Understanding Success Criterion 3.3.7: Accessible Authentication

Success Criterion 3.3.7 Accessible Authentication (Level A): For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.

Note: Examples of mechanisms include: 1) support for password entry by password managers to address the memorization cognitive function test, and 2) copy and paste to help address transcription cognitive function test.

Status

This understanding document is part of the draft WCAG 2.2 content. It may change or be removed before the final WCAG 2.2 is published.

Intent

The purpose of this success criterion is to ensure there is an accessible, easy-to-use, and secure method to log in and access content. Most web sites rely on usernames and passwords for logging in. Memorizing a username and password (or transcribing it manually) places a very high or impossible burden upon people with certain cognitive disabilities.

Remembering a password is a cognitive function test. Such tests are known to be problematic for many people with cognitive disabilities. Whether it is remembering random strings of characters, a pattern gesture to perform on a touch screen, or identifying which images include a particular object, cognitive function tests will exclude some people. When a cognitive function test is used, at least one other authentication method must be available which is not a cognitive function test.

Note

Web sites can employ username (or email) and password inputs as an authentication method if it is properly marked-up and does not block copy-paste functionality. If the login form meets Success Criterion 1.3.5 Input Purpose, Success Criterion 1.3.1: Info and Relationships, and does not block copy-paste then browser features or password managers can save the user’s information and refill the login.

If there is more than one step in the authentication process, such as with multi-factor authentication, all steps should comply with this success criterion. There should be a path through authentication that does not rely on cognitive function tests.

Being able to recover or change the email and password is an important part of authentication. If the user is authenticating with alternative information in order to recover their account, there needs to be a method that is not a cognitive function test.

Copy and paste can be relied on to avoid transcription. Examples of this are password managers automatically filling in username and passwords, or web-based command line interfaces asking for a password that can be copied from a local source. Blocking people or programs from pasting into authentication fields, or using a different format between the copied text and the input field, would force the user to transcribe information and therefore fail this criterion.

Benefits

People with cognitive issues relating to memory, reading (e.g. dyslexia), numbers (e.g. dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.

Examples

Related Resources

Resources are for information purposes only, no endorsement implied.

Techniques

Each numbered item in this section represents a technique or combination of techniques that the WCAG Working Group deems sufficient for meeting this Success Criterion. However, it is not necessary to use these particular techniques. For information on using other techniques, see Understanding Techniques for WCAG Success Criteria, particularly the "Other Techniques" section.

Sufficient Techniques

  1. G218: Email link authentication
  2. @@ Providing a properly marked up email and password inputs.
  3. @@ Providing WebAuthn as an alternative to username/password.
  4. @@ Providing a 3rd party login using oAuth.
  5. @@ Using two techniques to provide 2 factor authentication.

Key Terms

cognitive function test

A task that requires the user to remember, manipulate, or transcribe information. Examples include, but are not limited to:

  • memorization, such as remembering a username, password, set of characters, images, or patterns. The common identifiers name, e-mail, and phone number are not considered cognitive function tests as they are personal to the user and consistent across websites;
  • transcription, such as typing in characters;
  • use of correct spelling;
  • performance of calculations;
  • solving of puzzles.