Update accessible-authentication-minimum.html (#3309)
Starts on #3264, but doesn't complete it.

---------

Co-authored-by: Mike Gower <mikegower@gmail.com>
Co-authored-by: Patrick H. Lauke <redux@splintered.co.uk>
Co-authored-by: Alastair Campbell <ac@alastc.com>
Co-authored-by: Scott O'Hara <scottaohara@users.noreply.github.com>
5 people authored Feb 13, 2024
1 parent 0f60484 commit f314201
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion understanding/22/accessible-authentication-minimum.html
Expand Up @@ -20,15 +20,18 @@ <h2>In brief</h2>
<section id="intent">
<h2>Intent of Accessible Authentication (Minimum)</h2>

<p>The purpose of this Success Criterion is to ensure there is an accessible, easy-to-use, and secure method to log in. Most Web sites rely on usernames and passwords for logging in. Memorizing or transcribing a username, password, or one-time verification code places a very high or impossible burden upon people with certain cognitive disabilities.</p>
<p>The purpose of this Success Criterion is to ensure there is an accessible, easy-to-use, and secure method for users to authenticate when logging into an existing account. As the most prevalent form of authentication, Web sites commonly rely on usernames and passwords to log in. However, memorizing a username and password places a very high or impossible burden upon people with certain cognitive disabilities, as do additional steps often added to authentication processes. For instance, the need to transcribe a one-time verification code or requiring a puzzle to be solved.</p>

<p>While Web sites can use the recognition of objects or of non-text content provided by the user to meet this Success Criterion, such techniques do not fully support the cognitive accessibility community and should be avoided if possible. Refer to <a href="accessible-authentication-enhanced">Accessible Authentication (Enhanced)</a> for guidance to be more inclusive and accessible.</p>

<p>This Success Criterion is focused on authentication of existing users. It does <em>not</em> cover creation of a username or initiation of an account. For many Web sites, establishing an initial username and credentials may not differ greatly from logging in with that username. The techniques used to satisfy this criterion (particularly allowing pasting into inputs and not relying on transcription) can also reduce the cognitive burden in account creation. However, the focus of the Success Criterion is on reducing the ongoing need for users to recall previously supplied information each time they log in or otherwise authenticate to an account.</p>

<section id="cog-fun-tests">
<h3>Cognitive Function Tests</h3>

<p>Remembering a site-specific password is a <a>cognitive function test</a>. Such tests are known to be problematic for many people with cognitive disabilities. Whether it is remembering random strings of characters, or a pattern gesture to perform on a touch screen, cognitive function tests will exclude some people. When a cognitive function test is used, at least one other authentication method must be available which is not a cognitive function test.</p>


<p>Some <abbr title="Completely Automated Public Turing test to tell Computers and Humans Apart">CAPTCHA</abbr> systems have an audio alternative of the visible text. If the user needs to transcribe this audio, it cannot be used to meet the Alternative exception.</p>

<p>If there is more than one step in the authentication process, such as with multi-factor authentication, all steps need to comply with this Success Criterion to pass. There needs to be a path through authentication that does not rely on cognitive function tests.</p>
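
Review bot: The last sentence of the rewritten opening paragraph of the Intent section ("For instance, the need to transcribe a one-time verification code or requiring a puzzle to be solved.") is a fragment with mismatched forms ("the need to transcribe" against "requiring"); fold it into the preceding sentence, for example "...as do additional steps often added to authentication processes, such as transcribing a one-time verification code or solving a puzzle." In the same paragraph, "As the most prevalent form of authentication, Web sites commonly rely on..." attaches the modifier to "Web sites" rather than to usernames and passwords, and "logging into an existing account" should be "logging in to", matching "log in" and "logging in" elsewhere in the section. The commit message says this only starts on #3264, so the description should say which parts of that issue remain open.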