Level AAWCAG 2.2New in WCAG 2.2

3.3.8 Accessible Authentication (Minimum)

Authentication processes do not rely on a cognitive function test.

Why it matters

Cognitive impairment

Distorted-text CAPTCHAs are cognitive function tests. Users with learning or cognitive disabilities may find them unsolvable.

Visual impairment

Visual CAPTCHAs are a major barrier for low-vision users, and audio alternatives are often inadequate.

Memory impairment

Complex password requirements plus paste prohibition exclude users who rely on password managers.

All users

Supporting passkeys and password managers improves both security and convenience at once.

Live demo

Accessible authentication

Depends on a cognitive test and blocks paste

Distorted-text CAPTCHAs are cognitive tests and can be a major barrier for users with learning disabilities or visual impairments. Password managers also fail because autocomplete is off and paste is blocked.

Persona perspective

Kobayashi (65) — Mild cognitive impairment, presbyopia

I couldn't read the distorted characters and failed so many times my account got locked. I use a password manager, but sites that disable paste make it impossible to log in. With passkeys, I can just sign in with my fingerprint.

Checkpoints

Authentication does not require a cognitive function test (CAPTCHA, etc.)The autocomplete attribute is set appropriately (not disabled)Pasting is allowed into password fieldsAlternatives without cognitive tests, such as passkeys or SSO, are providedTwo-factor authentication supports copy and paste

References

→ Understanding SC 3.3.8 (W3C)