---
title: "Accessible authentication"
category: accessibility
status: recommended
url: https://specification.website/spec/accessibility/accessible-authentication/
updated: "2026-06-17T00:00:00.000Z"
sources:
  - title: "WCAG 3.3.8 — Accessible Authentication (Minimum) (Level AA)"
    url: "https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html"
    publisher: "W3C"
  - title: "WCAG 3.3.9 — Accessible Authentication (Enhanced) (Level AAA)"
    url: "https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-enhanced.html"
    publisher: "W3C"
  - title: "W3C — Web Authentication (WebAuthn)"
    url: "https://www.w3.org/TR/webauthn-3/"
    publisher: "W3C"
  - title: "MDN — HTML autocomplete attribute"
    url: "https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/autocomplete"
    publisher: "MDN"
source_repo: https://github.com/jdevalk/specification.website
licence: CC-BY-4.0
---

# Accessible authentication

> Let people log in without solving a puzzle, transcribing a code, or memorising anything. Don't block password managers, allow paste, and offer a method that needs no cognitive function test.

## What it is

WCAG 2.2 added two success criteria, both about logging in: **3.3.8 Accessible Authentication (Minimum)**, Level AA, and **3.3.9 Accessible Authentication (Enhanced)**, Level AAA. The rule is that no step of an authentication process may require a **cognitive function test** (remembering a password, solving a puzzle, transcribing characters, or recognising objects or personal content) unless that step offers either an alternative method that is not a cognitive function test, or a mechanism that completes the test for the user, such as a password manager filling the field or paste into a code input. The Minimum criterion additionally exempts object recognition (e.g. "pick the photos with a bus") and recognising non-text content the user themselves supplied; the Enhanced criterion removes those two exemptions, so only the alternative-method and mechanism routes remain.

## Why it matters

A login screen is a gate in front of everything. People with cognitive disabilities — memory loss, dyslexia, dyscalculia — are routinely locked out by the very mechanisms meant to keep accounts safe. Asking someone to memorise a password, copy a six-digit code from a text message into a field, or solve a distorted-text CAPTCHA is a cognitive function test, and for a large group of users it simply does not work. Authentication failures don't just frustrate; they exclude people from banking, healthcare, and government services entirely.

## How to implement

The reliable way to pass is to make the browser or device do the remembering:

- **Support password managers.** Use standard `<input type="password">` fields with `autocomplete="current-password"` (or `new-password` on the fields of a set-or-change form) and `autocomplete="username"` on the identifier field, so managers can fill and store the pair together. Don't break this with custom widgets or `autocomplete="off"` on credential fields.
- **Allow paste** into every field, including password and one-time-code inputs. Blocking paste forces manual transcription, the exact thing the criterion forbids, and NIST SP 800-63B likewise says verifiers should permit paste into secret fields.
- **Let the platform handle OTPs.** Mark the field `autocomplete="one-time-code"` (with `inputmode="numeric"` for numeric codes) so the OS can offer the SMS code automatically instead of making the user read and retype it. Keep it one field: a row of six single-character boxes often defeats both autofill and paste.
- **Offer passkeys / WebAuthn.** Biometric or device-bound credentials satisfy the criterion because they require no memorised secret and no test; the device unlock (fingerprint, face, or device PIN) belongs to the platform, not to your authentication process. With conditional mediation the passkey is offered in the username field's autofill list, so the user does not even have to pick a method first.
- **If you must use a CAPTCHA, don't make it the only gate.** Offer an alternative that isn't a puzzle, or use a non-interactive challenge that needs no input from the user.
- **Email or magic links** are an accessible fallback: the user clicks, no recall required. Make each link single-use and short-lived, and rate-limit requests so the fallback does not become an enumeration or spam vector.
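The list above assembled into one working login form, as an added example (browser JavaScript; not code from this page or from any project). The markup string carries the `autocomplete` tokens the bullets ask for, and the script layers a conditional passkey prompt on top, so a user who has a passkey sees it in the username field's autofill list while everyone else keeps the password and one-time-code path. The `/webauthn/options` and `/webauthn/verify` endpoints and the JSON they exchange are assumptions; the base64url and request-building helpers are pure and also run under Node.

```javascript
// Added example, not code from the page or any project: wiring for a login
// form that passes WCAG 3.3.8 by letting the browser, OS and authenticator do
// the remembering. Endpoints /webauthn/options and /webauthn/verify and the
// JSON they exchange are assumptions; the base64url and request helpers are
// pure and also run under Node.

// Markup with the autocomplete tokens password managers and OS autofill key on.
// "username webauthn" additionally lets a conditional passkey prompt appear in
// the username field's autofill list.
const LOGIN_FORM_HTML = `
<form id="login" method="post" action="/login">
  <label for="username">Email</label>
  <input id="username" name="username" type="email"
         autocomplete="username webauthn" required>
  <label for="password">Password</label>
  <input id="password" name="password" type="password"
         autocomplete="current-password" required>
  <label for="otp">One-time code (only if we ask for one)</label>
  <input id="otp" name="otp" type="text" inputmode="numeric"
         autocomplete="one-time-code">
  <button type="submit">Sign in</button>
  <p><a href="/login/magic-link">Email me a sign-in link instead</a></p>
</form>`;

// WebAuthn challenges and assertion fields are byte buffers; servers usually
// exchange them as base64url. atob/btoa exist in browsers and in Node 16+.
function base64urlToBytes(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build the navigator.credentials.get() argument from the server's options.
// mediation: 'conditional' surfaces passkeys inside autofill rather than in a
// modal, so nobody is forced to choose a method before they can type.
function buildPasskeyRequest(options) {
  return {
    mediation: 'conditional',
    publicKey: {
      challenge: base64urlToBytes(options.challenge),
      rpId: options.rpId,
      userVerification: 'preferred',
      allowCredentials: [], // discoverable credentials: the authenticator picks
    },
  };
}

// Turn the assertion's ArrayBuffers into base64url so it can be POSTed as JSON.
// Verifying origin, rpIdHash, signature and sign counter is the server's job.
function serializeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
  };
}

// Browser only. Returns null when passkeys are unavailable; the password and
// one-time-code path in the form above stays fully usable in that case.
async function startConditionalPasskeyLogin() {
  if (typeof window === 'undefined' || !window.PublicKeyCredential ||
      !(await PublicKeyCredential.isConditionalMediationAvailable?.())) {
    return null;
  }
  const options = await (await fetch('/webauthn/options')).json(); // assumed endpoint
  const cred = await navigator.credentials.get(buildPasskeyRequest(options));
  const res = await fetch('/webauthn/verify', { // assumed endpoint
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(serializeAssertion(cred)),
  });
  return res.ok;
}

if (typeof document !== 'undefined') {
  document.body.insertAdjacentHTML('beforeend', LOGIN_FORM_HTML);
  startConditionalPasskeyLogin().then((ok) => { if (ok) location.assign('/'); });
}
```

The empty `allowCredentials` list relies on discoverable credentials, which is what makes the conditional prompt possible: the authenticator, not the site, knows which passkey belongs to which user. Nothing in the form depends on the passkey path succeeding, which is the point of the criterion: every route the page offers is one the user can complete without recall or transcription.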

## Common mistakes

- Disabling paste "for security" on password or 2FA fields.
- A reCAPTCHA-style image puzzle with no alternative path.
- "Security questions" that demand recall of obscure facts.
- Custom login fields with no `autocomplete`, so managers can't fill them.
- Asking the user to transcribe a code from an authenticator app with no copy affordance.

## Verification

- Log in using only a password manager, typing nothing. It should fill both the username and password fields, and a single click on the submit button should then complete the step.
- Confirm paste works in every credential and OTP field.
- Check each step for a puzzle, memory, or transcription demand; if one exists, confirm an accessible alternative is offered.
