Accessible Authentication (Minimum) (3.3.8)
Authentication steps must not require a cognitive function test (such as remembering a password, solving a puzzle, or recognizing images) unless an alternative method, an assistance mechanism, or an object-recognition exception applies.
WCAG Reference
Applies to: WCAG 2.2 | Introduced in: WCAG 2.2 | Level: AA
What this rule checks
The scanner flags login flows that rely solely on cognitive challenges (CAPTCHAs, image puzzles, memory-based knowledge questions) without offering an accessible alternative.
Why it matters
Users with cognitive disabilities may not be able to solve puzzles, remember complex passwords, or complete CAPTCHAs. Authentication barriers lock these users out of services entirely.
Common failure patterns
- image-based CAPTCHAs with no audio or alternative verification option
- security questions that rely on memory ("What was your first pet's name?")
- login flows that block password managers from auto-filling credentials
- two-factor authentication that requires memorizing a code without allowing paste
Remediation guidance
- allow password managers to auto-fill login fields (do not use autocomplete="off" on authentication fields)
- provide an accessible CAPTCHA alternative (audio CAPTCHA, email verification, or WebAuthn)
- support passwordless authentication (magic links, biometrics, passkeys)
- allow pasting into verification code fields for users who receive codes via email or authenticator apps
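To make the remediation points above concrete, here is an added example (not part of this page or of the scanner it documents) that audits a login form's fields and challenge step against those points. It works on plain objects describing each field, a constructed stand-in for a DOM scan, so it runs outside a browser; the `role`, `pasteBlocked` and `alternatives` properties are assumptions of this example, while the autocomplete token values are the real HTML ones.

```javascript
// Autocomplete tokens that password managers and browsers act on, keyed by
// the role a field plays in the login flow (values are HTML spec tokens).
const RECOMMENDED_AUTOCOMPLETE = {
  "username": "username",
  "current-password": "current-password",
  "new-password": "new-password",
  "one-time-code": "one-time-code",
};

// Cognitive function tests per SC 3.3.8; each needs an alternative.
const COGNITIVE_CHALLENGES = new Set(["image-captcha", "puzzle", "security-question"]);

// field: { name, role, autocomplete, pasteBlocked } (constructed shape)
function auditAuthField(field) {
  const findings = [];
  const want = RECOMMENDED_AUTOCOMPLETE[field.role];
  if (field.autocomplete === "off") {
    findings.push(`${field.name}: autocomplete="off" blocks password managers; use autocomplete="${want}"`);
  } else if (want && field.autocomplete !== want) {
    findings.push(`${field.name}: expected autocomplete="${want}", got "${field.autocomplete || "none"}"`);
  }
  if (field.pasteBlocked) {
    findings.push(`${field.name}: paste is blocked; codes and passwords must be pasteable`);
  }
  return findings;
}

// challenge: { kind, alternatives: [] } where alternatives are accessible
// fallbacks such as "audio-captcha", "email-verification" or "webauthn".
function auditChallenge(challenge) {
  if (!challenge || !COGNITIVE_CHALLENGES.has(challenge.kind)) return [];
  if (challenge.alternatives && challenge.alternatives.length > 0) return [];
  return [`${challenge.kind}: cognitive test with no accessible alternative`];
}

function auditLoginFlow(fields, challenge) {
  return fields.flatMap(auditAuthField).concat(auditChallenge(challenge));
}

// Constructed samples: a failing flow and its remediated version.
const FAILING_FIELDS = [
  { name: "user", role: "username", autocomplete: "off", pasteBlocked: false },
  { name: "pass", role: "current-password", autocomplete: "off", pasteBlocked: true },
  { name: "otp", role: "one-time-code", autocomplete: undefined, pasteBlocked: true },
];
const FAILING_CHALLENGE = { kind: "image-captcha", alternatives: [] };
const FIXED_FIELDS = FAILING_FIELDS.map((f) => ({
  ...f, autocomplete: RECOMMENDED_AUTOCOMPLETE[f.role], pasteBlocked: false,
}));
const FIXED_CHALLENGE = { kind: "image-captcha", alternatives: ["audio-captcha", "webauthn"] };
```

Running `auditLoginFlow(FAILING_FIELDS, FAILING_CHALLENGE)` lists one finding per failure pattern above, and the fixed inputs produce an empty list.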
