‘Accessible Authentication (Enhanced)’ must avoid authenticating users through memory, transcription or cognitive tests.


Although it can be important to authenticate users, those with cognitive impairments may have difficulty with remembering passwords or typing in one-time codes.

Some users will be unable to recall a password or series of gestures to access their accounts and require help or alternative means to authenticate.

This builds on Accessible Authentication by removing the exceptions around identify objects or non-text content the user had provided.

How to Pass ‘Accessible Authentication (Enhanced)’

If you are authenticating a user, avoid:

  • asking for a memorised password; and
  • requiring them to type in certain characters; and
  • making the solve any kind of puzzle, calculation or test.


You can ask a user to complete a cognitive test if you also provide:

  • an alternative authentication method that doesn’t require a test; or
  • help for the user in completing the test.

‘Accessible Authentication (Enhanced)’ Tips

Where you use multi-factor authentication, each stage of the process must comply.

Password recovery processes must also meet this guideline.

Personal information such as an email address or phone number is fine to use, as this is consistent across all website and unique to the user.

Supporting password autofill and password managers is providing help.

Further help could be allowing copy and paste into password fields to reduce re-typing.

Enable users to toggle hidden characters on and off, for example when typing in a password.

Avoid asking for certain characters from a password as this means the user cannot use copy and paste.

You can send an authentication link to a user and skip the need for passwords.

See Also

About Author

I'm Luke, I started Wuhcag in 2012 to help people like you get to grips with web accessibility. Check out my book, 'How to Meet the WCAG 2.0'.

Leave Comment