Cognitive-based authentication offers different methods or aid in completing

New in WCAG 2.2

Applicable Role(s): Designer, Developer


Remembering a username and password, or identifying patterns in a CAPTCHA, can increase the cognitive effort needed to authenticate. This may especially affect people who have challenges with memory, reading, numbers, or other types of info processing. Having different ways of authenticating can help people verify their account or identity in ways that work for them.

Best Practices

Provide alternative authentication methods

Alternative methods could include:

  • biometrics like facial or fingerprint recognition,
  • getting a one time code sent through email or a messaging app, or
  • a QR code scanned with a user's authentication app or external device.

These alternative methods should not rely on cognitive function tests (see the following Examples sub-section).

Examples of cognitive function tests

  • Memorization, such as remembering a username, password, set of characters, images, or patterns.
  • Transcription, such as typing in characters.
  • Use of correct spelling.
  • Performance of calculations.
  • Solving of puzzles.

Allow the use of password managers or copy/paste

Some users may struggle with manual transcription of user names, passwords, or other info. A site auto filling a password from a password manager, or letting the user copy and paste credentials into the field, helps decrease that cognitive and physical load of manually entering passwords or codes.

Criterion Note

If a script on the webpage blocks the use of password managers or copy/pasting of credentials, that page would fail this criterion.

Pattern Examples

Accessible Example: QR Codes

Rather than remembering an email and password combo, a person can opt to use a QR code and their mobile device to verify their account.

A login page starts with text fields, but offers a QR option to the right

Accessible Example: University Accounts in Microsoft Authenticator

The authenticator entry offers a one time password code, which can be copied and pasted into pages that allow it.

Microsoft authenticator shows an update that one time code is copied

It also allows the user to enable phone sign in, and use default phone authentication methods.

An authenticator account entry includes the enable phone sign-in option