
3.3.8 Accessible Authentication (Minimum)

Level AA, new in WCAG 2.2

Do not require cognitive function tests such as memorization or puzzles as the sole authentication method. Allow alternatives like password managers and copy-paste.

New success criterion added in WCAG 2.2

This criterion was introduced in WCAG 2.2 and was not part of WCAG 2.1. Refer to the links below for detailed guidance.

Why is "Accessible Authentication" needed?

Login screens exist in nearly every web service, yet their design can prevent certain users from accessing the service at all.

The main problem is reliance on "cognitive function tests." A cognitive function test is any mechanism that requires users to memorize, transcribe, calculate, or decipher information. The prime examples are memorized passwords and CAPTCHAs that require transcribing characters from an image.

  • People with dyslexia take significantly longer to visually read random character strings.
  • People with short-term memory difficulties (post-stroke, dementia, ADHD, etc.) make repeated errors when transcribing from screen to another field.
  • People with visual impairments simply cannot read CAPTCHA images that lack alternative text.

WCAG 2.2 Success Criterion 3.3.8 requires at least one authentication method that does not rely on a cognitive function test. In practice, this means: do not block password pasting, do not interfere with password managers, allow pasting of email OTPs, and offer passkeys as an alternative.

Note

"Object recognition (select the photos with cats)" and "personal information verification (your own birthday)" are not subject to this criterion. Only tests that require memorization, transcription, calculation, or deciphering are in scope.

Failing Example (Paste Blocked + Memorization/Transcription)

In the form below, pasting into the password field is blocked. Additionally, login requires a cognitive test (CAPTCHA) where you must read and transcribe characters from an image. Even if you use a password manager, you cannot paste.

Fail: Paste blocked + transcription-required authentication


Passing Example (Paste Allowed, Auto-fill, Passkey)

In the form below, pasting into the password field is allowed, and autocomplete="current-password" enables password manager auto-fill. There is no cognitive test; instead, you can paste a one-time code from email or choose to sign in with a passkey (biometric authentication).

Pass: Paste allowed, auto-fill supported, passkey option available


Tip

autocomplete="current-password" helps browsers and password managers recognize the field for auto-fill. autocomplete="one-time-code" lets the browser or OS offer a code received by SMS (and, on some platforms, email) directly at the field. Both remove the memorization and transcription burden.

Implementation (Code)

Good / Recommended

Don't block pasting, set autocomplete correctly, and provide alternative authentication. These three points are sufficient to meet the criterion.

<!-- ✅ Password manager friendly, paste allowed -->
<form method="post" action="/login">
  <div class="field">
    <label for="login-email">Email</label>
    <input
      type="email"
      id="login-email"
      name="email"
      autocomplete="username"
      required
    />
  </div>

  <div class="field">
    <label for="login-password">Password</label>
    <!-- No onpaste handler → paste and password managers work -->
    <input
      type="password"
      id="login-password"
      name="password"
      autocomplete="current-password"
      required
    />
  </div>

  <!-- Alternative ①: Email OTP (pasteable, autocomplete-supported) -->
  <div class="field">
    <label for="otp-code">Verification code (you can paste it from email)</label>
    <input
      type="text"
      id="otp-code"
      name="otp"
      inputmode="numeric"
      autocomplete="one-time-code"
    />
  </div>

  <button type="submit">Sign In</button>
</form>

<!-- Alternative ②: Passkey / biometric authentication (no memorization needed) -->
<button type="button" id="passkey-btn">
  Sign in with Passkey (Touch ID / Face ID)
</button>

Bad / Avoid

Implementations to avoid and why:

  • onpaste="return false" / addEventListener('paste', e => e.preventDefault())— Blocking password pasting disables password managers, forcing memorization and manual entry.
  • Making CAPTCHA (image/audio transcription) the only gateway— Without alternatives, users with dyslexia or memory difficulties are locked out.
  • Setting autocomplete="off" on password fields— This interferes with password manager auto-fill. It gives no security benefit, and modern browsers ignore it for saved logins anyway.
  • Embedding puzzles or math problems in the authentication step— Login screens should be usable regardless of cognitive function differences.

<!-- ❌ Paste blocked + cognitive test required -->
<form>
  <label for="password">Password</label>
  <!-- onpaste="return false" blocks all pasting -->
  <input
    type="password"
    id="password"
    name="password"
    onpaste="return false"
  />

  <!-- Cognitive test: read and transcribe an image -->
  <p>Read the characters in the image below and enter them:</p>
  <img src="/captcha.png" alt="">
  <!-- alt="" → screen readers cannot read the content at all -->
  <label for="captcha">Character verification (required)</label>
  <input type="text" id="captcha" name="captcha" autocomplete="off" />

  <button type="submit">Sign In</button>
</form>

Practical Ways to Avoid Cognitive Tests

Adopt one or more of the following combinations to satisfy WCAG 3.3.8.

Allow password copy & paste
Don't cancel onpaste events or block pasting via JavaScript. Keep fields in a state where password managers can auto-fill.
Set autocomplete attributes correctly
Use autocomplete="current-password" for password fields, autocomplete="new-password" for registration fields, and autocomplete="username" for email fields. This enables browsers, the OS, and password managers to recognize fields accurately.
Allow pasting email/SMS one-time codes (OTP)
Add autocomplete="one-time-code" to OTP input fields. iOS and Android can then offer a code received by SMS (and, on some platforms, email) directly from the keyboard, so the user never has to transcribe it. Do not block pasting into the field either.
Offer passkeys / biometric authentication as an alternative
Passkeys via the WebAuthn API (navigator.credentials.get()) require no password or CAPTCHA. Users authenticate with Touch ID, Face ID, or a device PIN, which removes the memorization and transcription burden completely. Because the credential is bound to the site's origin, a passkey is also phishing-resistant, which a password plus CAPTCHA never was.
Object recognition (selecting from photos) is conditionally acceptable
"Click the images with cats"-style CAPTCHAs fall under the object-recognition exception of this criterion. However, an image-recognition CAPTCHA without a text alternative still fails 1.1.1 (Non-text Content). The only thing the exception buys is that transcribing a string of characters is not required.
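As an added example (not code from the original page), the following wires the passkey button from the implementation section to navigator.credentials.get(). The /webauthn/options and /webauthn/verify endpoints, the rpId example.com and the JSON shape of the server's reply are assumptions for illustration. The base64url helpers and the options builder are pure functions that run anywhere; the fetch and navigator calls only run in a browser.

```javascript
// Added example, not from the original page. Endpoint paths, the server's
// JSON shape and the rpId are assumptions for illustration.

// WebAuthn challenges and credential IDs are binary; servers usually send
// them as base64url strings, so convert in both directions.
function base64urlToBytes(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the argument for navigator.credentials.get(). The challenge MUST be
// generated by the server (random, single-use); the client never invents one.
// userVerification "required" is what turns Touch ID / Face ID / PIN into the
// factor that replaces the password.
function buildRequestOptions(serverOptions) {
  const publicKey = {
    challenge: base64urlToBytes(serverOptions.challenge),
    rpId: serverOptions.rpId,                       // assumed, e.g. "example.com"
    timeout: serverOptions.timeout ?? 60000,
    userVerification: "required",
  };
  if (Array.isArray(serverOptions.allowCredentials) && serverOptions.allowCredentials.length > 0) {
    publicKey.allowCredentials = serverOptions.allowCredentials.map((c) => ({
      type: "public-key",
      id: base64urlToBytes(c.id),
    }));
  }
  return { publicKey };
}

// Serialize the assertion for the server, which verifies the signature with
// the stored public key and checks challenge, origin and rpId hash itself.
function assertionToJSON(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64url(new Uint8Array(cred.rawId)),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(new Uint8Array(r.clientDataJSON)),
      authenticatorData: bytesToBase64url(new Uint8Array(r.authenticatorData)),
      signature: bytesToBase64url(new Uint8Array(r.signature)),
      userHandle: r.userHandle ? bytesToBase64url(new Uint8Array(r.userHandle)) : null,
    },
  };
}

// Browser only: fetch a fresh challenge, ask the authenticator, post the result.
async function signInWithPasskey() {
  const optRes = await fetch("/webauthn/options", { method: "POST" });      // assumed endpoint
  const options = buildRequestOptions(await optRes.json());
  const cred = await navigator.credentials.get(options);
  const verifyRes = await fetch("/webauthn/verify", {                       // assumed endpoint
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(assertionToJSON(cred)),
  });
  return verifyRes.ok;
}

// Wire the button from the markup above (id="passkey-btn") when run in a page.
if (typeof document !== "undefined") {
  document.getElementById("passkey-btn")?.addEventListener("click", () => {
    signInWithPasskey().catch((err) => console.error("passkey sign-in failed", err));
  });
}
```

The security-relevant details all sit in the options: the challenge comes from the server and is used once, rpId pins the credential to the site, and userVerification forces the local biometric or PIN check. The browser records the origin in clientDataJSON and the authenticator signs over its hash, so a look-alike domain cannot replay the assertion. Where the browser supports conditional mediation, the same helper can be called with mediation: "conditional" so the passkey is offered through the autofill dropdown of a field carrying autocomplete="username webauthn".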

Checklist

  • The onpaste event is not cancelled on password fields
  • JavaScript paste event listeners do not block pasting either
  • Password fields have autocomplete="current-password" (or new-password)
  • OTP fields (if present) have autocomplete="one-time-code"
  • Email fields have autocomplete="username"
  • CAPTCHA is not the sole authentication method; alternatives exist
  • Verified that password managers (1Password, Bitwarden, etc.) recognize and fill the fields
  • At least one of passkey, biometric authentication, or email OTP is provided as an alternative (recommended)
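As an added example (not from the original page), the checklist above and the "Bad / Avoid" list can be turned into a static audit that runs over login-form markup in CI. The scanner below is a regex-based heuristic that only inspects input, img and script tags, not a full HTML parser; the GOOD_FORM and BAD_FORM snippets embedded in it are constructed for the demo and mirror the good and bad markup on this page.

```javascript
// Added example, not from the original page: a regex-based static audit of
// login markup against the checklist. Heuristic only (no real HTML parser);
// the GOOD_FORM / BAD_FORM samples below are constructed for the demo.

// Pull attributes out of one start tag such as <input type="password" ...>.
function parseAttrs(tag) {
  const body = tag.replace(/^<\s*[a-zA-Z][\w-]*/, "").replace(/\/?>$/, "");
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Returns a list of findings; an empty list means every check passed.
function auditLoginMarkup(html) {
  const findings = [];

  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = (a.type || "text").toLowerCase();
    const ac = (a.autocomplete || "").toLowerCase();
    const id = a.id || a.name || "(unnamed input)";

    // Checklist: the onpaste event is not cancelled inline.
    if (a.onpaste !== undefined && /return\s+false|preventDefault/i.test(a.onpaste)) {
      findings.push(`${id}: inline onpaste handler blocks pasting`);
    }
    // Checklist: password fields carry current-password or new-password.
    if (type === "password") {
      if (ac === "off") {
        findings.push(`${id}: autocomplete="off" on a password field blocks password managers`);
      } else if (!/\b(current|new)-password\b/.test(ac)) {
        findings.push(`${id}: password field lacks autocomplete="current-password" or "new-password"`);
      }
    }
    // Checklist: email fields carry autocomplete="username".
    if (type === "email" && !ac.split(/\s+/).includes("username")) {
      findings.push(`${id}: email field lacks autocomplete="username"`);
    }
    // Checklist: OTP fields carry one-time-code (OTP field detected by name, a heuristic).
    if (type !== "password" && /\botp\b|one-?time|verification-?code/i.test(id) && ac !== "one-time-code") {
      findings.push(`${id}: OTP field lacks autocomplete="one-time-code"`);
    }
  }

  // 1.1.1 side of the same problem: a CAPTCHA image with alt="" gives screen readers nothing.
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (/captcha/i.test(a.src || "") && (a.alt || "") === "") {
      findings.push(`img ${a.src}: CAPTCHA image has empty alt`);
    }
  }

  // Checklist: no script-level paste listener that calls preventDefault().
  for (const [, js] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (/['"]paste['"][\s\S]*?preventDefault\s*\(/.test(js)) {
      findings.push("script: paste event listener calls preventDefault()");
    }
  }

  // Checklist: CAPTCHA is not the sole gate (OTP/passkey presence is a heuristic).
  const hasCaptcha = /captcha/i.test(html);
  const hasAlternative = /one-time-code|passkey|webauthn/i.test(html);
  if (hasCaptcha && !hasAlternative) {
    findings.push("CAPTCHA appears to be the only gate: no OTP or passkey alternative found");
  }
  return findings;
}

// Constructed samples mirroring the good and bad markup on this page.
const GOOD_FORM = `
<form method="post" action="/login">
  <input type="email" id="login-email" name="email" autocomplete="username" required />
  <input type="password" id="login-password" name="password" autocomplete="current-password" required />
  <input type="text" id="otp-code" name="otp" inputmode="numeric" autocomplete="one-time-code" />
  <button type="submit">Sign In</button>
</form>
<button type="button" id="passkey-btn">Sign in with Passkey</button>`;

const BAD_FORM = `
<form>
  <input type="password" id="password" name="password" onpaste="return false" />
  <img src="/captcha.png" alt="">
  <input type="text" id="captcha" name="captcha" autocomplete="off" />
  <button type="submit">Sign In</button>
</form>
<script>
  document.getElementById('password').addEventListener('paste', (e) => e.preventDefault());
</script>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("good:", auditLoginMarkup(GOOD_FORM));   // []
  console.log("bad:", auditLoginMarkup(BAD_FORM));     // five findings
}
```

The audit flags the things a code reviewer would otherwise catch by hand: the inline onpaste, the missing autocomplete tokens, the alt="" on the CAPTCHA image, the script-level paste listener, and a CAPTCHA with no OTP or passkey alongside it. It cannot prove the manual items on the checklist (that a real password manager fills the form), so keep those as a manual verification step.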

Normative References