WCAG 2.2 (AA) SC 3.3.8 Accessible Authentication (Minimum) (w3.org)
Issue description
WCAG 3.3.8, “Accessible Authentication (Minimum)”, addresses the challenges that authentication processes, such as logging in or creating an account, can pose for users with disabilities. It aims to ensure that these processes are accessible and usable for everyone, regardless of their abilities.
Many websites have authentication processes that create barriers for users with disabilities. This can include:
- Cognitive disabilities: Users with cognitive disabilities might have difficulty remembering passwords, understanding complex instructions, or completing CAPTCHA challenges.
- Visual impairments: Users with visual impairments might struggle to see or interact with visual CAPTCHAs or understand complex layouts.
- Motor impairments: Users with motor impairments might have difficulty entering text accurately or interacting with small controls.
WCAG requirements
This guideline requires that authentication procedures can be completed without cognitive function tests, such as:
- CAPTCHA: Avoid using visual CAPTCHAs that require users to identify distorted text or images.
- Time limits: Avoid imposing time limits on authentication processes, as this can create pressure and anxiety for users with cognitive disabilities.
- Complex sequences: Avoid requiring users to remember or enter complex sequences of information.
Alternative authentication methods
The guideline suggests providing alternative authentication methods that are accessible to users with disabilities, such as:
- Biometric authentication: Fingerprint scanning, facial recognition, or other biometric methods.
- Two-factor authentication with multiple options: Offer options for receiving codes via text message, email, or authenticator apps.
- Passwordless login: Use magic links or other passwordless login methods.
Benefits
- Improved accessibility: It makes authentication processes accessible to a wider range of users with disabilities.
- Reduced barriers: It removes barriers that might prevent users from accessing accounts or services.
- Enhanced user experience: It creates a more inclusive and user-friendly experience for everyone.
Essentially, this guideline promotes accessible authentication by encouraging websites to avoid cognitive function tests and provide alternative methods that are usable by people with a variety of disabilities.
Suggestions for remediation
Remediating WCAG 3.3.8, “Accessible Authentication (Minimum)”, involves making your authentication processes accessible to users with disabilities by avoiding cognitive function tests and providing alternative authentication methods. Here’s how:
Avoid cognitive function tests
- No CAPTCHA: Avoid using visual CAPTCHAs that require users to identify distorted text or images. These are difficult for users with visual impairments and some cognitive disabilities.
- No time limits: Avoid imposing time limits on authentication processes, as this can create pressure and anxiety for users with cognitive disabilities.
- Simplify processes: Avoid requiring users to remember or enter complex sequences of information or perform mental tasks that might be challenging for those with cognitive differences.
Provide alternative authentication methods
- Biometric authentication: Offer biometric authentication methods, such as fingerprint scanning or facial recognition, if available and appropriate for your service.
- Two-factor authentication with multiple options: Provide options for receiving two-factor authentication codes, such as:
  - Text message
  - Authenticator app
- Passwordless login: Consider using passwordless login methods, such as magic links sent to the user’s email address.
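A sketch of the server side of the magic-link method listed above, added here as an illustration and not taken from the original page or from any particular product. The class name `MagicLinkStore`, the `app.example` URL, the in-memory dictionary standing in for a database table and the 15-minute validity window are all assumptions.

```python
import hashlib
import secrets
import time

# Assumed validity window for a link; set this to match your own risk appetite.
LINK_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for a table of pending login links."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._pending = {}   # sha256(token) hex digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a single-use link; the user only has to click it."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return f"https://app.example/login/verify?token={token}"

    def redeem(self, token):
        """Return (status, email); status is 'ok', 'expired' or 'invalid'."""
        # pop() removes the record on first use, so a replayed link is invalid.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return ("invalid", None)
        email, expires_at = record
        if self._now() > expires_at:
            # Hand the address back so the page can offer "send a new link"
            # without making the user retype anything or counting a failure.
            return ("expired", email)
        return ("ok", email)
```

The `expired` result is kept separate from `invalid` so that an expired link leads to a one-click resend rather than a failed-login path.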
Make authentication usable
- Clear instructions: Provide clear and concise instructions on how to complete the authentication process.
- Accessible design: Ensure that the authentication process is accessible to users with disabilities, including those who use assistive technologies. This includes:
  - Keyboard accessibility: Make sure all controls and forms in the authentication process can be operated using the keyboard.
  - Screen reader compatibility: Ensure that the authentication process is compatible with screen readers and other assistive technologies.
  - Sufficient color contrast: Use sufficient color contrast for all visual elements.
- Error handling: Provide clear and helpful error messages if the user enters incorrect information.
Testing
- Test with assistive technologies: Test the authentication process with screen readers and other assistive technologies to ensure it is accessible.
Examples
- Instead of a visual CAPTCHA: Use an audio CAPTCHA or a simple, accessible math problem.
- Instead of a time limit: Remove the time limit for entering authentication codes.
- Instead of requiring a complex password: Allow users to log in with their social media accounts or use a password manager.
By implementing these techniques, you can make your authentication processes more accessible and inclusive, allowing users with disabilities to easily access your website or application.