Cognitive-based authentication offers different methods or aid in completing
New in WCAG 2.2
Overview
Remembering a username and password, or identifying patterns in a CAPTCHA, can increase the cognitive effort needed to authenticate. This may especially affect people who have challenges with memory, reading, numbers, or other types of information processing. Having different ways of authenticating can help people verify their account or identity in ways that work for them.
Best Practices and Tips
Provide alternative authentication methods
Alternative methods could include:
- biometrics like facial or fingerprint recognition,
- getting a one-time code sent through email or a messaging app, or
- a QR code scanned with a user's authentication app or external device.
These alternative methods should not rely on cognitive function tests (see the following Examples sub-section).
Examples of cognitive function tests
- Memorization, such as remembering a username, password, set of characters, images, or patterns.
- Transcription, such as typing in characters.
- Use of correct spelling.
- Performance of calculations.
- Solving of puzzles.
Allow the use of password managers or copy/paste
Some users may struggle with manual transcription of usernames, passwords, or other information. Letting the site autofill a password from a password manager, or letting the user copy and paste credentials into the field, reduces the cognitive and physical load of manually entering passwords or codes.
Criterion Note
If a script on the webpage blocks the use of password managers or copy/pasting of credentials, that page would fail this criterion.
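The following is an added example, not part of the WCAG page: a small static audit, runnable under Node without a browser, that flags login-form markup patterns which block password managers or copy/paste. The two form samples are constructed for illustration; the first disables autofill and cancels paste events (the pattern the note above says fails the criterion), the second uses the standard `autocomplete` tokens and leaves the clipboard alone. The attribute names and `preventDefault` check are real browser behaviour; the audit heuristics themselves are this example's own.

```javascript
// Constructed sample: a login form that disables autofill and blocks paste/drop.
const BLOCKING_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="off" onpaste="return false">
  <input type="password" name="pass" autocomplete="off" onpaste="return false" ondrop="return false">
  <button type="submit">Sign in</button>
</form>
<script>
  document.querySelector('[name=pass]').addEventListener('paste', e => e.preventDefault());
</script>`;

// Constructed sample: the same form with password-manager autofill and paste allowed.
const ACCESSIBLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <button type="submit">Sign in</button>
</form>`;

// Input types that commonly carry a credential (username, password, one-time code).
const CREDENTIAL_TYPES = new Set(["password", "text", "email", "tel"]);
// Inline handlers that are typically used to cancel clipboard or drag-and-drop entry.
const CLIPBOARD_HANDLERS = ["onpaste", "oncopy", "oncut", "ondrop"];

// Turn the attribute portion of an <input ...> tag into a lowercase-keyed map.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return a list of findings; an empty list means no blocking pattern was seen.
function auditAuthMarkup(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0].replace(/^<input\b/i, ""));
    const type = (attrs.type || "text").toLowerCase();
    if (!CREDENTIAL_TYPES.has(type)) continue;
    const name = attrs.name || attrs.id || "(unnamed)";
    if ((attrs.autocomplete || "").toLowerCase() === "off") {
      findings.push(`${name}: autocomplete="off" blocks password-manager autofill`);
    }
    for (const handler of CLIPBOARD_HANDLERS) {
      if (handler in attrs) {
        findings.push(`${name}: inline ${handler} handler blocks copy/paste`);
      }
    }
  }
  // Heuristic: a script that registers a paste listener and cancels the event.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    if (/addEventListener\(\s*['"]paste['"]/.test(body) && /preventDefault\s*\(/.test(body)) {
      findings.push("script: paste listener calls preventDefault()");
    }
  }
  return findings;
}

// True when the markup shows none of the blocking patterns covered by the audit.
function passesCriterionNote(html) {
  return auditAuthMarkup(html).length === 0;
}

// Usage: print the findings for both constructed samples.
console.log("blocking form:", auditAuthMarkup(BLOCKING_FORM));
console.log("accessible form passes:", passesCriterionNote(ACCESSIBLE_FORM));
```

The audit is intentionally narrow: it catches the common static patterns (`autocomplete="off"` on credential fields, inline clipboard handlers, and a paste listener that cancels the event) but cannot see behaviour added by external scripts or framework code, so a manual check with a password manager and a paste attempt remains the authoritative test.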
Examples/Patterns
Accessible Example: QR Codes
Rather than remembering an email and password combination, a person can opt to use a QR code and their mobile device to verify their account.
Accessible Example: University Accounts in Microsoft Authenticator
The authenticator entry offers a one-time password code, which can be copied and pasted into pages that allow it.
It also allows the user to enable phone sign-in and use the default phone authentication methods.