Andrew Hick edited this page Oct 16, 2024 · 4 revisions

3.3.8 Accessible Authentication (Minimum)

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:

  • Alternative: Another authentication method that does not rely on a cognitive function test.
  • Mechanism: A mechanism is available to assist the user in completing the cognitive function test.
  • Object Recognition: The cognitive function test is to recognize objects.
  • Personal Content: The cognitive function test is to identify non-text content the user provided to the website.

Note: "Object recognition" and "Personal content" may be represented by images, video, or audio.

Note: Examples of mechanisms that satisfy this criterion include:

  • support for password entry by password managers to reduce memory need, and
  • copy and paste to reduce the cognitive burden of re-typing.

When this is applicable

When there is a sign in process.

Check sign in processes

This success criterion relates to signing in, not creating an account or proving that you're human.

Check there are no steps in a sign in process that require a cognitive test.

Examples of cognitive tests are:

  • memorising a username, password, set of characters, image or pattern
  • transcription, such as typing in characters
  • spelling or calculation tests
  • solving puzzles

It's a pass if there are cognitive tests and one or more of the following are true:

  • the cognitive test only requires a user to memorise their name, email or phone number
  • there is an alternative that does not require a cognitive test
  • there is a help mechanism available for the user to complete the test
  • the test relies on recognising physical objects
  • the test relies on recognising images, video or audio that the user has provided

Exceptions

It's not a fail if:

  • authentication is done via email links
  • sign in forms allow text to be pasted, either manually or via a password manager, including two-factor authentication codes
  • authentication methods allow sign in through a third-party account provider like Google or Apple
  • there are alternative techniques that do not require cognitive tests such as:
    • an option to scan a QR code
    • pressing a button on an external device to activate a time-based token
    • using a device's authentication mechanism, such as a fingerprint

Testing how a user gets an authentication code from a secondary device is out of scope.
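As an added example (not part of this wiki page), a small static check that flags sign in fields which block the paste and password-manager mechanism the criterion's note and the exceptions above rely on. The two HTML forms are constructed here; the `autocomplete` tokens `username`, `current-password` and `one-time-code` are standard HTML values.

```javascript
// Constructed sample markup: a sign in form that blocks pasting and password
// managers (fails the "mechanism" exception) and a corrected version.
const BLOCKING_FORM = `
<form id="login">
  <input type="text" name="user" autocomplete="off" onpaste="return false">
  <input type="password" name="pass" autocomplete="off" onpaste="return false">
  <input type="text" name="otp" inputmode="numeric" onpaste="return false">
</form>`;

const CORRECTED_FORM = `
<form id="login">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="text" name="otp" inputmode="numeric" autocomplete="one-time-code">
</form>`;

// Parse every <input ...> tag in an HTML string into a lower-cased attribute map.
function parseInputs(html) {
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const inputs = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] || a[3] || a[4] || "").trim();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return one finding per blocking pattern. An empty list means no field in the
// markup obstructs pasting or password-manager fill.
function auditSignInForm(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const name = attrs.name || attrs.id || "(unnamed)";
    const ac = (attrs.autocomplete || "").toLowerCase();
    if ("onpaste" in attrs) {
      findings.push(`${name}: onpaste handler may block pasting`);
    }
    if (attrs.type === "password" && ac !== "current-password") {
      findings.push(`${name}: password field should use autocomplete="current-password"`);
    } else if (attrs.type !== "password" && ac === "off") {
      findings.push(`${name}: autocomplete="off" hinders password managers`);
    }
  }
  return findings;
}
```

The check only sees attributes in the markup; a script that registers a paste handler with `addEventListener` is invisible to it, so a manual test that actually pastes a value into each field is still needed.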

Best practice

  • Recognising an object should not rely on things that look different in different regions, for example the colour of a taxi, bus or postbox.
  • Recognition of objects or user-provided data should not be required at all, as it will be inaccessible to some people. This is a requirement under level AAA; see W3C's 'Understanding 3.3.9 Accessible Authentication (Enhanced) (Level AAA)'.
  • Authentication should not rely on copying information from one device to another.
  • There should be no time limit on authenticating.

Mobile app testing

No difference
