// guide

Accessible Authentication: WCAG 3.3.8 and Passwordless Login

Logging in is where many people with cognitive disabilities get stuck — memorizing passwords, transcribing codes, and solving CAPTCHAs are all cognitive function tests. This guide covers WCAG 3.3.8, why blocking paste and password managers fails it, and how passkeys, magic links, and proper autocomplete make authentication both accessible and more secure.

intermediate forms

// 01 · why authentication locks people out

Why Authentication Locks People Out

For a lot of users, the login screen is the hardest part of a website — harder than anything they came to do. Remembering a unique password, reading a distorted CAPTCHA, or copying a six-digit code from one app to another all lean on memory, attention, and processing that people with cognitive and learning disabilities may not be able to rely on. When they cannot get past the login, everything behind it is inaccessible, no matter how well built.

WCAG 2.2 addressed this directly with a new requirement aimed at the login process itself. The principle: authentication should verify who you are, not how good your memory is. Meeting it happens to push you toward methods — password managers, passkeys, magic links — that are also more secure, so accessibility and security pull in the same direction here.

// 02 · what wcag requires

What WCAG Requires

Two authentication criteria arrived in WCAG 2.2, plus a related one about not re-entering information.

Criterion Level Requires
3.3.8 Accessible Authentication (Minimum) AA No cognitive function test required to log in, unless there's an alternative, an assistive mechanism, or the test is object/personal-content recognition
3.3.9 Accessible Authentication (Enhanced) AAA Same as 3.3.8, but the object-recognition and personal-content exceptions are removed
3.3.7 Redundant Entry A Don't make users re-enter information they already provided in the same process — auto-populate it or let them select it
What "cognitive function test" means A cognitive function test is any step that requires you to remember, manipulate, or transcribe information — recalling a password, solving a puzzle, doing arithmetic, or copying characters from an image or a text message. These are exactly the tasks that fail people with cognitive disabilities.

// 03 · how a login can still pass

How a Login Can Still Pass

3.3.8 does not ban passwords. A step that is a cognitive function test still passes if it offers at least one of these:

  • An alternative that is not a cognitive function test — for example, a "sign in with a passkey" or "email me a login link" option beside the password form.
  • A mechanism to assist — most commonly, letting a password manager fill and submit the credential. This is why supporting password managers (and never blocking paste) is the usual way password logins stay compliant.
  • Object recognition — asking the user to identify common objects (this is the exception CAPTCHAs sometimes lean on; note it is removed at AAA).
  • Personal content — recognizing non-text content the user themselves provided to the site.
The pragmatic reading For a typical password login, the realistic path to passing is: allow password managers to work (don't block paste, use the right autocomplete attributes) and ideally offer a passwordless alternative. Do both and you are comfortably clear of 3.3.8 — and closing in on the AAA version too.

// 04 · support password managers and paste

Support Password Managers and Paste

The single most common way sites fail 3.3.8 is by fighting the tools that make passwords manageable. Two rules cover most of it: never block paste, and mark up fields so managers and browsers recognize them.

An autofill-friendly login form
<form action="/login" method="post">
  <label for="email">Email</label>
  <input id="email" name="email" type="email"
         autocomplete="username" autocapitalize="none">

  <label for="password">Password</label>
  <input id="password" name="password" type="password"
         autocomplete="current-password">

  <button type="submit">Sign in</button>
</form>

<!-- One-time code field: let the browser fill it from SMS -->
<input name="otp" type="text" inputmode="numeric"
       autocomplete="one-time-code">

The right autocomplete tokens do a lot of work: username on the identifier, current-password on the login password (new-password on sign-up and change forms), and one-time-code on OTP fields so mobile browsers offer the code straight from the SMS. These reduce typing and memory load for everyone, not just users with disabilities.

Never do these Do not disable paste (onpaste="return false"), do not use autocomplete="off" on credential fields, and do not split a code into separate one-character boxes that break autofill and force manual transcription. Each of these defeats the assistive mechanism and turns your login back into a cognitive function test.

// 05 · passwordless methods

Passwordless Methods

The cleanest way to satisfy accessible authentication is to remove the memory test entirely. Passwordless methods carry no cognitive load and are, as a bonus, more resistant to phishing and credential theft.

