Accessible Authentication (WCAG 3.3.8)

Key takeaways

WCAG 3.3.8 (AA) prohibits cognitive function tests — transcription, recall, mental calculation — as the only way to complete any authentication step; passkeys, magic links, and paste-enabled OTP are all compliant paths.
Disabling clipboard paste in password or OTP fields removes the primary assistive mechanism and is a direct Level AA failure when no alternative authentication path exists.
The autocomplete="one-time-code" attribute on OTP inputs enables OS-level autofill from SMS, eliminating the need to manually transcribe codes and fully satisfying 3.3.8.
3.3.8 applies to every step in the authentication lifecycle — 2FA, step-up auth, and account recovery are as in-scope as the primary login screen.
Automated scanners cannot detect most 3.3.8 failures; manual testing with a password manager and assistive technology is essential to close the gap.

The full lesson

The login screen is the most important place to get accessibility right. If someone can’t pass it, they’re locked out of everything behind it.

WCAG 2.2 added Success Criterion 3.3.8 — Accessible Authentication (Minimum) — precisely because cognitive tests, paste-blocking fields, and inaccessible CAPTCHAs had become common barriers that standard audits rarely caught.

What WCAG 3.3.8 Actually Says

3.3.8 is a Level AA criterion. That means it sits at the legal compliance baseline for most jurisdictions — the EU Accessibility Act, EN 301 549, and Section 508 all require AA conformance.

The criterion says:

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of: an alternative authentication method that does not rely on a cognitive function test; a mechanism is available to assist the user in completing the cognitive function test.

Three concepts do most of the work.

Cognitive function test means any task that requires a user to remember something, transcribe something, or do a mental calculation. A distorted-text CAPTCHA is the clearest example. So is a security challenge like “What was your first pet’s name?” that requires unaided recall. Importantly, typing a password with the help of a password manager or paste is NOT a cognitive function test — the tool removes the need for unaided memory.

Alternative method means another path through authentication that skips the cognitive test entirely. A site that uses a visual CAPTCHA but also offers a phone call or magic-link alternative satisfies 3.3.8 at AA, because neither alternative demands transcription or recall.

Assistive mechanism means the interface actively helps the user complete the test — copy-paste being the main example. An OTP code the user can paste from their clipboard, or a password field that allows autofill, qualifies.

The companion criterion, 3.3.9 (Accessible Authentication Enhanced, AAA), raises the bar further. It prohibits all cognitive function tests — including image-based challenges like “click all the traffic lights” — even when alternatives exist. AAA is not a legal requirement in most contexts, but it represents the gold standard for genuinely inclusive authentication.

Why This Criterion Emerged

Before WCAG 2.2, accessibility audits routinely passed login pages that were deeply hostile to users with cognitive disabilities, memory impairments, or those who rely on assistive technology. Three antipatterns drove the creation of 3.3.8:

CAPTCHAs with no accessible alternative. Visual CAPTCHAs require users to transcribe distorted text. They offer no real accommodation for users with dyslexia, low vision, or cognitive processing differences. Audio CAPTCHAs (which comply at AA) are hard to hear in noisy environments and are often cracked by bots anyway — undermining the security argument entirely.
Paste-blocking in password fields. Many enterprise and banking products disabled clipboard paste in password and OTP fields, claiming it was a security measure. NIST SP 800-63B had already recommended allowing paste since 2017. Paste encourages long, complex, unique passwords stored in password managers. Blocking it forces users to type passwords manually, which leads to shorter, weaker passwords — and shuts out users who rely on password managers as their primary assistive tool.
Security question recall. “What city were you born in?” asked during account recovery is a cognitive function test. Users with amnesia, dementia, or simply poor autobiographical memory are disproportionately failed by this pattern. Passkeys, email verification, and hardware tokens are all more accessible alternatives.

