Setting autocomplete="off" on a password field blocks the same password managers that would otherwise satisfy the "mechanism to assist" exception
3.3.8 Accessible Authentication (Minimum)
In Plain Language
3.3.8 Accessible Authentication (Minimum) is Level AA and new in WCAG 2.2. It says no step of an authentication process may require a cognitive function test -- remembering a password, transcribing characters, performing calculations, or solving a puzzle -- unless at least one of four exceptions applies[1]:
- Alternative authentication method that does not rely on a cognitive function test (passkey, WebAuthn, SSO, biometric).
- Mechanism to assist the user in completing the test -- in practice, letting a password manager fill the credential field via autocomplete="current-password".
- Object recognition -- the test is identifying objects (e.g. picking logos), not decoding text.
- Personal content -- the test uses non-text content the user previously uploaded to the site.
The compliant pattern is: set proper autocomplete tokens on credential fields, do not block paste, and offer a passwordless path (passkey, magic link, or SSO) alongside the password form. 3.3.8 is distinct from 3.3.9 Accessible Authentication (Enhanced), Level AAA, which drops the "object recognition" and "personal content" exceptions, leaving only an alternative method or a mechanism to assist.
Why It Matters
- The W3C definition of a cognitive function test covers memorization, transcription, correct spelling, calculation, and puzzle-solving[1]. A standard password field meets that definition the moment the user is asked to recall characters from memory -- which is why the criterion exists at all.
- Users with memory impairments, dyslexia, and other cognitive and learning disabilities rely on password managers to satisfy the "mechanism to assist" exception. Setting autocomplete="off" or attaching onpaste="return false" to a password field disables the exact assistive path 3.3.8 points at, converting an otherwise-compliant form into a failure.
- Text CAPTCHAs ("type the distorted characters") are transcription tasks, so they are cognitive function tests; unless the step also offers an alternative method or a mechanism to assist, they fail 3.3.8 directly. Image-grid challenges ("select all squares with traffic lights") are cognitive function tests too, but recognizing objects in images is what the object recognition exception permits at Level AA; that exception disappears at Level AAA (3.3.9), and such grids remain hard for many users, so they are not a safe default.
- Passkeys, WebAuthn, and SSO flows authenticate against a device credential or identity provider, not a memorized string. They satisfy the "alternative authentication method" exception without any user transcription or recall.
Examples
Sign In
✔ Fields support autocomplete -- password manager can fill credentials
<label for="email">Email</label>
<input id="email" type="email"
autocomplete="username">
<label for="pw">Password</label>
<input id="pw" type="password"
autocomplete="current-password">
<!-- autocomplete attributes let password managers
fill credentials automatically -->
Sign In
✘ autocomplete='off' and paste blocked -- password managers cannot help
<!-- FAILS: blocks assistive credential filling -->
<label for="email">Email</label>
<input id="email" type="email"
autocomplete="off">
<label for="pw">Password</label>
<input id="pw" type="password"
autocomplete="off"
onpaste="return false">
<!-- autocomplete="off" and onpaste block prevent
password managers from filling credentials -->
Sign In
✔ Multiple methods available -- no cognitive test required for passkey or email link
<button>Sign in with Passkey</button>
<p>or</p>
<button>Sign in with Email Link</button>
<p>or</p>
<button>Sign in with Password</button>
<!-- Passkey and email link options do not require
any cognitive function test to complete -->
Sign In
✘ Text CAPTCHA is a cognitive function test with no alternative method
<!-- FAILS: cognitive test with no alternative -->
<label for="pw">Password</label>
<input id="pw" type="password">
<div class="captcha">x7Kp2m</div>
<label for="captcha">Type the text above</label>
<input id="captcha">
<!-- Text transcription CAPTCHA requires cognitive
ability to decode distorted text, with no
alternative authentication path -->
How to Fix It
- Set the right autocomplete tokens and stop blocking paste. Use autocomplete="username" on the email/username field, autocomplete="current-password" on the sign-in password field, and autocomplete="new-password" on the registration/reset field. Remove any onpaste="return false", oncopy, or oncontextmenu handlers on credential inputs -- each of these cuts off the "mechanism to assist" exception that makes a password-based login compliant at all[1]. Note that the major browsers' built-in managers now ignore autocomplete="off" on login fields, but external managers and other tooling may still honour it, and the explicit tokens are what let any manager match the fields reliably.
- Offer a cognitive-test-free alternative. Passkeys (WebAuthn), SSO via an identity provider, and email magic links all authenticate without requiring the user to recall, transcribe, or solve anything. Any one of them satisfies the "alternative authentication method" exception independent of how the password form is built.
- Replace text and image CAPTCHAs with server-side bot detection. Distorted-text transcription is a cognitive function test with no exception of its own, so it fails 3.3.8 unless the step offers an alternative method. "Select all images with a bus" grids are object recognition, which the Level AA exception permits, but they are still cognitive function tests, they are not allowed at Level AAA (3.3.9), and they remain difficult for many users. Prefer invisible signals: honeypot fields, behavioral heuristics, or a reCAPTCHA v3-style risk score that never shows a challenge. If a visible challenge is unavoidable, keep it to object recognition or the user's own personal content, never text transcription.
- Let one-time codes be pasted. SMS and email OTP flows are transcription tasks the instant the user is asked to type the code. Use autocomplete="one-time-code" on the input so platform autofill can deliver the code directly, and do not block paste on that field.
- Verify with a real password manager. Load the sign-in form with a browser-built-in manager and at least one external manager, and confirm the username and password fields are detected and filled. A form that scores clean on attribute checks but silently defeats autofill (for example, by re-rendering the input on focus) still fails the criterion in practice.
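The static half of the checks above (tokens, autocomplete="off", paste blockers, untagged OTP fields, transcription CAPTCHAs) can be automated. The following Node.js lint is an added example written for this page; it is not code from the W3C Understanding document or from any password-manager vendor. It extracts <input> tags with a regex rather than a DOM so it runs offline on HTML strings, and the id/name heuristics it uses to recognise username, OTP and CAPTCHA fields, along with the function names auditForm, classify and passes, are this example's own assumptions. The snippets from the Examples section are embedded as its inputs, together with a constructed OTP field. It cannot catch the dynamic failure in the last step (a field re-rendered on focus), which still needs a real password manager.

```javascript
// Added example (not from the W3C page): a dependency-free Node.js lint that
// flags the 3.3.8 failure patterns in form markup. Inputs are pulled out with
// a regex instead of a DOM so it runs offline on HTML strings; the id/name
// heuristics used to spot username, OTP and CAPTCHA fields are this example's
// own assumption and should be tuned to your markup.

const INPUT_RE = /<input\b([^>]*?)\/?>/gi;
const ATTR_RE = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Autocomplete tokens that mark the field as a credential a browser or
// password manager is expected to fill (the "mechanism to assist").
const EXPECTED_TOKENS = {
  password: ["current-password", "new-password"],
  username: ["username"],
  otp: ["one-time-code"],
};

// Parse one <input> tag's attribute string into a lowercase name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").toLowerCase();
  }
  return attrs;
}

// Decide what kind of authentication field this is; null means "not one".
// type="password" is authoritative; the rest is an id/name heuristic.
function classify(attrs) {
  const type = attrs.type || "text";
  const hint = `${attrs.id || ""} ${attrs.name || ""}`;
  if (type === "password") return "password";
  if (/captcha/.test(hint)) return "captcha";
  if (/otp|one-?time|verif|\bcode/.test(hint)) return "otp";
  if (type === "email" || /user|email|login/.test(hint)) return "username";
  return null;
}

// Return a list of findings. severity "fail" defeats the mechanism-to-assist
// exception outright; "warn" means the field is probably not matched by a
// password manager even though nothing blocks it.
function auditForm(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const attrs = parseAttrs(m[1]);
    const kind = classify(attrs);
    if (!kind) continue;
    const field = attrs.id || attrs.name || "(unnamed input)";
    const report = (severity, message) => findings.push({ field, kind, severity, message });
    const tokens = (attrs.autocomplete || "").split(/\s+/).filter(Boolean);

    if (kind === "captcha") {
      // Transcription has no exception of its own: the step needs an
      // alternative method or a mechanism to assist, or it fails.
      report("fail", "transcription CAPTCHA is a cognitive function test; the step needs an alternative authentication method");
      continue;
    }
    for (const handler of ["onpaste", "oncopy", "oncontextmenu"]) {
      if (handler in attrs) report("fail", `${handler} handler blocks pasting or filling the credential`);
    }
    if (tokens.includes("off")) {
      report("fail", 'autocomplete="off" blocks the password manager (the "mechanism to assist")');
    } else if (!EXPECTED_TOKENS[kind].some((t) => tokens.includes(t))) {
      report("warn", `no autocomplete token; expected one of: ${EXPECTED_TOKENS[kind].join(", ")}`);
    }
  }
  return findings;
}

// True when nothing on the form outright defeats the mechanism-to-assist exception.
function passes(html) {
  return !auditForm(html).some((f) => f.severity === "fail");
}

// Sample inputs: the sign-in snippets from the Examples section above, plus a
// constructed OTP field.
const GOOD_SIGN_IN = `
<label for="email">Email</label>
<input id="email" type="email" autocomplete="username">
<label for="pw">Password</label>
<input id="pw" type="password" autocomplete="current-password">`;

const BAD_SIGN_IN = `
<input id="email" type="email" autocomplete="off">
<input id="pw" type="password" autocomplete="off" onpaste="return false">`;

const CAPTCHA_FORM = `
<input id="pw" type="password">
<div class="captcha">x7Kp2m</div>
<label for="captcha">Type the text above</label>
<input id="captcha">`;

const GOOD_OTP = `<input id="otp" name="otp" inputmode="numeric" autocomplete="one-time-code">`;

for (const [name, html] of Object.entries({ GOOD_SIGN_IN, BAD_SIGN_IN, CAPTCHA_FORM, GOOD_OTP })) {
  console.log(name, passes(html) ? "passes" : "FAILS", auditForm(html));
}
```

Because the autocomplete value is split into tokens, a username field tagged autocomplete="username webauthn" (the conditional-UI hint for passkeys) passes cleanly, and a field that mixes "off" with other tokens is still reported as a failure.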
References
- [1] W3C (2023). Understanding Success Criterion 3.3.8: Accessible Authentication (Minimum). W3C, Accessed 2026-04-07. https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html