WCAG 3.3.8 Accessible Authentication: No Cognitive Function Tests
Last updated: 2026-03-22
What This Criterion Requires
WCAG 3.3.8 Accessible Authentication (Minimum) is a new criterion introduced in WCAG 2.2 at Level AA. It requires that a cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless an alternative method is provided that does not rely on a cognitive function test, a mechanism is available to assist the user in completing the cognitive function test (such as allowing password managers to fill in passwords via copy-paste), or the cognitive function test is to recognize objects or identify non-text content the user provided. This criterion does not prohibit passwords, but it requires that the authentication process allows users to paste passwords from password managers, use autofill, or employ an alternative authentication method. CAPTCHAs that require solving puzzles or transcribing text are barriers unless an alternative is available. Two-factor authentication codes that must be memorized or transcribed from one device to another are also covered. The key principle is that users should not need to rely on memory, transcription, or puzzle-solving without assistance mechanisms or alternatives.
Why It Matters
Cognitive function tests in authentication create significant barriers for people with cognitive disabilities, memory impairments, and learning disabilities. Users with short-term memory impairments may be unable to memorize one-time codes or remember complex passwords without a password manager. People with dyslexia may struggle to accurately transcribe codes or solve text-based CAPTCHAs. Users with intellectual disabilities may not be able to solve puzzle-based authentication challenges. Older adults experiencing cognitive decline may find complex authentication procedures impossible to complete. When websites prevent password managers from functioning by disabling paste in password fields, or when they require users to transcribe a code displayed on a separate device, they force users to rely on cognitive abilities they may not have. This can lock users out of essential services including banking, healthcare, and government portals. By allowing password managers to work, supporting autofill, providing alternative authentication methods like biometric login or magic links, and avoiding unnecessary CAPTCHAs, websites ensure that authentication is accessible to the broadest range of users.
Common Failures and How to Fix Them
Password field blocks paste from password managers
A login form prevents users from pasting passwords into the password field using JavaScript, breaking password manager functionality and forcing users to manually type complex passwords from memory.
Failing markup:

<form action="/login" method="post">
  <label for="username">Username</label>
  <input type="text" id="username" name="username">
  <label for="password">Password</label>
  <input type="password" id="password" name="password"
         onpaste="return false;"
         oncopy="return false;"
         autocomplete="off">
  <button type="submit">Log In</button>
</form>

Corrected markup:

<form action="/login" method="post">
  <label for="username">Username</label>
  <input type="text" id="username" name="username"
         autocomplete="username">
  <label for="password">Password</label>
  <input type="password" id="password" name="password"
         autocomplete="current-password">
  <button type="submit">Log In</button>
</form>

CAPTCHA puzzle with no accessible alternative
The authentication flow includes a visual puzzle CAPTCHA that requires cognitive function to solve and provides no accessible alternative such as an audio CAPTCHA or email verification.
Failing markup:

<form action="/login" method="post">
  <label for="user">Email</label>
  <input type="email" id="user" name="email">
  <label for="pass">Password</label>
  <input type="password" id="pass" name="password">
  <!-- Puzzle CAPTCHA with no alternative -->
  <div class="captcha">
    <p>Drag the puzzle piece to the correct position to verify you are human.</p>
    <canvas id="puzzle-captcha"></canvas>
  </div>
  <button type="submit">Log In</button>
</form>

Corrected markup:

<form action="/login" method="post">
  <label for="user">Email</label>
  <input type="email" id="user" name="email" autocomplete="username">
  <label for="pass">Password</label>
  <input type="password" id="pass" name="password"
         autocomplete="current-password">
  <!-- Invisible reCAPTCHA or turnstile that does not require
       user interaction in most cases -->
  <div class="cf-turnstile" data-sitekey="your-site-key"></div>
  <!-- Alternative: email verification link option -->
  <p>Having trouble? <a href="/login/email-link">Sign in with a
  magic link sent to your email</a></p>
  <button type="submit">Log In</button>
</form>

How to Test
- Attempt to log in using a password manager and verify that the password field accepts auto-filled or pasted passwords without blocking them.
- Check that the password field uses autocomplete="current-password" (or "new-password" for registration) to enable browser and password manager autofill.
- If a CAPTCHA is present, verify that an accessible alternative is available that does not require solving a visual puzzle or transcribing distorted text.
- Test two-factor authentication flows to ensure users can paste or autofill verification codes rather than being forced to memorize and re-type them.
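The first two checks can be partly automated over saved login-page markup. The following is an added example, not code from this page's author: `AuthFieldAudit`, `audit` and the two sample forms are hypothetical names and constructed inputs modelled on the failing and corrected password forms above.

```python
from html.parser import HTMLParser

# Autocomplete tokens that let browsers and password managers fill a password field.
PASSWORD_TOKENS = {"current-password", "new-password"}
# Inline handlers the failing form uses to block clipboard actions.
BLOCKING_HANDLERS = ("onpaste", "oncopy")

# Constructed samples modelled on the page's failing and corrected login forms.
FAILING = """<form action="/login" method="post">
<input type="text" id="username" name="username">
<input type="password" id="password" name="password"
  onpaste="return false;" oncopy="return false;" autocomplete="off">
</form>"""
FIXED = """<form action="/login" method="post">
<input type="text" id="username" name="username" autocomplete="username">
<input type="password" id="password" name="password"
  autocomplete="current-password">
</form>"""


class AuthFieldAudit(HTMLParser):
    """Collects (field, problem) pairs for <input> elements in a login page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        field = a.get("id") or a.get("name") or "<unnamed>"
        for handler in BLOCKING_HANDLERS:
            body = a.get(handler, "").replace(" ", "").lower()
            # Inline handlers cancel an event by returning false or calling preventDefault().
            if "returnfalse" in body or "preventdefault" in body:
                self.findings.append((field, f"{handler} handler cancels the event"))
        if a.get("type", "").lower() == "password":
            tokens = set(a.get("autocomplete", "").lower().split())
            if not tokens & PASSWORD_TOKENS:
                self.findings.append((field, "autocomplete lacks current-password/new-password"))


def audit(html):
    parser = AuthFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for label, sample in (("failing", FAILING), ("fixed", FIXED)):
        print(label, audit(sample))
```

A static scan only sees inline attributes. Paste blocking attached from script with `addEventListener` still needs the manual password-manager test from the first checklist item.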
CMS-Specific Guidance
This criterion commonly causes issues on these platforms:
- WordPress Accessibility Checklist
- Shopify Accessibility Checklist
- Drupal Accessibility Checklist
- Joomla Accessibility Checklist
- Magento Accessibility Checklist
- BigCommerce Accessibility Checklist