
○ Refreshable braille display users
● Automated, manual, and screen readers
○ The limitation of simulation: The evaluator responsible for conducting the VPAT assessment with VoiceOver and NVDA is a sighted person. To mitigate this limitation, the evaluator also conducted sessions with 2 blind participants.

Login.gov continues to broaden the sample size in both cognitive and blind disability studies.

Applicable Standards/Guidelines
This report covers the degree of conformance for the following accessibility standard/guidelines:

Standard/Guideline: Web Content Accessibility Guidelines 2.0
Included In Report: Level A (Yes), Level AA (Yes), Level AAA (No)

Standard/Guideline: Revised Section 508 standards published January 18, 2017 and corrected January 22, 2018
Included In Report: (Yes)

Terms
The terms used in the Conformance Level information are defined as follows:

● Supports: The functionality of the product has at least one method that meets the criterion without known defects or
meets with equivalent facilitation.
● Partially Supports: Some functionality of the product does not meet the criterion.
● Does Not Support: The majority of product functionality does not meet the criterion.
● Not Applicable: The criterion is not relevant to the product.

● Not Evaluated: The product has not been evaluated against the criterion. This can only be used in WCAG Level AAA
criteria.

WCAG 2.0 Report


Tables 1 and 2 also document conformance with Revised Section 508:

● Chapter 5 – 501.1 Scope, 504.2 Content Creation or Editing


● Chapter 6 – 602.3 Electronic Support Documentation

Note: When reporting on conformance with the WCAG 2.0 Success Criteria, they are scoped for full pages, complete processes,
and accessibility-supported ways of using technology as documented in the WCAG 2.0 Conformance Requirements.

Table 1: Success Criteria, Level A


Notes: None

Criteria: 1.1.1 Non-text Content (Level A)
Conformance Level: Supports
Remarks and Explanations: The website presents sufficient text alternatives or figure captions for most instances of non-text content.

Criteria: 1.2.1 Audio-only and Video-only (Prerecorded) (Level A)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain prerecorded audio-only or video-only materials.

Criteria: 1.2.2 Captions (Prerecorded) (Level A)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain prerecorded synchronized media.

Criteria: 1.2.3 Audio Description or Media Alternative (Prerecorded) (Level A)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain prerecorded video content that requires audio description or media alternative.

Criteria: 1.3.1 Info and Relationships (Level A)
Conformance Level: Supports
Remarks and Explanations: Information, structure, and relations conveyed on the website are programmatically determined or available in text.

Criteria: 1.3.2 Meaningful Sequence (Level A)
Conformance Level: Supports
Remarks and Explanations: The website content is presented in a meaningful and programmatically determined sequence.

Criteria: 1.3.3 Sensory Characteristics (Level A)
Conformance Level: Partially supports
Remarks and Explanations: Most instructions provided for understanding and operating content do not rely solely on sensory characteristics.
Exception
● An email may include an instruction to “click the link below,” for which users with visual disabilities may find it difficult to locate content.
A resolution for the exception is tracked and planned.

Criteria: 1.4.1 Use of Color (Level A)
Conformance Level: Partially supports
Remarks and Explanations: The website does not use color as the only visual means of conveying information. When color is used to convey information, it is accompanied by a text or icon cue.
Exception: An email message may contain a link. It uses a blue color; however, it is not underlined. This may prevent users with color deficiencies from perceiving it as a clickable link.
A resolution for the exception is tracked and planned.

Criteria: 1.4.2 Audio Control (Level A)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain audio that plays automatically.

Criteria: 2.1.1 Keyboard (Level A)
Conformance Level: Supports
Remarks and Explanations: The functionality of website content is operable through a keyboard interface.
Note: This criterion excludes any underlying function that requires input depending on the user’s movement, such as these:
● Scan and/or tap a QR code during an authentication method setup
● Interact with a user’s browser modal window when prompted by an authentication method setup or sign-in

Criteria: 2.1.2 No Keyboard Trap (Level A)
Conformance Level: Supports
Remarks and Explanations: The website does not include keyboard traps.

Criteria: 2.2.1 Timing Adjustable (Level A)
Conformance Level: Supports
Remarks and Explanations: The website includes a mechanism to extend the time when a time limit is applicable and does not compromise security.

Criteria: 2.2.2 Pause, Stop, Hide (Level A)
Conformance Level: Not applicable
Remarks and Explanations: The website does not include elements that move, blink, scroll, or auto-update.

