Understandable / 3.3 Input Assistance
3.3.8 Accessible Authentication (Minimum)
Level AA · New in 2.2
Do not require cognitive function tests such as memorization or puzzles as the sole authentication method. Allow alternatives like password managers and copy-paste.
New success criterion added in WCAG 2.2
This criterion was introduced in WCAG 2.2 and was not part of WCAG 2.1. Refer to the links below for detailed guidance.
Why is "Accessible Authentication" needed?
Login screens exist in nearly every web service. Yet their design can sometimes prevent certain users from accessing the service at all.
The main problem is reliance on "cognitive function tests." A cognitive function test is any mechanism that requires users to memorize, transcribe, calculate, or decipher information. The prime examples are memorizing passwords and CAPTCHA (transcribing characters from an image).
- People with dyslexia take significantly longer to visually read random character strings.
- People with short-term memory difficulties (post-stroke, dementia, ADHD, etc.) make repeated errors when transcribing from screen to another field.
- People with visual impairments simply cannot read CAPTCHA images that lack alternative text.
WCAG 2.2 Success Criterion 3.3.8 requires "at least one authentication method that does not rely on a cognitive test." In practice, this means: don't block password pasting, don't interfere with password managers, allow pasting email OTPs, and offer passkeys as alternatives.
Note
"Object recognition (select photos with cats)" and "personal information verification (your own birthday)" are not subject to this criterion. Only tests that require memorization, transcription, calculation, or deciphering are in scope.
Failing Example (Paste Blocked + Memorization/Transcription)
In the form below, pasting into the password field is blocked. Additionally, login requires a cognitive test (CAPTCHA) where you must read and transcribe characters from an image. Even if you use a password manager, you cannot paste.
Try it: copy something and try to paste it into the password field — it's blocked. You must also transcribe the image characters to log in.
Passing Example (Paste Allowed, Auto-fill, Passkey)
In the form below, pasting into the password field is allowed, and autocomplete="current-password" enables password manager auto-fill. There is no cognitive test; instead, you can paste a one-time code from email or choose to sign in with a passkey (biometric authentication).
Try it: you can paste text into the password field. The OTP field also allows pasting. Try the passkey button too.
Tip
autocomplete="current-password" helps browsers and password managers recognize the field for auto-fill. autocomplete="one-time-code" hints the OS to auto-fill SMS or email one-time codes. Both eliminate the memorization and transcription burden entirely.
Implementation (Code)
Good / Recommended
Don't block pasting, set autocomplete correctly, and provide alternative authentication. These three points are sufficient to meet the criterion.
```html
<!-- ✅ Password manager friendly, paste allowed -->
<form method="post" action="/login">
  <div class="field">
    <label for="login-email">Email</label>
    <input
      type="email"
      id="login-email"
      name="email"
      autocomplete="username"
      required
    />
  </div>
  <div class="field">
    <label for="login-password">Password</label>
    <!-- No onpaste handler → paste and password managers work -->
    <input
      type="password"
      id="login-password"
      name="password"
      autocomplete="current-password"
      required
    />
  </div>
  <!-- Alternative ①: Email OTP (pasteable, autocomplete-supported) -->
  <div class="field">
    <label for="otp-code">Verification code (you can paste it from email)</label>
    <input
      type="text"
      id="otp-code"
      name="otp"
      inputmode="numeric"
      autocomplete="one-time-code"
    />
  </div>
  <button type="submit">Sign In</button>
</form>
<!-- Alternative ②: Passkey / biometric authentication (no memorization needed) -->
<button type="button" id="passkey-btn">
  Sign in with Passkey (Touch ID / Face ID)
</button>
```
Bad / Avoid
Implementations to avoid and why:
- onpaste="return false" / addEventListener('paste', e => e.preventDefault()) — Blocking password pasting disables password managers, forcing memorization and manual entry.
- Making CAPTCHA (image/audio transcription) the only gateway — Without alternatives, users with dyslexia or memory difficulties are locked out.
- Setting autocomplete="off" on password fields — This interferes with password manager auto-fill. Rarely necessary even for security.
- Embedding puzzles or math problems in the authentication step — Login screens should be usable regardless of cognitive function differences.
```html
<!-- ❌ Paste blocked + cognitive test required -->
<form>
  <label for="password">Password</label>
  <!-- onpaste="return false" blocks all pasting -->
  <input
    type="password"
    id="password"
    name="password"
    onpaste="return false"
  />
  <!-- Cognitive test: read and transcribe an image -->
  <p>Read the characters in the image below and enter them:</p>
  <img src="/captcha.png" alt="">
  <!-- alt="" → screen readers cannot read the content at all -->
  <label for="captcha">Character verification (required)</label>
  <input type="text" id="captcha" autocomplete="off" />
  <button type="submit">Sign In</button>
</form>
```
Practical Ways to Avoid Cognitive Tests
Adopt one or more of the following combinations to satisfy WCAG 3.3.8.
- Allow password copy & paste
  - Don't cancel onpaste events or block pasting via JavaScript. Keep fields in a state where password managers can auto-fill.
- Set autocomplete attributes correctly
  - Use autocomplete="current-password" for password fields, autocomplete="new-password" for registration fields, and autocomplete="username" for email fields. This enables browsers, the OS, and password managers to recognize fields accurately.
- Allow pasting email/SMS one-time codes (OTP)
  - Add autocomplete="one-time-code" to OTP input fields. iOS and Android will auto-suggest codes from email/SMS, eliminating transcription. Don't block pasting either.
- Offer passkeys / biometric authentication as an alternative
  - Passkeys via the WebAuthn API (navigator.credentials.get()) require no password or CAPTCHA. Users authenticate with Touch ID, Face ID, or PIN, completely eliminating the memorization and transcription burden.
- Object recognition (selecting from photos) is conditionally acceptable
  - "Click the images with cats"-style CAPTCHAs are not subject to this criterion. However, image recognition without alt text violates 1.1.1. The key benefit is that transcribing English characters is not required.
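The passkey alternative described above, as an added example that is not code from the original page: a client-side sign-in built on navigator.credentials.get() that falls back to the password/OTP form when the browser lacks WebAuthn or the user cancels (a NotAllowedError). The base64url helpers, the fake authenticator used for the offline demo, and the /login/passkey endpoint named in the log line are assumptions for illustration; a real deployment verifies the assertion server-side.

```javascript
// Added example (not from the original page): passkey sign-in via WebAuthn with a
// fallback path. The fake authenticator below is constructed so the flow runs offline.

// base64url <-> bytes helpers (WebAuthn challenges and responses are binary).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function bytesToBase64url(buf) {
  const bytes = buf instanceof ArrayBuffer ? new Uint8Array(buf) : buf;
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build PublicKeyCredentialRequestOptions from a server-issued challenge.
// allowCredentials stays empty so any discoverable passkey for this RP can be used.
function buildRequestOptions(challengeB64url, rpId) {
  return {
    publicKey: {
      challenge: base64urlToBytes(challengeB64url),
      rpId,
      allowCredentials: [],
      userVerification: 'preferred', // Touch ID / Face ID / PIN prompt, no password
      timeout: 60000,
    },
  };
}

// Convert the PublicKeyCredential's ArrayBuffers into a JSON-safe object for POSTing.
function serializeAssertion(credential) {
  const r = credential.response;
  return {
    id: credential.id,
    rawId: bytesToBase64url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
  };
}

// Returns the serialized assertion, or null after calling onFallback with a reason
// so the page can reveal the password/OTP form instead of dead-ending the user.
async function signInWithPasskey({ challenge, rpId, credentialsApi, onFallback = () => {} }) {
  const api = credentialsApi ?? globalThis.navigator?.credentials;
  if (!api || typeof api.get !== 'function') {
    onFallback('unsupported');
    return null;
  }
  try {
    const credential = await api.get(buildRequestOptions(challenge, rpId));
    return serializeAssertion(credential);
  } catch (err) {
    // NotAllowedError covers both user cancellation and timeout.
    onFallback(err && err.name === 'NotAllowedError' ? 'cancelled' : 'error');
    return null;
  }
}

// Constructed fake authenticator (assumption) so the flow can run outside a browser.
const fakeCredentialsApi = {
  async get(options) {
    const clientData = JSON.stringify({
      type: 'webauthn.get',
      challenge: bytesToBase64url(options.publicKey.challenge),
      origin: `https://${options.publicKey.rpId}`,
    });
    return {
      id: 'CQkJ', rawId: new Uint8Array([9, 9, 9]).buffer, type: 'public-key',
      response: {
        clientDataJSON: new Uint8Array(new TextEncoder().encode(clientData)).buffer,
        authenticatorData: new Uint8Array(37).buffer,
        signature: new Uint8Array([1, 2, 3]).buffer,
        userHandle: null,
      },
    };
  },
};
// Constructed fake that behaves like a user dismissing the biometric prompt.
const cancellingCredentialsApi = {
  async get() { const e = new Error('user cancelled'); e.name = 'NotAllowedError'; throw e; },
};

signInWithPasskey({ challenge: 'AQID', rpId: 'example.com', credentialsApi: fakeCredentialsApi })
  .then((assertion) => console.log('assertion to POST to /login/passkey (assumed endpoint):', assertion));
```

In a browser, call signInWithPasskey from the passkey button's click handler with a challenge fetched from the server and leave credentialsApi undefined so the real navigator.credentials is used; the onFallback callback is where the password and OTP fields are shown, which keeps at least one non-cognitive method available whatever the passkey outcome.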
Checklist
- The onpaste event is not cancelled on password fields
- JavaScript paste event listeners do not block pasting either
- Password fields have autocomplete="current-password" (or new-password)
- OTP fields (if present) have autocomplete="one-time-code"
- Email fields have autocomplete="username"
- CAPTCHA is not the sole authentication method; alternatives exist
- Password managers (1Password, Bitwarden, etc.) can recognize the fields — verified
- At least one of passkey, biometric authentication, or email OTP is provided as an alternative (ideal)
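The "Bad / Avoid" list and this checklist can be turned into an automated first pass. The following is an added example, not code from the original page: a dependency-free Node.js audit that scans login-form markup for the anti-patterns named above (an onpaste attribute or paste-cancelling script on password fields, autocomplete="off" or missing autocomplete on password fields, a CAPTCHA with no OTP or passkey alternative, and a CAPTCHA image with empty alt text). The regex tag scanner and the "captcha"/"passkey" name heuristics are assumptions for illustration; use a real HTML parser for production audits.

```javascript
// Added example (not from the original page): WCAG 3.3.8 login-form audit.
// The two sample forms below are constructed to mirror the page's failing and passing examples.

// Collect every <input> and <img> tag with a lowercase attribute map (regex scanner, assumption).
function parseTags(html) {
  const tags = [];
  const tagRe = /<(input|img)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ name: tag[1].toLowerCase(), attrs });
  }
  return tags;
}

// Returns a list of human-readable findings; an empty list means nothing was flagged.
function auditAuthForm(html) {
  const findings = [];
  const tags = parseTags(html);
  const inputs = tags.filter((t) => t.name === 'input');

  for (const field of inputs.filter((t) => (t.attrs.type || '').toLowerCase() === 'password')) {
    const ac = (field.attrs.autocomplete || '').toLowerCase();
    if ('onpaste' in field.attrs) findings.push('password field cancels paste via onpaste attribute');
    if (ac === 'off') findings.push('password field has autocomplete="off"');
    else if (ac !== 'current-password' && ac !== 'new-password') {
      findings.push('password field lacks autocomplete="current-password" or "new-password"');
    }
  }
  // Inline scripts that cancel paste events block password managers just as onpaste does.
  if (/addEventListener\(\s*['"]paste['"]/.test(html) && /preventDefault\(\)/.test(html)) {
    findings.push('script cancels paste events');
  }

  // Heuristic CAPTCHA detection: image source or field id/name mentioning "captcha".
  const captchaImgs = tags.filter((t) => t.name === 'img' && /captcha/i.test(t.attrs.src || ''));
  const captchaFields = inputs.filter((t) => /captcha/i.test(`${t.attrs.id || ''} ${t.attrs.name || ''}`));
  const hasCaptcha = captchaImgs.length > 0 || captchaFields.length > 0;
  // Heuristic alternatives: an OTP field, or any passkey/WebAuthn mention in the markup.
  const hasAlternative =
    inputs.some((t) => (t.attrs.autocomplete || '').toLowerCase() === 'one-time-code') ||
    /passkey|webauthn/i.test(html);
  if (hasCaptcha && !hasAlternative) {
    findings.push('CAPTCHA is the only authentication gate; no OTP or passkey alternative (SC 3.3.8)');
  }
  for (const img of captchaImgs) {
    if (!(img.attrs.alt || '').trim()) findings.push('CAPTCHA image has empty alt text (SC 1.1.1)');
  }
  return findings;
}

// Constructed samples mirroring the page's failing and passing forms.
const FAILING_FORM = `
<form>
  <input type="password" id="password" name="password" onpaste="return false" />
  <img src="/captcha.png" alt="">
  <input type="text" id="captcha" autocomplete="off" />
</form>`;

const PASSING_FORM = `
<form method="post" action="/login">
  <input type="email" id="login-email" name="email" autocomplete="username" required />
  <input type="password" id="login-password" name="password" autocomplete="current-password" required />
  <input type="text" id="otp-code" name="otp" inputmode="numeric" autocomplete="one-time-code" />
</form>
<button type="button" id="passkey-btn">Sign in with Passkey</button>`;

console.log('failing form:', auditAuthForm(FAILING_FORM));
console.log('passing form:', auditAuthForm(PASSING_FORM));
```

Run the audit over a rendered login page's HTML (for example, the template output in a CI step) and treat any finding as a failed check; the last two checklist items, password-manager recognition and the presence of a real alternative, still need a manual pass because they depend on behaviour the markup alone does not show.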
Normative References
- Success Criterion 3.3.8 Accessible Authentication (Minimum) — WCAG 2.2: the normative requirement text.
- Understanding Accessible Authentication (Minimum) — W3C: official guidance on intent, examples, and techniques.