Understanding WCAG SC 3.3.8 Accessible Authentication (Minimum)
Version and Level: 2.2 (Level AA)

This success criterion requires that authentication processes not rely solely on cognitive function tests, such as remembering a password or solving a puzzle, unless at least one of the following is provided:

Alternative: An alternative authentication method that does not rely on a cognitive function test.

Mechanism: A mechanism available to assist the user in completing the cognitive function test.

Object Recognition: The cognitive function test involves recognizing objects.

Personal Content: The cognitive function test involves identifying non-text content that the user previously provided to the website.

The aim is to make authentication processes accessible, reducing cognitive load while maintaining security.

Benefits:

  1. Reduced Cognitive Load: Simplifies authentication processes for users who have difficulty remembering complex passwords or solving puzzles.
  2. Inclusive Access: Ensures users with cognitive disabilities or memory impairments can authenticate without barriers.
  3. Enhanced Usability for Assistive Technology Users: Facilitates easier login for users relying on screen readers or speech input, who may find traditional methods challenging.
  4. Improved User Retention: Users are less likely to abandon a site due to difficult login processes, leading to better user retention and satisfaction.
  5. Increased Security: Minimizes errors and security risks associated with forgotten passwords or mistyped inputs by providing alternative authentication methods.

Main Objective:

To ensure that authentication processes are accessible to all users, it is crucial to provide alternatives to cognitive function tests and mechanisms to assist users when needed. Users with cognitive disabilities may face challenges with tasks such as remembering passwords, puzzles, or memory tasks. Therefore, it is mandatory to offer at least one of the following methods for authentication:

Alternative Methods: Alternatives to entering a password include asking for the user's email address and sending a login link to that address (the user is logged in automatically once the link is clicked). Another option is facial recognition.

Mechanism: Mechanisms should accommodate users who store their passwords in a password manager or another secure location. For example, websites should allow unrestricted copy-paste into password fields and must not block it with scripts or other restrictions. Meeting WCAG Success Criteria 1.3.5 (Identify Input Purpose) and 4.1.2 (Name, Role, Value) is essential: giving fields accessible names and using autocomplete attributes for stored information lets browsers and password-manager extensions fill the username and password fields automatically, which significantly improves accessibility and user experience.

Object Recognition: Object recognition should be prioritized, especially in CAPTCHA scenarios, to offer an image-based alternative that does not rely solely on users' ability to process text or solve mathematical problems. For example, users might identify specific images, such as animals or everyday objects, to verify their identity.

Personal Content: Some websites and applications, particularly workplaces, allow users to upload documents. During authentication, users may need to select an item from several options that corresponds to a previously uploaded item. This process typically involves choosing a specific image. Using images instead of text is crucial to avoid creating cognitive barriers for users.

Best Practices:

  • Provide Alternative Methods: Offer authentication methods that do not rely on cognitive function tests, such as email login links or face recognition.

  • Allow Assistive Mechanisms: Support password managers and copy-paste functionality to reduce cognitive load.

  • Use Object Recognition: Implement authentication methods that rely on recognizing objects or personal content provided by the user.

  • Ensure Flexibility: Provide multiple authentication options, such as SMS, email, or device-based authentication, to accommodate different user needs. In these scenarios, enable copy-paste functionality to eliminate the need to remember the sent code, enhancing user convenience and accessibility.

  • Enhance Usability: Ensure input fields for usernames and passwords have appropriate autocomplete attributes and are clearly labeled.

Examples & Explanation:

Example: Email Mechanism for Login

What Should Be Avoided

A social media website only allows users to log in by remembering and entering a complex password, with no alternatives or assistive mechanisms. Users must recall and type a complex password each time they log in, which can be challenging for those with cognitive impairments or memory issues. The copy-paste option is not available and is blocked by a script written by the author.

Explanation: This approach places a high cognitive load on users, making it difficult for them to authenticate and access their accounts.

What Should Be Done

The social media website provides an alternative login method. Alongside the standard username and password fields, there is an option to log in via email. When the user selects this option and enters their email address, the site sends a one-time login link to the user's email. Clicking the link logs the user into their account without needing to remember or type a password.

Explanation: This method reduces the cognitive burden by allowing users to authenticate through a simple action—clicking a link in their email. It ensures that users with cognitive impairments or memory issues can access their accounts easily and securely.
