3.3.8 Accessible Authentication (Minimum)

WCAG 2.2 · 3.3.8 · Level AA · Principle: Understandable

What it requires

For each step in an authentication process, a cognitive function test — such as remembering a password or solving a puzzle — must not be required, unless that step provides at least one of these:

  • Alternative — another authentication method that does not rely on a cognitive function test.
  • Mechanism — a means to assist the user in completing the test (for example, allowing a password manager to fill the field).

Two further exceptions are explicitly allowed without an alternative: tests that ask the user to recognise objects, and tests that use non-text content the user has previously provided to the website (such as a personal image). Entering a one-time passcode received by email, SMS, or an authenticator app is permitted only when the field allows paste and password-manager autofill, so the user never has to memorise or transcribe it.

The barrier falls hardest on people with cognitive, learning, and memory-related disabilities, but the affected group is broad:

  • People who cannot reliably memorise or recall passwords, PINs, or security answers.
  • People with dyslexia or dyscalculia who struggle to transcribe codes character by character.
  • People who rely on a password manager and are blocked when paste or autofill is disabled.
  • Many older users and anyone under stress, who are slowed by puzzle-style challenges.

How to detect it

Checks for Accessible Authentication (Minimum)

  • Check: Password manager paste/autofill
    How to test: Try pasting and using a manager to fill the password and OTP fields; confirm nothing blocks it (no autocomplete="off" abuse, no paste prevention).
    Tooling: Manual + keyboard
  • Check: No transcription-only OTP
    How to test: Check that codes can be pasted rather than retyped from memory.
    Tooling: Manual
  • Check: No puzzle / memory CAPTCHA
    How to test: Look for puzzles, image-text recall, or math challenges with no accessible alternative.
    Tooling: Manual
  • Check: Alternative method present
    How to test: Verify a non-cognitive option (e.g. WebAuthn/passkey, email link) exists where a test is required.
    Tooling: Manual

Automated tools such as axe can flag a password field that blocks autofill or paste, but they cannot judge whether a CAPTCHA or knowledge question is a cognitive function test — this criterion is primarily a manual review.

How to fix it

  1. Let password managers work: keep type="password", set a correct autocomplete token, and never disable paste.
  2. For one-time codes, mark fields with autocomplete="one-time-code" and allow paste so users can transfer the code without retyping.
  3. Offer an alternative that needs no cognitive test, such as a passkey (WebAuthn) or an email magic link.
  4. Replace puzzle, math, or text-recall CAPTCHAs with token-based or honeypot approaches; if one remains, provide an accessible non-cognitive alternative.
  5. Re-test the whole flow with a password manager and by pasting codes.

markup: password and one-time code fields that a manager can fill and the user can paste into
<label for="pw">Password</label>
<input id="pw" type="password" autocomplete="current-password">

<label for="otp">One-time code</label>
<input id="otp" type="text" inputmode="numeric"
       autocomplete="one-time-code">
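As an added example (not part of the WCAG text or of any tool named on this page), the JavaScript below turns the fix steps into a static lint for login markup: it parses each <input> with a small regex, classifies password and one-time-code fields, and reports the anti-patterns that block managers and paste. It assumes flat markup with no ">" inside attribute values; the "before" form is constructed to show the failures.

```javascript
// Added example: static lint of login markup against the 3.3.8 fix steps.
// Uses a small regex for <input> tags (assumes flat markup, no '>' in values).
const INPUT_TAG = /<input\b([^>]*)>/gi;
const ATTR = /([a-zA-Z_:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one tag's attribute text into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Classify a field as 'password', 'otp' or null; \bcode\b avoids "postcode".
function classify(a) {
  if ((a.type || 'text').toLowerCase() === 'password') return 'password';
  const hint = `${a.name || ''} ${a.id || ''} ${a.autocomplete || ''}`;
  return /otp|one[-_]?time|\bcode\b/i.test(hint) ? 'otp' : null;
}

// Return findings for every password/OTP field; an empty list means it passes.
function auditAuthMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG)) {
    const a = parseAttrs(m[1]);
    const kind = classify(a);
    if (!kind) continue;
    const label = a.id || a.name || '(unnamed)';
    const ac = (a.autocomplete || '').toLowerCase();
    if (ac === 'off')
      findings.push(`${label}: autocomplete="off" blocks password-manager autofill`);
    if (kind === 'password' && !['current-password', 'new-password'].includes(ac))
      findings.push(`${label}: password field needs autocomplete="current-password" or "new-password"`);
    if (kind === 'otp' && ac !== 'one-time-code')
      findings.push(`${label}: one-time code field needs autocomplete="one-time-code"`);
    if ('onpaste' in a)
      findings.push(`${label}: inline onpaste handler may block pasting the value`);
  }
  return findings;
}

// Constructed "before" markup with the usual anti-patterns, and the fixed markup.
const BEFORE = `<input id="pw" type="password" autocomplete="off" onpaste="return false">
<input id="otp" type="text" name="otp" autocomplete="off">`;
const AFTER = `<input id="pw" type="password" autocomplete="current-password">
<input id="otp" type="text" inputmode="numeric" autocomplete="one-time-code">`;
console.log(auditAuthMarkup(BEFORE)); // five findings
console.log(auditAuthMarkup(AFTER));  // []
```

Paste handlers attached with addEventListener are invisible to a static scan, so a clean result still needs the manual paste test from the checklist.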

Copy-paste tests

Automated coverage

There is no fully automated axe-core rule that confirms this criterion: detecting whether authentication relies on a cognitive function test (memorising passwords, transcribing codes, solving puzzles) requires human judgement. Treat it as a manual review, aided by the console check and steps below.

Run this in the browser console

console — find auth fields blocking paste/autofill
// Read-only: list password/OTP fields that may impose a cognitive function test
// (no autofill, no paste). The name match is deliberately broad, so expect a few
// false positives (e.g. "postcode") to dismiss by hand.
const fields = [...document.querySelectorAll('input')].filter(el =>
  el.type === 'password' ||
  /otp|one[-_]?time|code|captcha/i.test(el.name + ' ' + el.id + ' ' + (el.autocomplete || ''))
);
const rows = fields.map(el => ({
  id: el.id, name: el.name, type: el.type,
  autocomplete: el.getAttribute('autocomplete') || '(none)',
  // autocomplete="off" defeats password-manager autofill in most browsers.
  autocompleteOff: (el.getAttribute('autocomplete') || '').toLowerCase() === 'off',
  // Only inline handlers are visible here; listeners added with addEventListener
  // are not, so a "false" still needs the manual paste test.
  blocksPaste: el.onpaste != null || el.hasAttribute('onpaste')
}));
console.table(rows);
fields.forEach(el => { el.style.outline = '3px solid magenta'; });
console.log(fields.length + ' auth field(s) flagged for manual review.');

What to check manually: confirm each flagged field lets you paste the value and offers password-manager autofill (the correct autocomplete token), and that no step forces the user to memorise, transcribe, or solve a puzzle with no accessible alternative — things no script can verify.