3.3.8 Accessible Authentication (Minimum)

New in WCAG 2.2, this criterion addresses authentication barriers for people with cognitive disabilities. Memory tests (remembering a password), transcription tasks (typing a distorted CAPTCHA), and object recognition tests (selecting all squares with traffic lights) are all cognitive function tests that create barriers.

At Level AA, if a cognitive function test is used in login, at least one of the following must also be offered: an alternative authentication method that does not require a cognitive function test, a mechanism to help users complete the test (such as allowing password manager autofill or copy-paste), or object recognition or personal content tests as alternatives to transcription.

Allow password managers to autofill login fields. Do not disable paste in password inputs.

Offer passkey, magic link, or OAuth login as alternatives to password-based login.

If you use CAPTCHA, offer an audio alternative, or replace it with a less cognitively demanding approach.

Do not disable copy and paste on password fields. This breaks password managers and harms accessibility.

• Login form that disables paste in the password field, blocking password managers
• CAPTCHA-only authentication with no alternative method for users who cannot solve visual puzzles
• Password rules that are so complex users cannot remember them without a test, with no password manager support

Cognitive function tests are allowed at Level AA as long as an alternative or assistance exists. The enhanced version (3.3.9, Level AAA) is stricter and requires no cognitive function tests at all.