3.3.8 Accessible Authentication (Minimum)
Level: AA | Principle: Understandable | Since: WCAG 2.2 | Automation: Manual
What This Means
Authentication processes must not require a cognitive function test (such as memorizing a password, solving a puzzle, or transcribing distorted text) unless at least one alternative is provided. Specifically, users must be able to paste into password fields, use password managers, and use alternative authentication methods like passkeys, OAuth, or email magic links.
Who This Affects
- Cognitive disability users — memorizing passwords, solving CAPTCHAs, or transcribing characters is extremely difficult or impossible for them
- Memory impairment users — they rely on password managers to store and fill credentials
- Motor impairment users — typing complex passwords is physically taxing; pasting from a manager is far easier
- Low vision users — CAPTCHAs with distorted text are often unreadable even with magnification
- Everyone — password managers and passkeys improve security and usability for all users
Common Pitfalls
1. Blocking paste in password fields
<!-- Bad: prevents password managers from filling the field -->
<input type="password" onpaste="return false">
<!-- Bad: JavaScript prevention -->
<input type="password" id="pwd">
<script>
document.getElementById('pwd').addEventListener('paste', (e) => {
e.preventDefault();
});
</script>
2. CAPTCHAs as the only authentication gate
<!-- Bad: distorted text CAPTCHA with no alternative -->
<img src="/captcha.png" alt="Type the characters you see">
<input type="text" name="captcha">
<!-- Bad: puzzle CAPTCHA with no alternative -->
<div class="puzzle-captcha">Drag the piece to complete the image</div>
3. Requiring users to re-type a code from another device
<!-- Bad: forces memorization and transcription -->
<p>Enter the 6-digit code shown on your authenticator app:</p>
<input type="text" name="totp" autocomplete="off">
<!-- Blocking autocomplete prevents password managers from helping -->
4. Custom login that breaks autocomplete
<!-- Bad: non-standard field names prevent browser autofill -->
<input type="text" name="usr_xf7" autocomplete="off">
<input type="password" name="pwd_xf7" autocomplete="off">
How to Fix
Allow paste in all password fields
<label for="password">Password</label>
<input
id="password"
type="password"
name="password"
autocomplete="current-password"
>
<!-- Do NOT add onpaste="return false" or any paste-prevention JavaScript -->
Use proper autocomplete attributes
<!-- Login form -->
<label for="username">Email</label>
<input id="username" type="email" name="email" autocomplete="username">
<label for="password">Password</label>
<input id="password" type="password" name="password" autocomplete="current-password">
<!-- Registration form -->
<label for="new-password">Create password</label>
<input id="new-password" type="password" name="password" autocomplete="new-password">
Provide alternative authentication methods
<form action="/login" method="post">
<label for="email">Email</label>
<input id="email" type="email" name="email" autocomplete="username">
<label for="password">Password</label>
<input id="password" type="password" name="password" autocomplete="current-password">
<button type="submit">Sign in</button>
</form>
<hr>
<p>Or sign in with:</p>
<button onclick="loginWithGoogle()">Sign in with Google</button>
<button onclick="loginWithPasskey()">Sign in with Passkey</button>
<button onclick="sendMagicLink()">Email me a sign-in link</button>
If CAPTCHA is necessary, provide an accessible alternative
<!-- Provide an audio alternative or use an accessible CAPTCHA service -->
<div class="captcha">
<img src="/captcha.png" alt="Type the characters you see">
<input type="text" name="captcha" autocomplete="one-time-code">
<button type="button" onclick="playAudioCaptcha()">
Listen to an audio version
</button>
</div>
How to Test
- Navigate to the login and registration forms. Try pasting a password from a password manager into the password field. It must work.
- Check that password fields have the correct autocomplete attribute (current-password for login, new-password for registration) so browser autofill and password managers work.
- If a CAPTCHA is present, verify an accessible alternative exists (audio CAPTCHA, OAuth login, email magic link).
- Verify the login flow can be completed entirely by keyboard without requiring a cognitive function test that has no alternative.
- Pass: Passwords can be pasted, password managers work via proper autocomplete attributes, and any CAPTCHA has an accessible alternative.
- Fail: Paste is blocked in password fields, autocomplete is set to "off," or a CAPTCHA exists with no accessible alternative.
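The markup checks above can be scripted. The following Node.js audit is an added example, not code from the guide: it scans HTML source for input elements with a simple attribute parser (an assumption of this example, not a full HTML parser) and reports the pitfalls listed earlier. It only sees attributes, so a paste listener attached from JavaScript still needs the manual paste test.

```javascript
// Added audit script (not part of the original guide). It scans HTML source
// for <input> elements and reports the markup-level 3.3.8 problems listed
// under "Common Pitfalls": an onpaste attribute on a password field,
// autocomplete="off" on a login field, and a password field that lacks a
// current-password / new-password token. It cannot see a paste listener
// attached from JavaScript, so the manual paste test still applies.

const INPUT_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one <input> tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return one finding per problem, in document order, as { field, issue }.
function auditInputs(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const a = parseAttrs(m[1]);
    const field = a.name || a.id || '(unnamed)';
    const report = (issue) => findings.push({ field, issue });
    if (a.type === 'password') {
      if ('onpaste' in a) report('paste blocked by onpaste attribute');
      if (a.autocomplete === 'off') report('autocomplete="off" disables password managers');
      else if (!['current-password', 'new-password'].includes(a.autocomplete)) {
        report('password field lacks current-password/new-password autocomplete');
      }
    } else if (a.autocomplete === 'off') {
      report('autocomplete="off" disables browser autofill');
    }
  }
  return findings;
}

// Constructed sample assembled from the guide's bad and good snippets.
const SAMPLE_HTML = `
<input type="password" onpaste="return false">
<input type="text" name="usr_xf7" autocomplete="off">
<input type="password" name="pwd_xf7" autocomplete="off">
<input id="username" type="email" name="email" autocomplete="username">
<input id="password" type="password" name="password" autocomplete="current-password">
`;

for (const f of auditInputs(SAMPLE_HTML)) console.log(`${f.field}: ${f.issue}`);
```

Run it against a saved login page with `node audit.js` after replacing SAMPLE_HTML with the page source; the two well-formed fields in the sample produce no findings.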
axe-core Rules
This criterion cannot be reliably detected by automated tools. While autocomplete attribute issues can be partially flagged, the full criterion requires evaluating the authentication flow holistically.