WCAG 3.3.8 — Accessible Authentication (Minimum)
Cognitive function tests as login gates — remember this string, identify this picture, solve this puzzle — lock out users with cognitive disabilities. The AA criterion: don't require them unless there's an alternative.
What this requires
A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process, unless that step provides at least one of:
- Alternative: an alternative method that doesn't rely on a cognitive function test.
- Mechanism: a mechanism to assist the user in completing the test (a password manager, copy-paste).
- Object recognition: the test relies on recognising objects (which is exempt).
- Personal content: the test relies on identifying non-text content the user provided to the site (a profile photo).
How AI coding tools fail this
When asked to "improve security with image-based CAPTCHA" or "add a math puzzle to the login", AI tools wire up cognitive function tests that fail this criterion. Users with cognitive disabilities are locked out; the rest are slowed down.
The second pattern: CAPTCHA implementations that disable paste, so password managers can't fill them. The "mechanism to assist" path breaks; the alternative path doesn't exist either.
The third: passwordless auth that doesn't actually replace the password — it sits alongside, and the password path is required for password resets, account recovery, or session re-confirmation.
Edge cases
- Passkeys and WebAuthn are the gold standard — they replace the cognitive test entirely.
- Magic-link email auth is another good alternative.
- Password managers are the "mechanism to assist". Allowing paste is the most important single thing.
- Object recognition ("pick the photos with traffic lights") is technically exempt, but visual CAPTCHA still blocks blind users unless an audio alternative is provided.
- 3.3.8 vs 3.3.9: 3.3.8 (AA) allows alternatives and mechanisms; 3.3.9 (AAA) bans cognitive function tests outright.
How Jeikin handles this
The scanner flags login fields with onPaste preventDefault handlers, custom CAPTCHA implementations, and password fields without autocomplete="current-password". The dashboard records each finding and tracks the move to manager-friendly, alternative-bearing auth.
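As an added illustration (not Jeikin's scanner and not code from the original page), here is a small static check in JavaScript for the two markup-level patterns described above: inline paste blocking on login inputs and password fields lacking autocomplete="current-password". The regex-based tag parser, the function names, and the sample forms are all constructed assumptions.

```javascript
// Constructed example: a tag-level scan of login markup for 3.3.8 anti-patterns.
// Assumes reasonably well-formed HTML; a real scanner would use a DOM parser.
const TAG_RE = /<(input)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the raw attribute string of a tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns findings as { element, issue } for every <input> that breaks the
// "mechanism to assist" path (password managers, copy-paste).
function auditLoginMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const a = parseAttrs(m[2]);
    const type = (a.type || "text").toLowerCase();
    const label = a.name || a.id || "<unnamed>";
    // Inline onpaste handlers that cancel the event defeat password managers.
    if (/preventDefault|return\s+false/i.test(a.onpaste || "")) {
      findings.push({ element: label, issue: "paste blocked via onpaste" });
    }
    // Password fields need autocomplete="current-password" for managers to fill them.
    if (type === "password" && (a.autocomplete || "").toLowerCase() !== "current-password") {
      findings.push({ element: label, issue: "password field without autocomplete=current-password" });
    }
  }
  return findings;
}

// Constructed sample forms: one failing, one manager-friendly.
const FAILING_FORM = `
<form action="/login" method="post">
  <input type="email" name="email" autocomplete="off">
  <input type="password" name="pw" onpaste="event.preventDefault()">
</form>`;

const PASSING_FORM = `
<form action="/login" method="post">
  <input type="email" name="email" autocomplete="username">
  <input type="password" name="pw" autocomplete="current-password">
</form>`;

console.log(auditLoginMarkup(FAILING_FORM)); // two findings, both on "pw"
console.log(auditLoginMarkup(PASSING_FORM)); // []
```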