Criteria: 2.3.1 Three Flashes or Below Threshold (Level A)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain flashing content.

Criteria: 2.4.1 Bypass Blocks (Level A)
Conformance Level: Supports
Remarks and Explanations: The website has a “Skip to main content” link, providing a mechanism to jump to the first element of the main content.

Criteria: 2.4.2 Page Titled (Level A)
Conformance Level: Supports
Remarks and Explanations: The webpages have titles that describe the topic or purpose.

Criteria: 2.4.3 Focus Order (Level A)
Conformance Level: Supports
Remarks and Explanations: The website components receive focus in a meaningful order.

Criteria: 2.4.4 Link Purpose (In Context) (Level A)
Conformance Level: Supports
Remarks and Explanations: The purpose of each link can be determined from the link text with its programmatically determined link context.

Criteria: 3.1.1 Language of Page (Level A)
Conformance Level: Supports
Remarks and Explanations: The language of each webpage can be programmatically determined by the HTML lang attribute.

Criteria: 3.2.1 On Focus (Level A)
Conformance Level: Supports
Remarks and Explanations: The website components do not initiate a change of context when receiving focus.

Criteria: 3.2.2 On Input (Level A)
Conformance Level: Supports
Remarks and Explanations: The website components do not automatically cause a change of context on user input.

Criteria: 3.3.1 Error Identification (Level A)
Conformance Level: Supports
Remarks and Explanations: When an input error is automatically detected, the error is identified and described in the text with multiple cues.

Criteria: 3.3.2 Labels or Instructions (Level A)
Conformance Level: Partially supports
Remarks and Explanations: The website input fields are provided with a label or an instruction.

Criteria: 4.1.1 Parsing (Level A)
Conformance Level: Supports
Remarks and Explanations: The website uses semantically correct markup for interface elements.
Note: Automated accessibility tests are implemented and enhanced to check for HTML markup validity, e.g., incomplete tag, invalid nesting, and duplicate attributes.

Criteria: 4.1.2 Name, Role, Value (Level A)
Conformance Level: Supports
Remarks and Explanations: The website components have name, role, and value that can be programmatically determined.

Table 2: Success Criteria, Level AA


Notes: None

Criteria: 1.2.4 Captions (Live) (Level AA)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain synchronized media.

Criteria: 1.2.5 Audio Description (Prerecorded) (Level AA)
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain a prerecorded video that would require an audio description.

Criteria: 1.4.3 Contrast (Minimum) (Level AA)
Conformance Level: Supports
Remarks and Explanations: The website visual presentation of text has a contrast ratio of at least 4:5:1.

Criteria: 1.4.4 Resize text (Level AA)
Conformance Level: Supports
Remarks and Explanations: The website text can be resized without assistive technology up to 200 percent without loss of content or functionality.

Criteria: 1.4.5 Images of Text (Level AA)
Conformance Level: Supports
Remarks and Explanations: The website uses text rather than images of text to convey information.

Criteria: 2.4.5 Multiple Ways (Level AA)
Conformance Level: Supports
Remarks and Explanations: The website is primarily experienced in a sequential manner where the webpage is the result of, or a step in, a process. When applicable, the website provides links between webpages for users who need to start over or to update.

Criteria: 2.4.6 Headings and Labels (Level AA)
Conformance Level: Partially supports
Remarks and Explanations: All website headings and labels except for one describe topic or purpose.
In one instance, the page lacks a H1 heading to describe a purpose. A resolution for the exception is tracked and planned.

Criteria: 2.4.7 Focus Visible (Level AA)
Conformance Level: Partially supports
Remarks and Explanations: Focusable elements on the website have a visible keyboard focus indicator.
Note: When some JAWS users are not using the Auto Forms Mode, the virtual cursor outline may not create a consistent navigation experience when interacting with radio button content.

Criteria: 3.1.2 Language of Parts (Level AA)
Conformance Level: Supports
Remarks and Explanations: The language of each content section is programmatically determined.

Criteria: 3.2.3 Consistent Navigation (Level AA)
Conformance Level: Supports
Remarks and Explanations: The website provides consistent and repeatable navigation orders.

Criteria: 3.2.4 Consistent Identification (Level AA)
Conformance Level: Supports
Remarks and Explanations: Components and elements that have the same functionality within the website are identified consistently.

