SC 3.3.8 · Level AA · WCAG 2.2 (new in 2.2)

Accessible Authentication (Minimum)

Authentication must not require the user to solve a cognitive function test — remembering, transcribing, identifying objects — unless an alternative or a mechanism to assist is provided. Passwords, image CAPTCHAs, and copy-the-code-from-email flows are the common failures. New in WCAG 2.2.

What it asks

To authenticate, the user must not be required to perform a cognitive function test — recalling a password from memory, transcribing a code, identifying objects in images, solving a puzzle — unless one of the following is true:

  • Alternative: another authentication method that does not require a cognitive function test is available.
  • Mechanism: assistance is available to help the user complete the test (password manager autofill, copy-paste from a verification email).
  • Object recognition: the test only requires recognising objects, not solving a puzzle (this exception is narrow).
  • Personal content: the test only requires identifying non-text content the user has personally supplied (e.g. their own profile photo).

The intent is to make authentication possible for users with cognitive disabilities, memory impairments, dyslexia, and aphasia, who are systematically excluded by password-and-CAPTCHA-based flows.

How to meet it

  • Allow password managers: do not block paste into password fields, do not disable autofill, do not strip autocomplete="current-password" / autocomplete="new-password". This single change is often enough to satisfy the SC.
  • Support passkeys / WebAuthn: a biometric or device-bound credential bypasses the cognitive test entirely.
  • Support OAuth / social sign-in as an alternative path.
  • Magic links: email a one-click sign-in link instead of requiring password recall.
  • Email / SMS codes: ensure copy-paste works from the message into the field, and let the system auto-fill where the platform supports it (e.g. iOS SMS code autofill).
  • Avoid image CAPTCHAs (reCAPTCHA’s “click all the traffic lights”) unless a non-cognitive alternative is offered.
  • Allow show-password toggles: helps users with dyslexia or motor difficulties verify their input.

Common failures

  • Login forms that block paste into the password field — this single anti-pattern fails 3.3.8 outright for users dependent on password managers.
  • autocomplete="off" on password inputs, preventing browser and password-manager autofill.
  • Image-grid CAPTCHAs as the only verification step, with no audio or alternative.
  • Multi-factor flows that show a 6-digit code on one device and require the user to memorise and type it into another with no copy-paste possible.
  • Sign-in pages that require the user to identify which of nine images contains a specific object.
  • “Security question” flows that demand recall of obscure personal data (“name of first pet”) with no fallback.
  • Password rules that prohibit common patterns AND prohibit paste, forcing manual entry of an unmemorable string.
  • Authenticator-app codes with no auto-fill bridge and no copy support, requiring transcription within a 30-second window.
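
The paste-blocking and autocomplete="off" anti-patterns from the two lists above are simple enough to check mechanically. The following is an added example, not code from WCAG or any audit tool: it scans the `<input>` tags of a sign-in form for those failures and shows the corresponding remediation. The form HTML is constructed for the example.

```javascript
// Constructed sample sign-in form showing the anti-patterns named above.
const BAD_FORM = `
<form action="/login" method="post">
  <input type="email" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="off" onpaste="return false;">
</form>`;

// Parse every <input ...> tag into an attribute map (attribute names lower-cased).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*?)\/?>/gi;
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Audit password fields: inline onpaste blocker, autocomplete disabled, or no password token.
function auditLoginForm(html) {
  const findings = [];
  for (const input of parseInputs(html)) {
    if ((input.type || 'text').toLowerCase() !== 'password') continue;
    const field = input.name || input.id || '(unnamed)';
    const onpaste = (input.onpaste || '').toLowerCase();
    if (/return\s+false|preventdefault/.test(onpaste)) {
      findings.push({ field, severity: 'fail', issue: 'paste blocked by onpaste handler' });
    }
    const ac = (input.autocomplete || '').toLowerCase();
    if (ac === 'off') {
      findings.push({ field, severity: 'fail', issue: 'autocomplete="off" blocks password-manager autofill' });
    } else if (!['current-password', 'new-password'].includes(ac)) {
      findings.push({ field, severity: 'warn', issue: 'no current-password/new-password autocomplete token' });
    }
  }
  return findings;
}

// Remediation: drop inline onpaste handlers and swap autocomplete="off" for current-password.
function fixLoginForm(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    if (!/type\s*=\s*["']?password/i.test(tag)) return tag;
    return tag
      .replace(/\s+onpaste\s*=\s*(?:"[^"]*"|'[^']*'|\S+)/gi, '')
      .replace(/autocomplete\s*=\s*["']off["']/i, 'autocomplete="current-password"');
  });
}
```

Only inline `onpaste` attributes are detected here; paste blocked from a script via `addEventListener('paste', ...)` needs a runtime check in the browser, not static inspection.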

Why it matters

This is the flagship new WCAG 2.2 criterion and the one most likely to force product changes at large companies. Cognitive disabilities affect more than 1 in 10 adults, and the “remember this password” model has always failed them — the SC formalises that failure as a conformance issue.

The most common compliance path is also the cheapest: allow paste, allow autocomplete, support passkeys, support magic links. Many existing sign-in pages can become 3.3.8-compliant with the removal of three lines of anti-paste code. CAPTCHA replacements are the harder problem — modern alternatives include device-based risk scoring (Cloudflare Turnstile, hCaptcha invisible mode) and behavioural analysis, both of which bypass the cognitive test for most users.

Expect 3.3.8 to dominate 2.2 audit findings for the next several years.