216digital.
Web Accessibility

ADA Risk Mitigation
Prevent and Respond to ADA Lawsuits

WCAG & Section 508
Conform with Local and International Requirements

a11y.Radar
Ongoing Monitoring and Maintenance

Consultation & Training

Is Your Website Vulnerable to Frivolous Lawsuits?
Get a Free Web Accessibility Audit to Learn Where You Stand
Find Out Today!

Web Design & Development

Marketing

PPC Management
Google & Social Media Ads

Professional SEO
Increase Organic Search Strength

Interested in Marketing?
Speak to an Expert about marketing opportunities for your brand to cultivate support and growth online.
Contact Us

About

Blog

Contact Us

  • WCAG 3.3.8: Rethinking Passwords, Codes, and CAPTCHAs

    The main login form usually isn’t the problem. It’s everything around it. The retry loop. The MFA branch that forces you to read a code on one device and type it into another. The recovery step that adds a challenge after you’re already stuck. That’s also where “hardening” changes tend to hide—paste blocked, autocomplete disabled, segmented OTP inputs that fight autofill.

    If you’ve ever been locked in a loop because you mistyped once, you already know how quickly “secure” turns into “unusable.” For some users that’s just irritating. For others—people dealing with memory limitations, dyslexia, ADHD, anxiety, or plain cognitive overload—it’s the point where access ends. WCAG 3.3.8 is essentially asking for one thing: don’t make recall or manual re-entry the only route through authentication.

    What WCAG 3.3.8 Actually Requires for Accessible Authentication

    WCAG 3.3.8 Accessible Authentication (Minimum) is easy to misread as “no passwords” or “no MFA.” It’s neither. It’s about whether the user has a path through authentication that does not depend on a cognitive function test. WCAG 3.3.8 focuses on removing authentication steps that rely on memory, transcription, or puzzle-solving when no accessible alternative exists. In practice, you cannot make “remember this” or “retype this” the gate unless you also provide a supported alternative or a mechanism that reduces the cognitive burden.

    What Counts as a Cognitive Function Test in Authentication

    A cognitive function test includes anything that requires the user to remember, transcribe, or solve something in order to log in. That includes remembering site-specific passwords, typing codes from one device into another, or solving distorted text in a CAPTCHA.

    Allowable Alternatives Under WCAG 3.3.8

    Under WCAG 3.3.8, a cognitive function test cannot be required at any step in an authentication process unless the page provides at least one of these options:

    • An alternative authentication method that does not rely on a cognitive function test
    • A mechanism that assists the user, such as password managers or copy and paste
    • A test based on object recognition
    • A test based on personal non-text content that the user previously provided

    Object recognition and personal content are exceptions at Level AA, yet they are still not ideal for many users with cognitive or perceptual disabilities. From an inclusion standpoint, it is better to avoid them when a simpler option exists, such as letting the browser fill in credentials or using passkeys.

    This applies to authenticating an existing account and to steps like multi-factor authentication and recovery. It does not formally cover sign-up, although the same patterns usually help there too.

    Cognitive Function Tests Hiding in Authentication Flows

    Most 3.3.8 issues don’t show up on the main login screen. They show up in the surrounding steps: the retry loop after a failed password, the MFA prompt, the recovery flow, or the extra verification that triggers when traffic looks unusual. When you walk through those paths end-to-end, you can see where memory or transcription slips back in.

    Memory-Based Authentication Pressure Points

    Asking users to recall a username, password, or passphrase without any assistive mechanism is a cognitive function test. Security questions like “What street did you grow up on” or “What was your first pet’s name” add even more recall pressure, often years after someone created the answers.

    Transcription-Based Authentication Pressure Points

    Many authentication flows expect people to read a one-time passcode from SMS or an authenticator app and then type it into a separate field. This becomes even harder when paste is blocked or when the code lives on a different device, and the user must move between them.

    Puzzle-Style Pressure Points and CAPTCHA

    Traditional CAPTCHAs that rely on distorted text, fine detail image selection, or audio that must be transcribed all require perception, memory, and focus under time pressure.

    If a CAPTCHA or extra test appears only after multiple failures or “suspicious” activity, it still has to comply with the success criterion.

