Understanding Success Criterion 3.3.8: Accessible Authentication (No Exception)

Success Criterion 3.3.8 Accessible Authentication (No Exception) (Level AAA): For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.


This understanding document is part of the draft WCAG 2.2 content. It may change or be removed before the final WCAG 2.2 is published.


The purpose of this success criterion is to ensure there is an accessible, easy-to-use, and secure method to log in and access content. This criterion is the same as Accessible Authentication but without the exceptions for common objects and user-provided content.

The scenarios where the two exceptions might apply are authentication mechanisms which:


The benefits of this success criterion are similar to Accessible Authentication.

People with cognitive issues relating to memory, reading (e.g. dyslexia), numbers (e.g. dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.


The examples of this success criterion are similar to Accessible Authentication.


Each numbered item in this section represents a technique or combination of techniques that the WCAG Working Group deems sufficient for meeting this Success Criterion. However, it is not necessary to use these particular techniques. For information on using other techniques, see Understanding Techniques for WCAG Success Criteria, particularly the "Other Techniques" section.

Sufficient Techniques

  1. G218: Email link authentication
  2. @@ Providing a properly marked up email and password inputs.
  3. @@ Providing WebAuthn as an alternative to username/password.
  4. @@ Providing a 3rd party login using oAuth.
  5. @@ Using two techniques to provide 2 factor authentication.

Key Terms

cognitive function test

A task that requires the user to remember, manipulate, or transcribe information. Examples include, but are not limited to:

  • memorization, such as remembering a username, password, set of characters, images, or patterns. The common identifiers name, e-mail, and phone number are not considered cognitive function tests as they are personal to the user and consistent across websites;
  • transcription, such as typing in characters;
  • use of correct spelling;
  • performance of calculations;
  • solving of puzzles.