WCAG 2.2. Success Criterion 3.3.8, Accessible Authentication Level AA and AAA – A Summary

The WCAG 2.2. Success Criterion 3.3.8 aims to create an accessible, user-friendly, and secure login method. Many websites use usernames and passwords for authentication, but memorizing this information poses a challenge for individuals with certain memory, attention, problem-solving, and language skills impairments.

Memory and pattern-related cognitive function tests

Having to remember a set of random characters or perform pattern-related gestures on touch screens can exclude certain users. Therefore, when employing such tests, an alternative authentication method should be made available – otherwise, Success Criteria 3.3.8 will not be satisfied. When the authentication process is multi-step, all steps must comply.

Account recovery authentication

If alternative information is used for account recovery, other than email and password or over and above email and password, an accessible test method must be available, i.e., a way that does not require memory, attention, problem-solving, and language skills. Similarly, if knowledge-based authentication involves these types of tests, user assistance must be made available.

Users should be able to complete device-based authentication actions without having to rewrite text from one place to another.

Authentication Approaches

Websites can utilize username (or email) and password inputs for authentication, allowing user agents to automatically fill in fields. Blocking user agents from this function would be considered a failure to meet this criterion.

Copy and Paste

Preventing pasting into authentication fields would constitute a failure unless an alternative method is available. Being able to copy and paste is regarded as a valid and accessible part of an authentication test.

Two-Factor Authentication Systems (Verification Codes)

Beyond usernames and passwords, sites may use two-factor authentication, requiring a verification code. As long as users can copy and paste the codes or allow user agents to automatically fill them in, that is regarded as a pass of this success criteria.

Object Recognition

CAPTCHAs used in authentication should provide a method without cognitive function tests unless meeting specific exceptions. Recognizing objects or user-provided pictures falls under cognitive function tests but is excepted at the AA level.

Personal Content

Using personal content as a secondary authentication factor is common practice. For instance, during account setup, users might upload a picture, which they are later prompted to identify from a set of options when logging in. It’s crucial to prioritize security in such scenarios to prevent unauthorized users from guessing the correct personal content when given choices.

Note that text-based personal content doesn’t meet this exception. Unlike picture-based authentication, which relies on recognition, text-based methods rely on recall and transcription. While both may present barriers to some users, text-based approaches tend to pose a larger obstacle.

Hiding Characters

Another element that can make it harder for users is when characters are concealed during typing. While this criterion mandates that users shouldn’t have to manually input (transcribe) a password, certain situations necessitate it, such as when creating a password to be stored by a password manager. Offering an option to display a password enhances success rates for individuals with cognitive disabilities or those who struggle to type accurately.

Take my Web Accessibility Online Training Course - WCAG 2.1 Compliance

Learn to design and manage WCAG compliant, accessible websites with my online course

You will learn both the techniques of accessible website design and an entire ‘framework for thinking about the subject’. It will equip you with the skills to understand, identify and fix issues any accessibility issues you come across. Watch the free videos to get a taste of what is on the course.