Criteria: 3.3.3 Error Suggestion (Level AA)
Conformance Level: Supports
Remarks and Explanations: When an input error is automatically detected, and a suggestion is known, an error message is provided with a suggestion. Also, the message may provide a description of an error unless it compromises the security of the user.

Criteria: 3.3.4 Error Prevention (Legal, Financial, Data) (Level AA)
Conformance Level: Supports
Remarks and Explanations: The website does not contain financial transactions but does include a legal commitment (or an agreement) and sensitive data sharing. A required check or confirmation is available as a mechanism in a few instances when applicable.

Table 3: Success Criteria, Level AAA


Notes: While the VPAT 2.5 Rev 508 does not require Login.gov to meet Success Criteria (AAA), Login.gov strives to meet or go beyond them when applicable.

Criteria: 1.2.6 Sign Language (Prerecorded) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain prerecorded synchronized media that require sign language interpretation.

Criteria: 1.2.7 Extended Audio Description (Prerecorded) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain prerecorded synchronized media that require extended audio description.

Criteria: 1.2.8 Media Alternative (Prerecorded) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain prerecorded synchronized media that require media alternatives.

Criteria: 1.2.9 Audio-only (Live) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain live audio-only content that requires alternatives for time-based media.

Criteria: 1.4.6 Contrast (Enhanced) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: Most visual presentations of text have a contrast ratio of at least 7:1 and 4:5:1 for large text.
Exceptions (Does not meet Level AAA)
● An element that uses Login.gov’s primary color (Blue) for non-bolded text has a contrast ratio of 5.14:1 on a white background
● A hint text has a contrast ratio of 4.54:1 on a white background

Criteria: 1.4.7 Low or No Background Audio (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Supports
Remarks and Explanations: The website does not contain prerecorded audio-content that requires low or no background audio.

Criteria: 1.4.8 Visual Presentation (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Supports
Remarks and Explanations: The website has a mechanism available to support text configuration.

Criteria: 1.4.9 Images of Text (No Exception) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website contains these:
● Agency logos that include text as part, or all, of the logo
● Icon illustrations that include symbolic text characters to communicate a status
Agency logos and icons are provided with a text alternative when appropriate.

Criteria: 2.1.3 Keyboard (No Exception) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: Most content is operable from the keyboard, with several exceptions when a user opts into a path requesting a user’s movement away from their keyboard:
● Scan and/or tap a QR code
● Plug and/or activate a security key in a device port
● Insert and/or activate a physical PIV (personal identity verification card) or CAC (command access card)

Criteria: 2.2.3 No Timing (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: For security reasons, timed interaction is necessary. Login.gov ends a session when the user hasn’t moved to a new page for a specific amount of time. In these instances, the website allows users to extend the time when appropriate (2.2.1).

Criteria: 2.2.4 Interruptions (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website contains an interruption that requires immediate action to preserve the security of the user, which is qualified as an “emergency” under the WCAG 2.0 criterion to preserve user safety.

Criteria: 2.2.5 Re-authenticating (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: For security reasons, the user’s session activity data is not saved after being logged out due to a period of inactivity.

Criteria: 2.3.2 Three Flashes (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Supports
Remarks and Explanations: The website does not contain anything that flashes more than three times in any one-second period.

Criteria: 2.4.8 Location (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: The website does not contain information about the user’s location within the identity authentication.
Note: During the identity verification, a step indicator component is included to help users know where they are in the process.

Criteria: 2.4.9 Link Purpose (Link Only) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not applicable
Remarks and Explanations: Most links can be identified from link text alone. When it is not, the purpose of a link can be determined by the link context (2.4.4).

Criteria: 2.4.10 Section Headings (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Partially supports
Remarks and Explanations: All section headings except for one are used to organize the content throughout the website.
In one instance, the page lacks a H1 heading to describe a purpose. A resolution for the exception is tracked and planned.

Criteria: 3.1.3 Unusual Words (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not evaluated
Remarks and Explanations: While the website uses plain language, Login.gov has yet to develop an evaluation method for identifying unusual words.

Criteria: 3.1.4 Abbreviations (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not evaluated
Remarks and Explanations: While the website uses plain language, Login.gov has yet to develop an evaluation method for identifying abbreviations.

Criteria: 3.1.5 Reading Level (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not evaluated
Remarks and Explanations: While the website uses plain language, Login.gov has yet to develop an evaluation method for identifying reading level.