    Fast WCAG 3.3.8 Wins With Password Managers and Paste

    Start with the stuff that breaks the widest range of users and is easiest to fix. If a password manager can’t reliably fill the form, or paste is blocked in password or code fields, the flow forces recall and transcription. That’s exactly what WCAG 3.3.8 is trying to remove.

    Implementation Details That Improve Accessible Authentication

    Allowing password managers to store and fill credentials removes the need for users to remember complex passwords. Allowing paste lets people move secure values from a password manager, secure notes, or another trusted source into the login form without retyping.

    Here’s what tends to matter in real implementations:

    • Use clear labels and proper input types so browsers and password managers can correctly identify login fields.
    • Avoid autocomplete="off" on username and password fields.
    • Do not attach scripts that block paste or interfere with autofill.

    A basic compliant login form can look like this:

    <form action="/login" method="post">
 <label for="username">Email</label>
 <input id="username" name="username" type="email"
        autocomplete="username" required>

 <label for="password">Password</label>
 <input id="password" name="password" type="password"
        autocomplete="current-password" required>

 <button type="submit">Log in</button>
 <a href="/forgot-password">Forgot password?</a>
</form>

    A show password toggle is also helpful. It lets users check what they have typed without guessing, which reduces errors for people who struggle with working memory or fine motor control.

    From a security standpoint, allowing paste and password managers aligns with modern guidance. Strong, unique passwords managed by tooling are safer than short patterns that people try to remember across dozens of sites.

    Offering Authentication Paths That Reduce Cognitive Load

    Even with perfect autofill support, passwords are still a brittle dependency. WCAG 3.3.8 expects at least one route that doesn’t ask the user to remember or retype a secret. Passwordless options are the cleanest way to do that without playing whack-a-mole with edge cases.

    Magic Links by Email

    Users enter an email address and receive a time-limited, single-use link. Clicking that link completes authentication. Done well, this path removes passwords and codes entirely.

    Third-Party Sign In

    Signing in with an existing account from a trusted provider can also reduce cognitive load when the external account is already configured for accessible authentication. It shifts the cognitive work away from your login page, so you must still consider whether the rest of your flow remains usable.

    When you implement these methods, keep security fundamentals in place. Tokens should be single-use, expire after a reasonable window, and be protected by sensible rate limits. You can keep a strong security posture without making users memorize or transcribe extra values.

    Passkeys and WebAuthn as an Accessible Authentication Pattern

    Passkeys are one of the rare shifts where security and cognitive accessibility improve together. No remembered secrets. No code transcription. Authentication becomes a device interaction, which lines up cleanly with what WCAG 3.3.8 is trying to achieve.

    Why Passkeys Align Well With WCAG 3.3.8

    Passkeys based on WebAuthn use public key cryptography tied to the user’s device. Users confirm through a fingerprint, face recognition, device PIN, or a hardware key. They do not have to remember strings or retype codes, which removes a large source of cognitive effort.

    A simplified client example might look like this:

    const cred = await navigator.credentials.get({ publicKey });

await fetch("/auth/webauthn/verify", {
 method: "POST",
 headers: { "Content-Type": "application/json" },
 body: JSON.stringify(cred),
});

    Design your interface so people can choose the method that works best for them. Do not force a single modality. Some users will prefer biometrics, others a hardware key, others a platform prompt. Always keep an accessible fallback available in case a device method fails.

    Rethinking MFA Without Creating New WCAG 3.3.8 Barriers

    MFA is where a lot of otherwise compliant logins fail. The password step might be fine, then the second factor turns into a transcription test. If the only available MFA path is “read six digits and type them,” you don’t actually have a low cognitive route through authentication under WCAG 3.3.8.

    MFA Patterns That Avoid Cognitive Barriers

    • Push notifications that allow the user to approve a sign-in with a simple action.
    • Hardware security keys that require a button press instead of code entry.
    • Device prompts that rely on the operating system’s secure authentication methods.

    If OTP is staying, the bar is simple. Make it fillable and pasteable, and don’t punish slower entry.

    • Allow paste and platform autofill for OTP fields.
    • Avoid very short expiration windows that penalize slower users.
    • Be careful with multi-input digit fields and ensure they support pasting a full code.

