Authentication requires a non-exempted cognitive function test
auth-requires-cognitive-function
Rule
Authentication processes MUST NOT rely on cognitive function tests UNLESS a mechanism is available to assist the user in completing the cognitive function test. Exception: When the cognitive function test is to recognize common objects or content the user provided to the website.
Background
When an authentication process relies on a person’s ability to perform a cognitive task (such as memorizing a password, transcribing numbers, solving a puzzle, or answering questions), it places a burden on people with certain cognitive disabilities. Instead, authentication processes should provide alternatives that don’t require a cognitive task, such as supporting the use of password managers or two-factor authentication that doesn’t require retyping numbers. This will greatly reduce barriers to authentication.
How to Fix
Fix this issue by ensuring that no step in the authentication process relies only on the completion of a cognitive function test without a mechanism to assist the user in completing it.
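One way to check login markup for the password-manager and code-entry support described in the Background, as an added example that is not part of the original rule text. The function names, the heuristic for spotting a one-time-code field, and both sample forms are assumptions constructed for illustration.

```javascript
// Added example: flag login inputs that force memorizing or retyping.
// Assumption: a field is treated as a one-time-code field when it has
// inputmode="numeric" or its name/id contains "otp" or "code".
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    const body = tag.replace(/^<input/i, "").replace(/\/?>$/, "");
    const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let m;
    while ((m = re.exec(body)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    inputs.push(attrs);
  }
  return inputs;
}

function auditAuthInputs(html) {
  const findings = [];
  for (const a of parseInputs(html)) {
    const name = a.name || a.id || "(unnamed)";
    const ac = (a.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
    const isPassword = (a.type || "text").toLowerCase() === "password";
    const isCode = !isPassword && (a.inputmode === "numeric" || /otp|code/i.test(name));
    if (ac.includes("off"))
      findings.push(`${name}: autocomplete="off" asks the browser not to autofill`);
    if ("onpaste" in a && /return\s+false|preventDefault/.test(a.onpaste))
      findings.push(`${name}: paste is blocked, forcing manual transcription`);
    if (isPassword && !ac.some(t => t === "current-password" || t === "new-password"))
      findings.push(`${name}: password field lacks a password autocomplete token`);
    if (isCode && !ac.includes("one-time-code"))
      findings.push(`${name}: code field lacks autocomplete="one-time-code"`);
  }
  return findings;
}

// Constructed sample markup: a form that fails the rule and a corrected one.
const HOSTILE_FORM = `<form>
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="pw" onpaste="return false">
  <input type="text" name="otp" inputmode="numeric">
</form>`;
const FRIENDLY_FORM = `<form>
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="current-password">
  <input type="text" name="otp" inputmode="numeric" autocomplete="one-time-code">
</form>`;
console.log(auditAuthInputs(HOSTILE_FORM), auditAuthInputs(FRIENDLY_FORM));
```

A clean result only shows that the markup does not obstruct assistive mechanisms; the authentication flow still needs a manual check against the rule.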