Criteria: 3.1.6 Pronunciation (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Not evaluated
Remarks and Explanations: While the website uses plain language, Login.gov has yet to develop an evaluation method for identifying pronunciation.

Criteria: 3.2.5 Change on Request (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Supports
Remarks and Explanations: The website content gives full control of changes of context.

Criteria: 3.3.5 Help (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Supports
Remarks and Explanations: The website provides context-sensitive help related to the function currently being performed.

Criteria: 3.3.6 Error Prevention (All) (Level AAA)
Revised Section 508 – Does not apply
Conformance Level: Supports
Remarks and Explanations: The website provides all three error prevention methods as safeguards, depending on the context: Reversible, Checked, and Confirmed.

Revised Section 508 Report
Notes: None

Chapter 3: Functional Performance Criteria (FPC)


Notes: For more detailed information regarding the remarks and explanations, contact Login.gov at [email protected].

Criteria: 302.1 Without Vision
Conformance Level: Partially supports
Remarks and Explanations:
QR code: A user without vision may experience difficulty locating the QR code on the screen.
● Authentication app page includes a QR code to scan. In this instance the page also provides another mode of operation to copy and enter without having to locate the QR code.
● Security key page includes a browser modal window with a QR code. Hints are provided to a browser to optimize the browser dialog experience.
Text characters: The website contains numeric or alphanumeric characters in a few instances such as a one-time code, which could be challenging to memorize or parse with assistive technology.

Criteria: 302.2 With Limited Vision
Conformance Level: Partially supports
Remarks and Explanations:
QR code: A user with limited vision may experience difficulty locating the QR code on the screen.
● Authentication app page includes a QR code to scan. In this instance the page also provides another mode of operation to copy and enter without having to locate the QR code.
● Security key page includes a browser modal window with a QR code. Hints are provided to a browser to optimize the browser dialog.
Text characters: The website contains numeric or alphanumeric characters in a few instances such as a one-time code, which could be challenging to memorize or parse with assistive technology.

Criteria: 302.3 Without Perception of Color
Conformance Level: Partially supports
Remarks and Explanations: When color is used to convey information, it is accompanied by a text or icon cue.
Exception: An email message may contain a link. It uses a blue color; however, it is not underlined. This may prevent users with color deficiencies from perceiving it as a clickable link.
A resolution for the exception is tracked and planned.

Criteria: 302.4 Without Hearing
Conformance Level: Supports
Remarks and Explanations: During an authentication method setup, the website provides two options for receiving a one-time code: Text message (SMS) or voice message (Phone call).
Note: The code is repeated several times to ensure understandability if the user chooses the voice message option.
Alternatively, the website provides other method options for users to select instead of text or voice message.

Criteria: 302.5 With Limited Hearing
Conformance Level: Supports
Remarks and Explanations: During an authentication method setup, the website provides two options for receiving a one-time code: Text message (SMS) or voice message (Phone call).
Note: The code is repeated several times to ensure understandability if the user chooses the voice message option.
Alternatively, the website provides other method options for users to select instead of text or voice message.

Criteria: 302.6 Without Speech
Conformance Level: Not applicable
Remarks and Explanations: The website does not require any speech to be used for input, control, or operation.

Criteria: 302.7 With Limited Manipulation
Conformance Level: Not evaluated
Remarks and Explanations: Login.gov has yet to test with users with limited manipulation for this product.

Criteria: 302.8 With Limited Reach and Strength
Conformance Level: Not evaluated
Remarks and Explanations: Login.gov has yet to test with users with limited reach and strength for this product.

Criteria: 302.9 With Limited Language, Cognitive, and Learning Abilities
Conformance Level: Partially supports
Remarks and Explanations: Login.gov uses plain language throughout the webpages that helps make the website readable for all users.
Exception: Users with cognitive disabilities or difficulties may encounter a barrier at these steps, which could prevent or impair them from continuing with identity authentication:
● Create a password while meeting its length and strength requirements
● Select a multi-factor authentication (MFA) while making an informed decision on the level of security and usability

Chapter 4: Hardware
Notes: Login.gov does not create hardware that transmits information or has a user interface. For this reason, the chapter has been omitted.

Chapter 5: Software
Notes: Login.gov does not contain platform software that has access to platform accessibility services. For this reason, the chapter has been
omitted.

Chapter 6: Support Documentation and Services


Notes: While Login.gov provides support documents and services, it is considered a separate product entity since it overlaps with other
products. For this reason, the chapter has been omitted.
