
Success Criterion · WCAG 3.3.9

Accessible Authentication (Enhanced)

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following: an alternative authentication method that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.

Level AAA · WCAG 2.2 · Understandable · 3.3 · Input Assistance

Goal

Provide authentication without any cognitive function tests (enhanced).

What to do

Offer authentication methods that do not rely on memory, transcription, or puzzles at all, except for recognizing objects or user-provided content.

Why it matters

Some users cannot reliably complete cognitive tests; enhanced methods like passkeys remove barriers.

Success criterion

What WCAG 3.3.9 requires

Summarized directly from the official Understanding document so teams can quote the requirement accurately.

A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process, unless that step provides at least one of the following: (1) Alternative: Another authentication method that does not rely on a cognitive function test; (2) Object recognition; (3) Personal content.

Intent

Why WCAG created this requirement

  • AAA aims to eliminate cognitive barriers in authentication.
  • Strong modern auth methods (passkeys) can satisfy this well.
  • Object recognition/personal content can be used but must be accessible.

Benefits

Who gains when you pass

  • Users with cognitive disabilities can authenticate without memory challenges.
  • Users benefit from faster, safer authentication methods like passkeys.
  • Reduced lockouts and fewer support requests.

Why it matters

User impact when this criterion fails

Summaries drawn from the Understanding document help you socialize impact statements with product stakeholders.

Without cognitive-free alternatives, some users may be unable to authenticate at all.

Users may be forced into insecure coping strategies (writing passwords down) if no alternatives exist.

Overview

This AAA criterion strengthens 3.3.8 by removing the “assistance mechanism” option. Authentication must offer methods that do not depend on cognitive function tests (e.g., passkeys, device biometrics, magic links) except for object recognition or personal content recognition.

  • Offer at least one authentication method that avoids cognitive tests entirely (passkeys, magic links, trusted device).
  • Avoid mandatory transcription challenges (e.g., typing codes from images).
  • Ensure recovery flows also meet this requirement.

Reference: All summaries and highlights originate from Understanding WCAG 3.3.9 and the W3C quick reference.

Fast facts

  • Conformance level: Level AAA
  • WCAG version introduced: WCAG 2.2
  • Principle: Understandable
  • Guideline: 3.3 · Input Assistance

Examples

Make success tangible for teams

Share pass/fail snapshots to coach designers, engineers, QA, and content authors.

Passkeys

Pass

User can sign in with a passkey and never types or remembers a password.

Fail

User must memorize and type a complex password to sign in.

Recovery

Pass

Recovery uses a magic link or trusted device, with no puzzle or transcription step.

Fail

Recovery requires solving puzzles or transcribing distorted text.

Evidence to keep

Document conformance decisions

Capture artifacts for VPATs, procurement reviews, and regression testing.

  • Document supported authentication methods and which meet AA vs AAA.
  • Capture evidence of passkey/magic-link options in the UI.

Official resources

Deep dives and supporting material

Keep these links handy when writing acceptance criteria or responding to audits.

Implementation checklist

Capture progress and blockers

  • Provide at least one cognitive-free authentication method (e.g., passkeys).
  • Ensure all auth steps (including MFA and recovery) avoid cognitive tests or provide an alternative method.
  • Avoid CAPTCHA-like puzzles as part of authentication.
  • Document how your auth flows satisfy AAA criteria.

Testing ideas

Prove conformance with evidence

  • Test end-to-end authentication using the cognitive-free method.
  • Verify no step requires memorization or puzzle solving for the chosen method.
  • Test account recovery and ensure it also avoids cognitive tests.
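
The checklist and testing ideas above can be turned into a repeatable regression check. The following is an added example, not code from this page or from W3C: it audits a declarative description of an authentication flow and reports any step (sign-in, MFA, recovery) that has a mandatory cognitive test or offers no cognitive-free method. The flow layout, the method names, and the two classification sets are assumptions made for illustration.

```python
# Added example: method names and the flow layout are assumptions, not a standard schema.

# Cognitive function tests named on this page: memory, transcription, puzzles.
COGNITIVE = {"password", "captcha_puzzle", "distorted_text", "image_code_transcription"}
# Methods this page lists as avoiding cognitive tests.
COGNITIVE_FREE = {"passkey", "device_biometric", "magic_link", "trusted_device"}


def audit_flow(flow):
    """Return (step, severity, message) findings for a flow description.

    Each step has 'always_required' gates every user must complete and
    'choose_one' methods of which the user picks one.
    """
    findings = []
    for step in flow:
        name = step["step"]
        gates = step.get("always_required", [])
        choices = step.get("choose_one", [])

        # Unclassified methods need a human decision; never assume they pass.
        for method in gates + choices:
            if method not in COGNITIVE | COGNITIVE_FREE:
                findings.append((name, "review", f"unclassified method: {method}"))

        # A mandatory cognitive gate has no alternative by definition.
        for gate in gates:
            if gate in COGNITIVE:
                findings.append((name, "fail", f"mandatory cognitive test: {gate}"))

        # The step needs at least one selectable cognitive-free method.
        if choices and not any(m in COGNITIVE_FREE for m in choices):
            findings.append((name, "fail", "no cognitive-free method offered"))
    return findings


# Constructed sample flow: sign-in, MFA, and recovery are all audited.
SAMPLE_FLOW = [
    {"step": "sign-in", "always_required": ["captcha_puzzle"],
     "choose_one": ["password", "passkey"]},
    {"step": "mfa", "choose_one": ["trusted_device", "sms_code"]},
    {"step": "recovery", "choose_one": ["distorted_text"]},
]

if __name__ == "__main__":
    for step, severity, message in audit_flow(SAMPLE_FLOW):
        print(f"{severity.upper():6} {step}: {message}")
```

Keeping the flow description under version control alongside the audit output gives a dated record for the evidence section above.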