The Compliance Matrix: What Passes and What Fails

This table maps common authentication patterns to their 3.3.8 status:

Authentication Pattern	3.3.8 AA	3.3.9 AAA	Notes
Passkey / WebAuthn	Pass	Pass	No cognitive test at all
Magic link (email)	Pass	Pass	Single click, no transcription
Biometric (fingerprint, face)	Pass	Pass	No cognitive test
Password + paste/autofill enabled	Pass	Pass	Mechanism assists completion
SMS OTP with `autocomplete="one-time-code"`	Pass	Pass	Browser/OS auto-suggests code
SMS OTP — paste enabled, no autocomplete	Pass	Pass	Copy-paste is the mechanism
Visual CAPTCHA + audio alternative	Pass	Fail	Audio alt satisfies AA; AAA requires no CAPTCHA
Visual CAPTCHA + magic link alternative	Pass	Pass	Alternative avoids test entirely
Password + paste disabled (no alt path)	Fail	Fail	Removes the only assistive mechanism
Text-distortion CAPTCHA, no alternative	Fail	Fail	Cognitive test with no workaround
Image object recognition (click traffic lights)	Fail	Fail	Even with alt at AAA; at AA, needs alternative
Security question recall, no alternative	Fail	Fail	Pure memory-based cognitive test

Designing Compliant Authentication Flows

Passkeys: the highest-compliance path

Passkeys (the consumer-facing name for FIDO2/WebAuthn credentials) are the most accessible authentication method available today. They:

Require no memorization — the credential lives on the device or in a synced password manager
Require no transcription — the user authenticates with a biometric or device PIN
Are phishing-resistant by design
Are supported natively in iOS 16+, Android 9+, macOS Ventura+, Windows 11+, Chrome 108+, and Safari 16+

Passkey adoption is accelerating in 2026. If you are designing a new authentication flow or rebuilding an existing one, passkeys should be the primary path.

OTP fields and autocomplete

When SMS or email OTP is part of your flow, two practices together eliminate the cognitive test:

<input
  type="text"
  inputmode="numeric"
  autocomplete="one-time-code"
  pattern="[0-9]*"
  aria-label="One-time passcode"
  aria-describedby="otp-help"
/>

The autocomplete="one-time-code" value tells iOS, Android, and modern browsers to suggest an autofill option when an OTP arrives by SMS. The user taps one button — no transcription needed.

Never split OTP into six separate single-digit inputs without binding the first field’s autocomplete="one-time-code". The browser suggestion only triggers when it can insert the full code in a single action.

Paste must also work. Test it yourself: copy a code manually and paste it. If any JavaScript listener strips or blocks the paste, remove it.

Password fields

Most existing password implementations only need two changes:

Remove any onpaste handlers that call event.preventDefault() on password or confirm-password fields.
Set autocomplete="current-password" on login fields and autocomplete="new-password" on registration fields — both enable password manager autofill.

<!-- Login -->
<input type="password" autocomplete="current-password" />

<!-- Registration -->
<input type="password" autocomplete="new-password" />
<input type="password" autocomplete="new-password" aria-label="Confirm password" />

Password strength meters, show/hide toggles, and inline validation on blur are all compatible with 3.3.8. They also help satisfy other criteria (3.3.1, 3.3.3), so they’re worth adding.

CAPTCHA: replace or complement

If you currently use a visual CAPTCHA with no alternative, you have three compliant paths at AA:

Replace with a behavior-based alternative. Google reCAPTCHA v3, Cloudflare Turnstile, and hCaptcha Invisible score traffic invisibly — no challenge is shown to the user. Zero cognitive test, zero user friction.
Add an audio alternative. The W3C Techniques document accepts an audio CAPTCHA as an accessible alternative. It doesn’t satisfy AAA, and users can’t always hear it clearly in public, but it meets 3.3.8 AA.
Add a non-CAPTCHA alternative path. A “Sign in with email magic link instead” option routes users around the CAPTCHA entirely. For heavily bot-targeted flows, this may be better than invisible CAPTCHA because it keeps the experience explicit and understandable.

