Understanding WCAG SC 3.3.8 – Accessible Authentication (Minimum)
A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:
Alternative
Another authentication method that does not rely on a cognitive function test.Mechanism
A mechanism is available to assist the user in completing the cognitive function test.Object Recognition
The cognitive function test is to recognize objects.Personal Content
The cognitive function test is to identify non-text content the user provided to the Web site.
“Object recognition” and “Personal content” may be represented by images, video, or audio.
Examples of mechanisms that satisfy this criterion include:
- Support for password entry by password managers to reduce memory need, and
- Copy and paste to reduce the cognitive burden of re-typing.
The intent of this success criterion is to ensure websites and apps provide authentication methods to log in that are easy to use, accessible and secure.
To make the login or authentication process accessible, one of the following must be met:
- The authentication method does not involve any cognitive function test such as solving, recalling, or transcribing. Example: recalling username and password
- An alternative authentication method is available to log in that does not involve any cognitive function test
- A mechanism like allowing copy/paste of function of passwords, allowing the users to store passwords into the browsers or third-party password managers is available
- The authentication method involves recognizing objects that are uploaded by the users as part of CAPTCHA instead of solving a picture puzzle
- The authentication method involves identifying a personal content that is non-text and already provided by the users.
Note that this criterion does not discourage CAPTCHAs as long as there is an alternative and the CAPTCHA allows simple object recognitions. Also, this criterion stresses the need for providing more than one ‘Two-Factor-Authentication’ so that the users can choose their accessible methods such as SMS, Email or device-based authentication methods.
Points to Ponder
- Design authentication processes that are accessible and secure.
- Provide alternatives for users when a certain authentication process involves too much of a cognitive burden.
- Involve more modern and sophisticated techniques such as biometric authentications and Magic Link (A one-time link sent to a user’s email or SMS to be clicked).
- Always provide a proper name, role value, and input purpose like autocomplete attribute to username and password fields.
Related Articles
- Accessibility in Digital Security
- Captcha Accessibility or Accessibility in Captcha
- Understanding SC 3.3.8:Accessible Authentication (Minimum) (Level AA) by W3C