Method How the user authenticates Why it's accessible
Passkeys (WebAuthn / FIDO2) Device unlock — biometric, PIN, or security key Nothing to remember or transcribe; passes AA and AAA
Email magic links Click a one-time link sent to their inbox No password recall; the "memory" is delegated to email
OAuth / social sign-in Authenticate through an existing provider Reuses a session the user is already signed into
Email/SMS one-time code Enter a code — but allow paste & autofill Only accessible if the code can be pasted or auto-filled

Passkeys are the strongest option on both axes — accessibility and security — and are now widely supported across browsers and platforms. Offer them as the primary path where you can, with a magic link or an autofill-friendly password form as the fallback. A one-time code is fine provided it can be pasted or auto-filled; the moment you split it into single-character boxes or block paste, it becomes a transcription test again.

// 06 · captchas and accessibility

CAPTCHAs and Accessibility

The classic CAPTCHA — transcribe the wavy text, pick the traffic lights, solve the puzzle — is a cognitive function test by definition, and often a visual one too, so it can fail multiple criteria at once. On its own, a puzzle CAPTCHA does not meet 3.3.8.

The better direction is to stop asking the user to prove they are human at all, and detect bots invisibly instead:

  • Invisible / behavioral checks that score risk from interaction signals without a challenge.
  • Honeypot fields — hidden inputs that only bots fill — which cost legitimate users nothing.
  • Device or token-based verification that runs in the background.
  • Rate limiting and server-side heuristics that never touch the user at all.
If you must use a challenge, provide an alternative Object-recognition CAPTCHAs can technically pass 3.3.8 at AA — but the recognition exception is removed at AAA, and image challenges still exclude blind users unless there is an accessible alternative. Prefer invisible bot detection; if a visible challenge is unavoidable, always offer a non-cognitive alternative path.

// 07 · common mistakes

Common Mistakes

  • Blocking paste on password or code fields. The most direct 3.3.8 failure — it forces manual transcription. Remove it.
  • autocomplete="off" on credentials. Stops managers and browsers from filling; use the correct tokens instead.
  • Split one-time-code inputs. Separate single-character boxes look tidy but break autofill and force character-by-character copying.
  • Puzzle CAPTCHAs with no alternative. A cognitive (and often visual) test with no accessible path.
  • Re-asking for known data. Making users retype an email or address they already entered in the same flow fails 3.3.7 — pre-fill or let them pick it.
  • Forcing frequent re-authentication. Short sessions that demand the whole login dance repeatedly multiply the barrier. Keep sessions reasonable and remember trusted devices.
Where this fits Authentication is a forms problem at heart — build the login on the accessible forms pattern with proper labels and error handling, and verify it end to end with the developer checklist. For the full standard, see the WCAG 2.2 overview.

Frequently asked questions

What is WCAG 3.3.8 Accessible Authentication?

3.3.8 Accessible Authentication (Minimum) is a Level AA criterion added in WCAG 2.2. It says a cognitive function test — remembering a password, solving a puzzle, transcribing characters — must not be required for any step of logging in, unless that step offers an alternative, a mechanism to help (like allowing a password manager), or the test is recognizing objects or content the user provided. In plain terms: do not force people to rely on memory or puzzle-solving to authenticate.

Is blocking paste in the password field an accessibility failure?

Yes. Disabling paste (onpaste="return false") or otherwise breaking password-manager autofill forces users to remember and manually type their credentials — exactly the cognitive function test 3.3.8 prohibits. Password managers are the mechanism to assist that lets a password-based login pass the criterion, so anything that defeats them fails it. Never block paste on any field, and especially not on passwords or one-time codes.

Are CAPTCHAs a WCAG violation?

A CAPTCHA that makes you transcribe distorted text, solve a puzzle, or identify images is a cognitive function test, so on its own it fails 3.3.8. It can still pass if an accessible alternative is offered — but the more accessible path is to drop puzzle CAPTCHAs entirely in favor of invisible, behavior-based bot detection, honeypot fields, or device-based checks that ask nothing of the user. If you must use a challenge, always provide a non-cognitive alternative.

Do passkeys satisfy accessible authentication?

Yes. Passkeys (built on WebAuthn/FIDO2) authenticate with a device unlock — biometrics, a PIN, or a security key — so there is nothing to memorize or transcribe. Because they impose no cognitive function test, they satisfy 3.3.8 and even the stricter AAA 3.3.9, while also being phishing-resistant. Passwordless methods like passkeys and email magic links are the most accessible and the most secure direction for login.

Which autocomplete values help make login forms accessible?

Use autocomplete="username" on the username/email field, autocomplete="current-password" on the login password (and new-password on sign-up/change), and autocomplete="one-time-code" on OTP fields so mobile browsers can auto-fill codes from SMS. These attributes let browsers and password managers fill credentials automatically — the assistive mechanism that keeps a password login compliant — and reduce typing for everyone.