wcag22aa.org

Accessible Authentication (Minimum)

WCAG 2.2 Success Criterion 3.3.8, Level AA. Logging in must not depend on a cognitive function test such as remembering a password, transcribing a code, or solving a puzzle, unless an accessible alternative or mechanism is provided.

By Levi Whitted

What it requires

The criterion covers authenticating an existing user. It does not govern account creation or choosing a username (Source: W3C, Understanding SC 3.3.8).

What counts as a cognitive function test

W3C defines it as a task that requires the user to remember, manipulate, or transcribe information. Examples include:

  • Memorizing a username, password, set of characters, image, or pattern.
  • Transcribing characters (typing in a code you have to read and copy by hand).
  • Spelling correctly, performing calculations, or solving a puzzle.

Importantly, name, email, and phone number are not cognitive function tests, because they are personal to the user and consistent across sites.

Who it helps

People with cognitive disabilities affecting memory, reading (such as dyslexia), numeracy (such as dyscalculia), or processing. Memorizing a username and password, transcribing a one-time code, or solving a CAPTCHA can place a very high or impossible burden on them.

The evidence is stark for one common barrier: in WebAIM’s screen reader user survey, CAPTCHA was ranked the single most problematic item on the web, and more than 90 percent of respondents found CAPTCHA very or somewhat difficult (Source: WebAIM Screen Reader User Survey #10).

How to meet it

The reliable approach is to let credentials be filled or pasted rather than recalled and transcribed, or to offer a method with no cognitive test at all:

  • Support password managers (the Mechanism path). Give fields proper accessible names and autocomplete attributes that identify the input purpose, so browsers and password managers can recognize and autofill them. Do not script-block autofill, and do not disable copy and paste on the username or password fields.
  • Allow one-time codes to be pasted or auto-filled. Requiring manual transcription of a 2FA code is not compliant.
  • Offer a non-cognitive method: passkeys or WebAuthn (device biometrics or PIN), federated sign-in such as OAuth, an email magic link (technique G218), or a hardware security key.

The four exceptions

A step that does involve a cognitive function test still conforms if it provides any one of these:

  1. Alternative. Another authentication method that has no cognitive function test.
  2. Mechanism. An available aid that helps complete the test — allowing a password manager to autofill, or allowing paste, is the canonical example.
  3. Object Recognition. The test is only to recognize objects (for example, “select the images with a car”). Allowed at AA, but W3C says it should be avoided.
  4. Personal Content. The test is to identify non-text content the user previously provided (for example, a photo they uploaded). Text-based personal content does not qualify, because it relies on recall and transcription.

The Object Recognition and Personal Content exceptions are exactly what the AAA version removes — see below.

Common failures

  • Blocking paste on a password or code field.
  • Scripts that prevent autofill.
  • Requiring re-entry in a different format (for example, “enter the 1st, 3rd, and 5th characters of your password”).
  • A CAPTCHA whose only path is transcription, with no cognitive-test-free alternative.

These are captured by failure F109 (Source: W3C Failure F109).

How to test it

  1. For each step of the login and account-recovery flow, ask: does it require the user to remember, manipulate, or transcribe information?
  2. If yes, confirm at least one exception is satisfied: an alternative method exists, a mechanism assists (autofill and paste enabled), it is object recognition, or it is personal content.
  3. Specifically verify that password fields allow autofill and paste, and that 2FA fields accept pasted codes.
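The autofill and paste checks from the "How to meet it" list and step 3 of the test procedure can be run statically against a form's markup. The following is an added example, not code from wcag22aa.org or W3C: it parses the `<input>` tags of two constructed login forms and reports fields that cannot be autofilled or pasted. The field-role heuristic (type, name/id hints) and the finding texts are this example's own assumptions.

```javascript
// Added example (not code from wcag22aa.org or W3C): a static audit of a login
// form's <input> markup for the autofill and paste problems listed above.
// Constructed sample markup follows; the parser only looks at <input> tags.
const FAILING_FORM = `
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="pass" autocomplete="off" onpaste="return false">
  <input type="text" name="otp" inputmode="numeric">`;
const PASSING_FORM = `
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="text" name="otp" inputmode="numeric" autocomplete="one-time-code">`;
// The autocomplete tokens browsers and password managers key on for each field role.
const EXPECTED_TOKENS = { username: ['username'], password: ['current-password', 'new-password'], code: ['one-time-code'] };

// Turn each <input ...> tag into a map of lower-cased attribute names to values.
function parseInputs(html) {
  return (html.match(/<input\b[^>]*>/gi) || []).map((tag) => {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)(?:\s*=\s*"([^"]*)")?/g)) {
      if (m[1].toLowerCase() !== 'input') attrs[m[1].toLowerCase()] = m[2] ?? '';
    }
    return attrs;
  });
}

// Classify a field by type, name/id hints or an existing autocomplete token (heuristic, assumed).
function fieldKind(a) {
  const hint = `${a.name || ''} ${a.id || ''} ${a.autocomplete || ''}`.toLowerCase();
  if ((a.type || '').toLowerCase() === 'password') return 'password';
  return /otp|one-time|code|token|2fa/.test(hint) ? 'code' : /user|login|email/.test(hint) ? 'username' : null;
}

// Report fields that cannot be autofilled or pasted. Static markup only: paste
// blocking attached later via addEventListener is not visible to this check.
function auditInputs(inputs) {
  const findings = [];
  for (const a of inputs) {
    const kind = fieldKind(a);
    if (!kind) continue; // not a credential field, out of scope for this criterion
    const field = a.name || a.id || '(unnamed)';
    const ac = (a.autocomplete || '').toLowerCase();
    if (ac === 'off') {
      findings.push({ field, problem: 'autocomplete="off" disables password-manager autofill' });
    } else if (!EXPECTED_TOKENS[kind].includes(ac)) {
      findings.push({ field, problem: `missing autocomplete="${EXPECTED_TOKENS[kind][0]}"` });
    }
    if (/return\s+false|preventdefault/i.test(a.onpaste || '')) {
      findings.push({ field, problem: 'paste is blocked by an inline onpaste handler' });
    }
  }
  return findings;
}
console.log(auditInputs(parseInputs(FAILING_FORM))); // four findings; the passing form yields none
```

A static pass like this only catches what is in the markup; the manual check in step 3 (actually pasting into the password and code fields in a browser) is still needed to catch script-attached paste handlers.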

The AAA version (3.3.9)

3.3.9 Accessible Authentication (Enhanced), Level AAA, is identical to 3.3.8 except that it removes the Object Recognition and Personal Content exceptions. That means image-recognition CAPTCHAs and “pick the photo you uploaded” challenges, which pass at AA, fail at AAA. Only the Alternative and Mechanism paths remain.

Common questions

Does Accessible Authentication ban passwords?

No. Passwords are fine as long as the user can avoid recalling and re-typing them — for example, by allowing password managers to autofill and allowing copy and paste. Blocking paste or autofill is what fails the criterion.

Does it ban CAPTCHA?

Not entirely. A CAPTCHA that requires transcribing distorted text is a cognitive function test and fails unless an alternative exists. Image object-recognition CAPTCHAs are allowed at AA under the Object Recognition exception, but W3C says they should be avoided, and they fail at AAA.

Are two-factor codes allowed?

Yes, but the user must not be forced to memorize or manually transcribe the code. Let the code be pasted or auto-filled, or use a method like a passkey or a tap-to-approve prompt.