WCAG 2.2 - Success Criterion
3.3.8 Accessible Authentication (Minimum)
Description
Cognitive function tests must not be required at any step of an authentication process, unless the test provides at least one of the following: an alternative authentication method that does not rely on a cognitive function test; a mechanism to assist the user in completing the cognitive function test; or the cognitive function test involves recognising objects or identifying non-text content the user previously provided to the website. A cognitive function test is anything that requires the user to remember, transcribe, or solve something - including traditional text-based CAPTCHA, knowledge-based security questions, or mathematical puzzles. This new WCAG 2.2 criterion directly addresses authentication barriers for users with cognitive disabilities.
How To Test
- Identify all steps in the site's authentication and account recovery flows (login, two-factor authentication, password reset, account unlock).
- For each step, determine whether a cognitive function test is required: CAPTCHA, knowledge question, memorised PIN, or puzzle.
- If a cognitive function test is present, check whether an alternative method that does not require cognitive function is available.
- Test that password fields support copy-paste and browser autofill (do not block the clipboard or disable autocomplete for the password field).
- Check whether the site supports a password manager-friendly login flow (a standard <input type="password"> with appropriate autocomplete attribute values).
- If a CAPTCHA is used, verify that an audio or non-text alternative is offered alongside it.
- For account recovery flows, check that users are not required to answer knowledge-based questions as the sole recovery method.
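As a first pass over the test steps above, here is an added example (not part of this WCAG page) that statically audits the HTML of a login step with Python's standard library: it flags password fields that disable autocomplete or intercept paste, and runs of single-character inputs that indicate split OTP fields. The function name and the sample markup are assumptions constructed for the example.

```python
from html.parser import HTMLParser

PASSWORD_AUTOCOMPLETE = {"current-password", "new-password"}


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input>, in document order."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # Attribute names arrive lower-cased; a bare attribute has value None.
            self.inputs.append({name: (value or "").lower() for name, value in attrs})


def audit_authentication_markup(html):
    """Return SC 3.3.8 findings for the HTML of a login step; [] means none found."""
    collector = _InputCollector()
    collector.feed(html)
    findings = []
    digit_run = 0  # consecutive inputs limited to one character (split OTP pattern)
    for field in collector.inputs + [{}]:  # trailing {} flushes the final run
        if field.get("type") == "password":
            autocomplete = field.get("autocomplete", "")
            if autocomplete == "off":
                findings.append("password field disables autocomplete (blocks password managers)")
            elif autocomplete not in PASSWORD_AUTOCOMPLETE:
                findings.append("password field lacks autocomplete=current-password/new-password")
            if "onpaste" in field:
                findings.append("password field has an onpaste handler (clipboard may be blocked)")
        if field.get("maxlength") == "1":
            digit_run += 1
            continue
        if digit_run >= 3:
            findings.append(f"{digit_run} consecutive one-character inputs: split OTP fields block pasting")
        digit_run = 0
    return findings


# Constructed sample markup modelled on this page's demos, not taken from a real site.
FAILING_LOGIN = """<input type="password" id="password" autocomplete="off" onpaste="return false">
<input type="text" inputmode="numeric" maxlength="1"><input type="text" inputmode="numeric" maxlength="1">
<input type="text" inputmode="numeric" maxlength="1"><input type="text" inputmode="numeric" maxlength="1">"""
PASSING_LOGIN = """<input type="password" id="password" autocomplete="current-password">
<input type="text" id="otp" inputmode="numeric" autocomplete="one-time-code">"""

if __name__ == "__main__":
    print(audit_authentication_markup(FAILING_LOGIN) or "no findings")
```

The checks are markup-only: a CAPTCHA without an alternative, or a knowledge question in a recovery flow, still needs the manual walk-through the steps above describe.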
Testing Tools
- NVDA — Free screen reader for Windows. Download, install, and open Firefox to test the demo. Navigate using Tab and arrow keys, and listen to role, name, and state announcements from the page.
- VoiceOver (macOS) — Built into macOS. Enable with Cmd+F5, then open Safari or Chrome to test the demo. Use VO+arrow keys to navigate and hear semantic structure announcements.
- Lighthouse — Browser accessibility audit in Chrome DevTools. Open DevTools (F12), go to Lighthouse, run the audit to identify semantic and labeling issues.
Demo
This login requires solving a maths puzzle with no alternative method. Users with cognitive disabilities such as dyscalculia cannot authenticate.
Standard password field with autocomplete="current-password" (supports password managers) and a show/hide toggle. No cognitive function test required.
Code
<!-- ❌ Login requires a cognitive function test (maths puzzle) with no alternative -->
<label for="username">Username</label>
<input type="text" id="username" autocomplete="username">
<label for="password">Password</label>
<input type="password" id="password" autocomplete="current-password">
<label for="captcha">What is 7 + 4?</label>
<input type="text" id="captcha" required>
<!-- No alternative — users with dyscalculia or cognitive disabilities are blocked -->

<!-- ✓ Standard password field — supports paste, autofill, and password managers -->
<label for="username">Username</label>
<input type="text" id="username" autocomplete="username">
<label for="password">Password</label>
<input type="password" id="password" autocomplete="current-password">
<!-- Show/hide toggle lets users check what they typed or pasted; aria-pressed reflects its state -->
<button type="button" aria-controls="password" aria-pressed="false">Show</button>
<!-- No cognitive test — password manager handles recall for the user -->
Two-factor authentication uses split OTP fields (4 separate 1-digit inputs) that block copy-paste. Users must manually type each digit, creating barriers for users with motor or cognitive disabilities.
A single OTP input field that accepts paste and auto-formatting. Users can paste the full code from SMS, email, or authenticator apps without manual entry.
Code
<!-- ❌ Split OTP fields block copy-paste; require manual entry -->
<div style="display:flex;gap:0.5rem;">
  <input type="text" inputmode="numeric" maxlength="1">
  <input type="text" inputmode="numeric" maxlength="1">
  <input type="text" inputmode="numeric" maxlength="1">
  <input type="text" inputmode="numeric" maxlength="1">
</div>
<!-- Users cannot paste the full code — must type each digit -->

<!-- ✓ Single field accepts paste; auto-formats to 6 digits -->
<label for="otp">Verification code</label>
<!-- autocomplete="one-time-code" lets browsers and SMS integrations fill the code;
     oninput (not onchange) formats immediately on paste, before the field loses focus;
     no maxlength, so a pasted "123 456" is not truncated before the separator is stripped -->
<input type="text" id="otp" inputmode="numeric" autocomplete="one-time-code" placeholder="000000"
       oninput="this.value=this.value.replace(/\D/g,'').substring(0,6);">
<!-- Users paste the full code; field auto-strips non-digits and truncates -->
Login requires a password with no alternatives. Users with memory impairments or those unable to type cannot authenticate using other methods.
Multiple authentication methods available. Users can choose the method that works best for their abilities: password manager support, email magic links, or biometric passkeys.
Code
<!-- ❌ Password-only authentication; no alternatives for users who cannot type or remember -->
<label for="email">Email</label>
<input type="email" id="email">
<label for="password">Password</label>
<input type="password" id="password">
<!-- Users with memory or motor impairments have no alternative -->

<!-- ✓ Multiple methods: password (with manager support), magic link, passkey -->
<fieldset>
  <legend>Choose authentication method</legend>
  <label>
    <input type="radio" name="auth-method" value="password">
    Password (supports password manager)
  </label>
  <label>
    <input type="radio" name="auth-method" value="magic-link">
    Magic link via email
  </label>
  <label>
    <input type="radio" name="auth-method" value="passkey">
    Passkey (fingerprint or face)
  </label>
</fieldset>
<!-- Users choose the method that works for them -->
Fail Explanation
A login page that requires users to solve a distorted text CAPTCHA with no accessible alternative (such as an audio CAPTCHA or a simple "I'm not a robot" checkbox backed by behaviour analysis) fails this criterion. Similarly, a security checkpoint that asks users to recall which city they were born in, their mother's maiden name, or any other memorised fact - without offering an alternative path - presents a barrier to users with cognitive impairments, amnesia, or brain injuries. Traditional knowledge-based authentication questions are a particularly common source of failure.
Pass Explanation
An authentication process passes when it does not require any cognitive function test, or when any such test is accompanied by at least one accessible alternative. Acceptable approaches include: password manager-compatible password fields (which support copy-paste and autofill, avoiding the need to memorise); email or SMS one-time codes (which are sent to the user rather than requiring recall); passkeys and biometric authentication; and object-recognition tasks that use images the user previously uploaded themselves. A compliant CAPTCHA must offer a non-cognitive alternative such as an audio challenge or a behaviour-based check.
Notes
This criterion is at Level AA; WCAG 2.2 also includes 3.3.9 Accessible Authentication (Enhanced) at Level AAA which removes all cognitive test exceptions. Importantly, this criterion does not prohibit passwords - it prohibits requiring users to memorise or transcribe credentials without any accessible alternative or support mechanism.
Techniques
WCAG techniques used in this demo: G218