Accessible Authentication | Frontend Foundations

01 — Purpose

Sign-in, MFA, password reset, and session timeout are high-traffic, high-stress flows. Inaccessible CAPTCHA, hidden errors, and keyboard traps lock users out while trying to protect the system.

See MFA verification, password strength UI, and account recovery.

02 — Principles

accessible MFA — labelled code inputs, paste support, clear errors
password manager support — correct autocomplete attributes on fields
readable error messages — linked to fields, announced, plain language
keyboard accessibility — full flow without pointer; see keyboard navigation

03 — Practice

use semantic form fields — label for, visible labels, logical tab order
expose validation errors in text — not colour-only or icon-only; see live regions for async feedback
support MFA paste and backup codes — see MFA verification
warn before session timeout with extend option — see session timeout
adequate touch targets on mobile sign-in — see touch target standards

04 — Avoid

inaccessible CAPTCHA systems — image-only challenges with no alternative
hidden validation — errors only in toast or colour change
aggressive timeout behaviour — silent logout mid-form with no warning
custom inputs that break password managers or autofill
MFA codes in split inputs with no paste support or confusing focus jumps

05 — Close

Run auth flows with wrong password, expired MFA, and locked account states. Security messaging must be readable, announceable, and actionable for everyone.

See account recovery, screen reader testing, and accessibility QA checklist.

Secure and usable sign-in

Secure systems should remain usable

Good accessible authentication

Security that excludes

Test sign-in like a stressed user