Success Criterion · WCAG 3.3.8

Accessible Authentication (Minimum)

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following: an alternative authentication method that does not rely on a cognitive function test, a mechanism to assist the user in completing the cognitive function test, or an object recognition test where the object is personally chosen by the user.

Level AA · WCAG 2.2 · Understandable · 3.3 · Input Assistance

Goal

Make authentication usable without forcing memory-based puzzles.

What to do

Do not require users to solve cognitive function tests (like memorizing passwords) without offering accessible alternatives.

Why it matters

Memory and cognitive puzzles can exclude users with cognitive disabilities; password managers and copy/paste support are critical.

Success criterion

What WCAG 3.3.8 requires

Summarized directly from the official Understanding document so teams can quote the requirement accurately.

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process, unless that step provides at least one of the following: (1) Alternative: Another authentication method that does not rely on a cognitive function test; (2) Mechanism: A mechanism is available to assist the user in completing the cognitive function test; (3) Object recognition: The cognitive function test is to recognize objects; (4) Personal content: The cognitive function test is to identify non-text content the user provided to the Web site.

Intent

Why WCAG created this requirement

  • Memory-based authentication is a major barrier for many users.
  • Allowing assistance mechanisms (password managers, copy/paste) is often sufficient.
  • Alternative methods can avoid cognitive tests entirely.

Benefits

Who gains when you pass

  • Users with cognitive disabilities can log in without memorizing complex secrets.
  • All users benefit from password managers and passkeys.
  • Users with motor impairments benefit from copy/paste and autofill.

Why it matters

User impact when this criterion fails

Summaries drawn from the Understanding document help you socialize impact statements with product stakeholders.

Users may be locked out if login requires remembering complex passwords with no help.

Blocking paste or password managers can make authentication unusable.

Overview

Authentication must not rely solely on memory or puzzles. Allow password managers, copy/paste, and provide alternative methods (magic links, passkeys, OTP) or assistance. This is a WCAG 2.2 Level AA addition.

  • Do not block copy/paste in password fields; allow password manager autofill.
  • Provide alternative authentication methods (passkeys, email link, OTP).
  • Avoid puzzles (CAPTCHA-like) as an authentication requirement.
  • Object recognition/personal content options can be used, but must remain accessible.

Reference: All summaries and highlights originate from Understanding WCAG 3.3.8 and the W3C quick reference.

Fast facts

  • Conformance level: Level AA
  • WCAG version introduced: WCAG 2.2
  • Principle: Understandable
  • Guideline: 3.3 · Input Assistance

Examples

Make success tangible for teams

Share pass/fail snapshots to coach designers, engineers, QA, and content authors.

Password field

Pass

Password field allows paste and password manager fill.

Fail

Paste is disabled and password manager autofill is blocked.

Alternative login

Pass

User can use a passkey or an email magic link instead of memorizing a password.

Fail

Only option is a complex password with no assistance.

Evidence to keep

Document conformance decisions

Capture artifacts for VPATs, procurement reviews, and regression testing.

  • Document authentication options and confirm compatibility with password managers.
  • Capture evidence that paste/autofill is allowed on login forms.

Official resources

Deep dives and supporting material

Keep these links handy when writing acceptance criteria or responding to audits.

Implementation checklist

Capture progress and blockers

  • Audit authentication flows for cognitive function tests and barriers.
  • Allow paste/autofill and avoid anti-patterns that block password managers.
  • Provide at least one alternative or assistance mechanism per the criterion.
  • Document the supported authentication methods and how they meet the criterion.

Testing ideas

Prove conformance with evidence

  • Test login using password manager autofill and copy/paste.
  • Verify login does not require solving puzzles beyond reasonable security checks.
  • Verify an alternative method exists if a memory-based step is present.
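
The paste and autofill checks above can be partly automated. The following is an added example, not code from WCAG or from this page's authors: a static scan of login-form markup that flags password and one-time-code inputs which cancel paste or disable autofill. The function names, rule names and sample markup are assumptions made for illustration.

```javascript
// Added example: static audit of login-form markup (heuristics are assumptions).
const SECRET_TOKENS = ["current-password", "new-password", "one-time-code"];

// Parse the attributes of one <input ...> tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per anti-pattern on password and one-time-code inputs.
function auditLoginMarkup(html) {
  const findings = [];
  const tags = html.match(/<input\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi) || [];
  for (const tag of tags) {
    const a = parseAttributes(tag);
    const ac = (a.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
    const isSecret = (a.type || "").toLowerCase() === "password" || ac.includes("one-time-code");
    if (!isSecret) continue;
    const field = a.name || a.id || "(unnamed)";
    for (const h of ["onpaste", "ondrop"]) {
      // An inline handler that cancels the event stops paste or drag-in of a secret.
      if (h in a && /return\s+false|preventDefault\s*\(/.test(a[h])) {
        findings.push({ field, rule: "paste-blocked", detail: `${h}="${a[h]}"` });
      }
    }
    if (ac.includes("off")) {
      findings.push({ field, rule: "autofill-disabled", detail: 'autocomplete="off"' });
    } else if (!ac.some((t) => SECRET_TOKENS.includes(t))) {
      findings.push({ field, rule: "autofill-hint-missing", detail: "no password/OTP token" });
    }
  }
  return findings;
}

// Constructed sample markup: the page's "Fail" and "Pass" password-field snapshots.
const SAMPLE_FAIL = `<input type="email" name="user" autocomplete="username">
<input type="password" name="pw" autocomplete="off" onpaste="return false">`;
const SAMPLE_PASS = `<input type="email" name="user" autocomplete="username">
<input type="password" name="pw" autocomplete="current-password">`;

console.log(auditLoginMarkup(SAMPLE_FAIL), auditLoginMarkup(SAMPLE_PASS));
```

The scan only sees inline attributes; paste handlers attached from script still need the manual password-manager and copy/paste test listed above.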
