
3.3.8 Accessible Authentication (Minimum)

A cognitive function test is not required for any step in an authentication process unless an alternative or assistance mechanism is provided.

Level AA · Serious · WCAG 2.2 (new)

What this rule means

WCAG 3.3.8 (new in WCAG 2.2) requires that authentication processes do not rely on cognitive function tests — memorizing passwords, solving puzzles, transcribing codes — unless an alternative is provided. Users must be able to authenticate without relying on memory, transcription, or pattern recognition.

Acceptable alternatives include: password managers (copy/paste must work), passkeys/WebAuthn, email/SMS magic links, OAuth/SSO, and biometric authentication. The key is that the user does not have to recall or transcribe information from memory.

Why it matters

Users with cognitive disabilities, memory impairments, and learning disabilities may be unable to remember passwords or complete CAPTCHA challenges. Authentication barriers lock these users out of services entirely.

This criterion ensures that at least one authentication path does not require cognitive function tests, making services accessible to people with cognitive disabilities.

Related axe-core rules

There are no automated axe-core rules for this criterion.

How to test

  • Identify all authentication steps (login, 2FA, CAPTCHA, email verification).
  • For each step, determine if a cognitive function test is required.
  • Verify that at least one complete authentication path exists that does not require memory, transcription, or pattern recognition.
  • Ensure password fields allow paste (for password manager use).
  • Check that CAPTCHA has an accessible alternative.
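The paste and autocomplete checks in the steps above can be partly automated. The script below is an added example, not part of the original page: it scans `<input type="password">` tags in a page's markup for inline `onpaste` handlers that cancel the paste and for `autocomplete` values that hinder password managers. The regex tag scanner and the sample markup are constructed for this demo; a real audit would run against the live DOM or a proper HTML parser.

```javascript
// Added example (not from the original page): audit password fields for
// paste blocking and missing password-manager hints.

// Return every <input ...> tag whose type is "password".
function findPasswordInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.filter((t) => /\btype\s*=\s*["']?password\b/i.test(t));
}

// Read one attribute value (double-, single- or un-quoted) from a tag string.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Findings per password field:
//   paste-blocked         inline onpaste handler that cancels the paste
//   autocomplete-off      autocomplete="off", which hinders some password managers
//   no-autocomplete-hint  no current-password / new-password token for managers
function auditPasswordFields(html) {
  const findings = [];
  for (const tag of findPasswordInputs(html)) {
    const field = attr(tag, 'id') || attr(tag, 'name') || '(unnamed)';
    const onpaste = attr(tag, 'onpaste') || '';
    if (/return\s+false|preventDefault\s*\(/i.test(onpaste)) {
      findings.push({ field, issue: 'paste-blocked' });
    }
    const ac = (attr(tag, 'autocomplete') || '').trim().toLowerCase();
    if (ac === 'off') {
      findings.push({ field, issue: 'autocomplete-off' });
    } else if (!/^(current|new)-password$/.test(ac)) {
      findings.push({ field, issue: 'no-autocomplete-hint' });
    }
  }
  return findings;
}

// Constructed sample markup: one compliant field, one that blocks paste,
// and one legacy field with no autocomplete hint at all.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="password" id="good" name="password" autocomplete="current-password">
  <input type="password" id="blocked" onpaste="return false" autocomplete="off">
  <input type='password' name="legacy">
</form>`;

function auditSample() {
  return auditPasswordFields(SAMPLE_HTML);
}

console.log(auditSample());
```

Run against the sample, the audit reports nothing for the compliant field, two findings for the field that blocks paste, and one hint-level finding for the legacy field. Treat the `no-autocomplete-hint` result as advisory: the criterion is about paste and alternatives, and the hint only makes password-manager fill more reliable.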

How to fix

<!-- Allow password paste for password managers -->
<label for="password">Password</label>
<input type="password" id="password" name="password"
       autocomplete="current-password" required />
<!-- Do NOT add onpaste="return false" -->

<!-- Provide magic link alternative -->
<form action="/login" method="post">
  <label for="email">Email</label>
  <input type="email" id="email" name="email" autocomplete="email" required />
  <button type="submit">Send login link</button>
</form>
<p>We will email you a link to sign in —
   no password needed.</p>

<!-- WebAuthn/passkey option; startWebAuthn() is the site's own script
     that calls navigator.credentials.get() -->
<button type="button" onclick="startWebAuthn()">
  Sign in with passkey
</button>

Common mistakes

  • Disabling paste on password fields, preventing password manager use.
  • Requiring CAPTCHA without an accessible alternative (audio CAPTCHA alone is not sufficient).
  • Requiring users to transcribe a code from one device to another without copy/paste.
  • Using image-based authentication (pick the right image) without an alternative.

Resources