Provide accessible authentication methods

Authentication often becomes the first hard blocker for users with cognitive, motor, low-vision, or speech-input needs. If sign-in, MFA, or recovery relies on memorization or transcription with no assisted path, the user may be locked out before they can access the product at all.

Quick Reference

• Do not block paste or password managers in login and recovery flows
• Prefer passkeys, magic links, device approval, or password-manager-friendly flows
• Support OTP autofill and paste with appropriate semantics such as autocomplete="one-time-code"
• Avoid CAPTCHA or secondary checks that require memorizing or transcribing information without an alternative

Check

Review login, MFA, password reset, and account recovery for accessible authentication problems. Flag blocked paste, password-manager hostility, manual transcription requirements, inaccessible OTP handling, and CAPTCHA or knowledge checks without a compliant alternative.

Fix

Add password-manager-friendly fields, support paste and OTP autofill, and provide at least one authentication path that does not depend on a cognitive function test.