    A basic single-field OTP input can look like this:

    <label for="otp">Verification code</label>
<input id="otp" name="otp"
      inputmode="numeric"
      autocomplete="one-time-code">

    This keeps the security benefit of MFA without turning the second factor into a failure point.

    CAPTCHA and Bot Protection Without Cognitive Puzzles

    CAPTCHAs often get introduced after a login endpoint gets abused. The default implementations are usually cognitive tests, and they tend to appear when the user is already in a retry loop or being flagged as suspicious. That is a bad time to add a puzzle.

    Bot-Mitigation Patterns That Don’t Burden the User

    Object recognition and personal content challenges may technically meet Level AA, but they still exclude many users and should not be your first choice. A better strategy is to move bot checks out of the user’s direct path whenever possible.

    Prefer controls that don’t ask the user to prove they’re human:

    • Rate-limiting login attempts.
    • Device or geo-based risk checks.
    • Invisible CAPTCHA that runs in the background.
    • Honeypot inputs that automated scripts are likely to fill.

    For example, a simple honeypot field can look like this:

    <div style="position:absolute;left:-9999px" aria-hidden="true">
 <label for="website">Website leave blank</label>
 <input id="website" name="website" tabindex="-1" autocomplete="off">
</div>

    If the backend treats any non-empty value as a bot signal, most automated scripts are filtered without showing users a challenge at all.

    Testing Authentication Journeys Against WCAG 3.3.8

    You can’t validate WCAG 3.3.8 from markup alone. You need to run the flow the way users actually run it, including autofill, paste, and OS prompts. Then you need to intentionally trigger the “extra verification” paths because that’s where most failures live.

    Manual Tests That Matter for Accessible Authentication

    • Log in with a browser password manager and a popular third-party password manager.
    • Confirm that paste works in username, password, and OTP inputs.
    • Trigger retry flows, lockouts, and “suspicious” paths and check for hidden CAPTCHAs or extra steps.
    • Walk through every MFA route and confirm that at least one complete path avoids unsupported cognitive tests.

    Automated Checks for the Supporting Code

    Automation still helps as a tripwire, just not as the final verdict. Custom checks can flag:

    • Inputs with autocomplete="off" where credentials belong
    • Password and OTP fields that attach paste blocking handlers
    • Known CAPTCHA patterns that appear in authentication contexts

    The target is not “no friction.” The target is “no cognitive gate without a supported way through it.”

    Improving Login Usability Through WCAG 3.3.8

    WCAG 3.3.8 is much easier to handle when you treat authentication as a system, not a single screen. Most barriers show up in the supporting paths, not the main form. Once those routes are mapped and cleaned up, keeping at least one low-cognitive path end to end stops feeling like extra work and starts feeling like a more stable design pattern. You still keep strong security, but you drop the steps that slow users down or lock them out.

    If you want help threading accessible authentication and broader WCAG 2.2 requirements into your existing roadmap, 216digital can support that process. To see what that could look like for your team, you can schedule a complementary ADA Strategy Briefing.

    Greg McNeil

    January 14, 2026
    How-to Guides
    Accessibility, How-to, WCAG, WCAG 3.3.8, WCAG Compliance, WCAG conformance, web developers, web development, Website Accessibility

Find Out if Your Website is WCAG & ADA Compliant







    216digital Logo

    Our team is full of expert professionals in Web Accessibility Remediation, eCommerce Design & Development, and Marketing – ready to help you reach your goals and thrive in a competitive marketplace. 

    216 Digital, Inc. BBB Business Review

    Get in Touch

    2208 E Enterprise Pkwy
    Twinsburg, OH 44087
    216.505.4400
    info@216digital.com

    Support

    Support Desk
    Acceptable Use Policy
    Accessibility Policy
    Privacy Policy

    Web Accessibility

    Settlement & Risk Mitigation
    WCAG 2.1/2.2 AA Compliance
    Monitoring Service by a11y.Radar

    Development & Marketing

    eCommerce Development
    PPC Marketing
    Professional SEO

    About

    About Us
    Contact

    Copyright 2024 216digital. All Rights Reserved.