3.3.8 Accessible Authentication (Minimum)
What it requires
For each step in an authentication process, a cognitive function test — such as remembering a password or solving a puzzle — must not be required, unless that step provides at least one of these:
- Alternative — another authentication method that does not rely on a cognitive function test.
- Mechanism — a means to assist the user in completing the test (for example, allowing a password manager to fill the field).
Two exceptions are explicitly allowed without an alternative: tests that ask the user to recognise objects, and tests that use non-text content the user previously provided to the website (such as a personal image). Entering a one-time passcode received by email, SMS, or an authenticator app is permitted only when the field allows paste and password-manager autofill, so the user never has to memorise or transcribe it.
The barrier falls hardest on people with cognitive, learning, and memory-related disabilities, but it is broad:
- People who cannot reliably memorise or recall passwords, PINs, or security answers.
- People with dyslexia or dyscalculia who struggle to transcribe codes character by character.
- People who rely on a password manager and are blocked when paste or autofill is disabled.
- Many older users and anyone under stress, who are slowed by puzzle-style challenges.
How to detect it
| Check | How to test | Tooling |
|---|---|---|
| Password manager paste/autofill | Try pasting and using a manager to fill the password and OTP fields; confirm nothing blocks it (no autocomplete="off" abuse, no paste prevention). | Manual + keyboard |
| No transcription-only OTP | Check that codes can be pasted rather than retyped from memory. | Manual |
| No puzzle / memory CAPTCHA | Look for puzzles, image-text recall, or math challenges with no accessible alternative. | Manual |
| Alternative method present | Verify a non-cognitive option (e.g. WebAuthn/passkey, email link) exists where a test is required. | Manual |
Automated tools such as axe can flag a password field that blocks autofill or paste, but they cannot judge whether a CAPTCHA or knowledge question is a cognitive function test — this criterion is primarily a manual review.
How to fix it
- Let password managers work: keep `type="password"`, set a correct `autocomplete` token, and never disable paste.
- For one-time codes, mark fields with `autocomplete="one-time-code"` and allow paste so users can transfer the code without retyping.
- Offer an alternative that needs no cognitive test, such as a passkey (WebAuthn) or an email magic link.
- Replace puzzle, math, or text-recall CAPTCHAs with token-based or honeypot approaches; if one remains, provide an accessible non-cognitive alternative.
- Re-test the whole flow with a password manager and by pasting codes.
```html
<label for="pw">Password</label>
<input id="pw" type="password" autocomplete="current-password">
<label for="otp">One-time code</label>
<input id="otp" type="text" inputmode="numeric"
       autocomplete="one-time-code">
```
Copy-paste tests
Automated coverage
There is no fully automated axe-core rule that confirms this criterion: detecting whether authentication relies on a cognitive function test (memorizing passwords, transcribing codes, solving puzzles) requires human judgement. Treat it as a manual review, aided by the console check and steps below.
Run this in the browser console
```javascript
// Read-only: surface password/OTP fields that may break a cognitive-function test.
const fields = [...document.querySelectorAll('input')].filter(el =>
  el.type === 'password' ||
  /otp|one[-_]?time|code|captcha/i.test(el.name + ' ' + el.id + ' ' + (el.autocomplete || ''))
);
const rows = fields.map(el => ({
  id: el.id, name: el.name, type: el.type,
  autocomplete: el.getAttribute('autocomplete') || '(none)',
  blocksPaste: el.onpaste != null || el.getAttribute('onpaste') != null
}));
console.table(rows);
fields.forEach(el => { el.style.outline = '3px solid magenta'; });
console.log(fields.length + ' auth field(s) flagged for manual review.');
```
What to check manually: confirm each flagged field lets you paste the value and offers password-manager autofill (the correct autocomplete token), and that no step forces the user to memorize, transcribe, or solve a puzzle with no accessible alternative — things no script can verify.
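The console snippet above only lists fields; the audit below, an added example that is not part of this page, turns the fix-list rules (correct autocomplete token on password and one-time-code fields, no paste handler) into findings and runs them over a constructed weak form and the corrected form from the fix section. Fields are plain attribute objects so it runs in Node without a DOM; in a browser you would build them from document.querySelectorAll.

```javascript
// OTP-style field names, mirroring the console check's pattern.
const OTP_PATTERN = /otp|one[-_]?time|code/i;

// Returns a list of findings for one field; an empty list means it passes.
function auditAuthField(f) {
  const findings = [];
  const ac = (f.autocomplete || '').trim().toLowerCase();
  const label = f.id || f.name || '(unnamed)';
  if (f.type === 'password') {
    // A password manager needs a real token, not "off" or nothing at all.
    if (!['current-password', 'new-password'].includes(ac)) {
      findings.push(`${label}: password field needs autocomplete="current-password" or "new-password" (has "${ac || 'none'}")`);
    }
  } else if (OTP_PATTERN.test(`${f.name || ''} ${f.id || ''} ${ac}`)) {
    if (ac !== 'one-time-code') {
      findings.push(`${label}: one-time code field needs autocomplete="one-time-code" (has "${ac || 'none'}")`);
    }
  } else {
    return findings; // not an authentication field, nothing to check
  }
  // Any inline paste handler is reported; a human confirms whether it blocks paste.
  if (f.onpaste) findings.push(`${label}: has an onpaste handler; verify paste is not blocked`);
  return findings;
}

// Audit a whole form (array of field attribute objects).
function auditForm(fields) {
  return fields.flatMap(auditAuthField);
}

// Constructed sample data: a failing login form and the corrected one.
const weakForm = [
  { id: 'user', type: 'text', autocomplete: 'username' },
  { id: 'pw', type: 'password', autocomplete: 'off', onpaste: 'return false' },
  { id: 'otp', type: 'text' },
];
const fixedForm = [
  { id: 'user', type: 'text', autocomplete: 'username' },
  { id: 'pw', type: 'password', autocomplete: 'current-password' },
  { id: 'otp', type: 'text', inputmode: 'numeric', autocomplete: 'one-time-code' },
];

console.log(auditForm(weakForm));  // three findings: token, paste handler, OTP token
console.log(auditForm(fixedForm)); // []
```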
Related
- WCAG 2.2 criteria index — all 87 success criteria.
- Learn catalog — lessons mapped to criteria.
- Accessible forms — labels, input purpose, and authentication fields.