Accessible Authentication (Minimum)
Authentication processes must not depend on cognitive function tests (memorizing characters, transcribing puzzles) without an alternative.
What it requires
Logging in by typing a memorized password is a cognitive function test. WCAG 2.2 SC 3.3.8 requires that a working alternative exist — typically a copy-paste-friendly password input, browser autofill compatibility, or an alternative authentication method (passkey, magic link, OAuth).
CAPTCHA and "type the characters in this image" puzzles are also cognitive function tests. Sites must provide an accessible alternative (audio CAPTCHA, no-CAPTCHA reCAPTCHA, or an entirely different verification method).
Common Shopify failure
Customer-account login form blocks paste on the password field. Custom signup flow with image-CAPTCHA and no audio alternative.
How to fix it
Remove `onpaste="return false"` and `autocomplete="off"` on password fields. Replace image CAPTCHA with reCAPTCHA v3 or hCaptcha (which include audio).
Primary source: W3C — WCAG 2.2 Understanding 3.3.8