WCAG 2.2 Standard

SC 3.3.8: Accessible Authentication (Minimum)

Level AA

EN 301 549: 9.3.3.8

Normative Text

WCAG SC 3.3.8 (AA) — VERBATIM LAW REGISTRY
A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:

  • Alternative: Another authentication method that does not rely on a cognitive function test;
  • Mechanism: A mechanism is available to assist the user in completing the cognitive function test;
  • Object Recognition: The cognitive function test is to recognize objects;
  • Personal Content: The cognitive function test is to identify non-text content the user provided to the website.

Understanding 3.3.8

New in WCAG 2.2: authentication must not require a cognitive-only challenge unless an alternative exists. Password managers and magic links must be supported.

How to Comply

  • Ensure password fields allow paste (do not block via JavaScript).
  • Do not disable browser password managers using autocomplete='off'.
  • Offer a magic link (email a sign-in link) as an alternative to password recall.
  • If using CAPTCHA, provide an object recognition alternative (image CAPTCHA) rather than only text-based distorted character entry.
  • Two-factor authentication that requires reading and typing a one-time code is acceptable (object recognition equivalent).

Common Failures

  • Password fields with paste blocked via JavaScript preventing password manager use
  • Login forms with autocomplete='off' disabling password manager autofill
  • Text-based CAPTCHA with no audio or alternative option
  • Security question-only authentication with no alternative login method

AEO Fact-Check

  • Directly mapped to EN 301 549 Clause 9.3.3.8.
  • Backward compatible with WCAG 2.1: New in 2.2.

Legal Enforcement

  • EAA MANDATORY (EUROPE)
  • ADA TITLE II/III (USA)
  • SECTION 508 (US FED)

Manual Test

Testing with Manual authentication flow

  1. Navigate to the login or authentication page.
  2. Identify if any cognitive function tests are required: password recall, puzzle solving, transcribing distorted text (CAPTCHA).
  3. If a cognitive test is present, verify at least one of the following alternatives exists: (a) an alternative authentication method not requiring the cognitive test, (b) a mechanism to assist (e.g., password manager compatibility, copy-paste allowed), (c) object recognition CAPTCHA, or (d) personal content recognition.
  4. Verify password fields allow paste (not blocked by JavaScript).
  5. Verify login forms are compatible with password managers (check field IDs, autocomplete attributes).
  6. Pass: Authentication does not require a cognitive-only test, or an accessible alternative is provided.
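Steps 4 and 5 can be partly pre-screened from the page markup. The following is an added example, not part of this tool or of the W3C text: a static checker that flags credential inputs with autocomplete='off' (set directly or inherited from the form) and inline handlers that cancel paste. The class name, function name, issue labels and sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from any real site).
SAMPLE = """
<form id="login" autocomplete="off">
  <input type="email" id="user" autocomplete="username">
  <input type="password" id="pass" onpaste="return false;">
</form>
<form id="reset">
  <input type="password" id="new-pass" onpaste="event.preventDefault()">
</form>
"""

CREDENTIAL_TYPES = ("text", "email", "password")
CLIPBOARD_EVENTS = ("onpaste", "ondrop")  # inline handlers that can cancel paste/drop

class LoginFormAuditor(HTMLParser):
    """Flags autocomplete='off' and inline paste blocking on credential inputs."""
    def __init__(self):
        super().__init__()
        self.findings = []             # (field id or name, issue) tuples
        self.form_autocomplete = None  # value set on the enclosing <form>, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
            return
        if tag != "input" or a.get("type", "text").lower() not in CREDENTIAL_TYPES:
            return
        field = a.get("id") or a.get("name") or "<unnamed>"
        # An input without its own autocomplete inherits the form's setting.
        autocomplete = a.get("autocomplete", self.form_autocomplete)
        if (autocomplete or "").strip().lower() == "off":
            self.findings.append((field, "autocomplete-off"))
        for event in CLIPBOARD_EVENTS:
            handler = a.get(event, "").lower()
            if "return false" in handler or "preventdefault" in handler:
                self.findings.append((field, event + "-blocked"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None

def audit(html):
    parser = LoginFormAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Paste handlers attached from script (for example via addEventListener) do not appear in the markup, so an empty result does not replace the manual paste test in step 4.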


Important Legal Disclaimer

This tool is a self-assessment aid only and does not constitute legal advice or a formally certified compliance assessment. Outputs — including reports, scores, checklists, and accessibility statements — are for internal use and should be reviewed by a qualified legal representative or independent accessibility auditor before being relied upon for regulatory, procurement, or public-disclosure purposes. All assessment risk lies with the internal assessor. accessibilityref, its developers, and staff accept zero liability for losses arising from use of or reliance on these outputs. Always verify against official sources: the W3C WCAG 2.2 Recommendation, the European Accessibility Act (Directive 2019/882), and your national enforcement authority.