Accessible Authentication Accessibility Ticket Example
Accessible authentication tickets need to name the blocked sign-in task, the exact barrier, and the acceptable alternatives. "CAPTCHA issue" is too vague for a developer backlog.
Use this example for WCAG 2.2 findings involving puzzle-only challenges, blocked password managers, disabled paste, one-time-code friction, repeated entry, or login recovery flows that depend on memory and transcription.
Open this authentication finding in the generator
Developer-ready ticket
# [Critical] Login: verification blocks password managers and requires a visual puzzle ## Summary for client / product owner Some users may be unable to sign in because the login flow requires solving a visual puzzle, blocks password-manager paste, and asks for the same one-time code again after a failed attempt. This can prevent users from managing orders, account data, or support requests. ## Developer ticket **Area / flow:** Login verification **Assistive technology context:** Not tested; impacts users who rely on password managers, copy/paste, screen readers, cognitive supports, or reduced transcription **Finding source:** WCAG 2.2 audit row **Suggested severity:** Critical **User impact:** Blocks task completion ### Expected behavior Users can complete authentication without being forced to solve a cognitive-function test or transcribe information from memory. Password managers, copy/paste, and one-time-code autofill are not blocked. If a CAPTCHA or bot check remains, an accessible alternative is available in the same flow. ### Actual behavior The login verification step requires a visual puzzle CAPTCHA. The password field blocks paste and interferes with password-manager fill. After a failed attempt, the flow asks users to re-enter the same one-time code instead of preserving or reusing the submitted code. ### Reproduction steps 1. Open the login page. 2. Use a password manager or paste a saved password into the password field. 3. Continue to the verification step. 4. Attempt to complete the visual puzzle without using the mouse or visual matching. 5. Enter an incorrect one-time code once and observe whether the flow asks for the same information again. ### Evidence / raw finding - WCAG 3.3.8 audit row: authentication depends on a visual puzzle challenge. - Password-manager paste is blocked in the password field. - One-time-code input is requested again after a failed attempt. ### Likely WCAG references to verify - 3.3.7 Redundant Entry - 3.3.8 Accessible Authentication (Minimum) - 3.3.9 Accessible Authentication (Enhanced) ### Acceptance criteria - Password managers and paste are allowed for password and one-time-code fields. - One-time-code autofill works where the platform supports it. - Users are not required to solve a visual, memory, transcription, or puzzle-only test to sign in. - If abuse protection remains, it has an accessible alternative that is available without leaving the login flow. - Information already supplied during the same process is reused or remains available unless there is a documented security reason not to. ### Fix direction Remove client-side paste blocking and password-manager interference. Replace puzzle-only verification with a method that does not require a cognitive-function test, or provide an accessible alternative in the same step. Preserve submitted one-time-code context after recoverable errors where security requirements allow it.
What to include from the audit note
- Authentication task: sign in, reset password, confirm purchase, manage booking, download invoice.
- Blocked mechanism: password manager, paste, one-time-code autofill, non-visual CAPTCHA alternative, remembered information, or repeated entry.
- Security constraint: anything the developer must preserve while removing the accessibility barrier.
- Retest path: keyboard-only login, screen reader login, password-manager fill, copy/paste, and failed-attempt recovery.