Allow paste in all password, OTP, and PIN fields — password managers depend on it.
Use autocomplete="one-time-code" on OTP inputs to enable OS-level autofill from SMS.
Offer at least one authentication path per flow that involves no cognitive test (passkey, magic link, social auth).
Apply a 3.3.8 audit to step-up auth and account recovery screens, not just the primary login.
Test authentication flows with VoiceOver/NVDA and with a password manager to confirm autofill works end to end.

Don't

Block paste in password or OTP fields, even if the security team requests it — NIST 800-63B disagrees, and 3.3.8 codifies it.
Use a cognitive CAPTCHA as the only path through authentication with no bypass or alternative.
Assume that invisible CAPTCHA (reCAPTCHA v3) is always the answer — some environments block Google services; test the fallback.
Split OTP into six separate single-character inputs without ensuring the first input triggers OS autofill for the full code.
Forget to test account recovery and re-authentication flows — they are as in-scope as the primary login.

Cognitive Load Beyond the Criterion Letter

3.3.8 sets the hard floor. Good accessible authentication design goes further by reducing cognitive load throughout the entire flow.

Error messages. When authentication fails, say why — specifically. “Incorrect password” is more useful than “Login failed.” Even better: “That email address isn’t registered — did you mean to sign up?” Specific error messages also satisfy 3.3.1 (Error Identification) and 3.3.3 (Error Suggestion), so this is a two-for-one improvement.

Session timeout warnings. Some users take longer to authenticate — due to cognitive differences, assistive technology, or slow connectivity. They should get a warning before their session expires, plus a way to extend it (SC 2.2.1, Timing Adjustable). Hard timeouts that silently discard entered data are a cognitive and usability failure.

Visible labels on all form fields. The placeholder-as-label pattern is especially harmful on authentication forms. Labels disappear as soon as the user starts typing — exactly the moment they need the reminder most. Use top-aligned, persistent visible labels. This also satisfies SC 1.3.5 (Identify Input Purpose).

Password visibility toggles. A show/hide button on the password field reduces transcription errors and the mental effort of tracking what you’ve typed. Users with cognitive disabilities benefit the most. WCAG doesn’t require it, but NIST 800-63B recommends it, and it’s a high-value, low-effort addition.

Intersection with Other WCAG 2.2 Criteria

3.3.8 rarely operates alone. Authentication screens tend to involve several criteria at once:

2.4.11 Focus Not Obscured — cookie banners and sign-in modal overlays must not hide keyboard focus on form fields.
1.3.5 Identify Input Purpose — email, password, username, and phone fields should carry the appropriate autocomplete values for assistive technology and autofill.
3.3.7 Redundant Entry — if a registration flow asks for email in step 1 and confirmation in step 2, the confirmation should auto-populate from step 1 or be skippable. (Re-entry for verification purposes is explicitly excepted.)
3.3.1 / 3.3.3 Error Identification and Suggestion — authentication error messages must identify the field and suggest a correction where possible.
1.4.3 Contrast — field labels, placeholders, and error messages must meet 4.5:1 contrast against their backgrounds. “Ghosted” placeholder text routinely fails this check.

Practical Audit Checklist

Run through this before shipping or auditing any authentication or account recovery screen:

Password fields

Paste is enabled (test manually with clipboard paste)
autocomplete="current-password" on login; autocomplete="new-password" on registration
Show/hide toggle present and keyboard accessible

OTP and 2FA fields

autocomplete="one-time-code" set on the relevant input
Paste enabled across all OTP inputs
Full code pastes in one action (not blocked by single-digit input split)

CAPTCHA and bot-detection

No cognitive CAPTCHA without an equally prominent alternative path
If using invisible CAPTCHA (reCAPTCHA v3, Turnstile), verify fallback behavior when the score is low
Audio alternative is present and functional if visual CAPTCHA cannot be removed

Error and recovery states

Error messages name the specific problem and suggest a correction
Session timeout warns with time remaining and offers extension
Account recovery path involves no unaided memory test (no security questions as sole method)

Scope check

Audit covers: primary login, registration, 2FA/MFA step, step-up auth, account recovery, re-authentication prompts