Failure of Success Criterion 3.3.8 and 3.3.9 due to preventing password or code re-entry in the same format

When to Use

All technologies that require authentication.

Description

Requiring users to authenticate by entering a password or code in a different format from which it was originally created is a failure to meet Success Criteria 3.3.8 and 3.3.9 (unless alternative authentication methods are available). The string to be entered could include a password, verification code, or any string of characters the user has to remember or record to authenticate.

If a user is required to enter individual characters across multiple fields in a way that prevents pasting the password in a single action, it prevents use of a password manager or pasting from local copy of the password. This means users cannot avoid transcription, resulting in a cognitive function test. This applies irrespective of whether users are required to enter all characters in the string, or just a subset.

Examples

These examples would prevent a user from entering a password or code in the same format in which it was originally created:

• A fieldset that prompts a user to "Enter the 2nd, 6th and last characters of your password", with separate input fields for each character.
• A fieldset that prompts a user to enter each digit of a verification code in a separate input (unless the user can paste the entire code in the first input, and the remaining inputs are populated automatically).
• A password input fieldset composed of <select> elements that requires a user to select each character of a fixed-length password from individual dropdown fields.

Tests

Related Techniques

Resources