Skip to content

Technique F109:Failure of Success Criterion 3.3.8 and 3.3.9 due to preventing password or code re-entry in the same format

About this Technique


All technologies that require authentication.

This technique relates to:


Requiring users to authenticate by entering a password or code in a different format from which it was originally created is a failure to meet Success Criteria 3.3.8 and 3.3.9 (unless alternative authentication methods are available). The string to be entered could include a password, verification code, or any string of characters the user has to remember or record to authenticate.

If a user is required to enter individual characters across multiple fields in a way that prevents pasting the password in a single action, it prevents use of a password manager or pasting from local copy of the password. This means users cannot avoid transcription, resulting in a cognitive function test. This applies irrespective of whether users are required to enter all characters in the string, or just a subset.


These examples would prevent a user from entering a password or code in the same format in which it was originally created:

  • A fieldset that prompts a user to "Enter the 2nd, 6th and last characters of your password", with separate input fields for each character.
  • A fieldset that prompts a user to enter each digit of a verification code in a separate input (unless the user can paste the entire code in the first input, and the remaining inputs are populated automatically).
  • A password input fieldset composed of <select> elements that requires a user to select each character of a fixed-length password from individual dropdown fields.



For each form field which accepts password or code entry:

  1. Check if the structure of the input field(s) prevents the user from pasting or auto-filling the entire password or code in the format in which it was originally created.
  2. Confirm that no other acceptable authentication methods are present that satisfy Success Criteria 3.3.8 or 3.3.9 (such as an authentication method that does not rely on a cognitive function test).

Expected Results

  • If steps #1 and #2 are true, then this failure condition applies and content fails the Success Criterion.
Back to Top