WCAG 3.3.9 Accessible Authentication (Enhanced): Eliminate All Cognitive Tests from Login
Last updated: 2026-04-10
What This Criterion Requires
WCAG 3.3.9 Accessible Authentication (Enhanced) is the Level AAA counterpart to criterion 3.3.8 (Accessible Authentication (Minimum), Level AA). Both say that a cognitive function test, such as remembering a password or solving a puzzle, must not be required for any step of an authentication process unless an exception applies. 3.3.8 allows four exceptions: an alternative method that does not rely on a cognitive function test, a mechanism that helps the user complete the test, object recognition (for example picking the pictures that contain a dog), and identification of personal content the user supplied earlier (for example recognizing a photo they uploaded). 3.3.9 drops the last two. Object recognition and personal-content identification are no longer acceptable on their own; the alternative and mechanism exceptions remain.

In practice this means every step must either avoid memorization, transcription and puzzle solving altogether, or provide a way around it. A password field is acceptable only if password managers can fill it and pasting is not blocked. A one-time code delivered by SMS or an authenticator app must be pasteable or auto-fillable, because typing it in is transcription. A CAPTCHA of any kind, including image-selection and distorted-text variants, passes only if another method that needs no cognitive test is offered at the same step. Methods that satisfy the criterion without relying on an exception include passkeys and other WebAuthn authenticators (platform biometrics, hardware security keys), magic links sent by email or SMS that the user only has to open, federated sign-in through OAuth or SSO where the identity provider's own login also complies, and scanning a QR code with a device that is already signed in.

The criterion exists because cognitive function tests exclude people with cognitive disabilities, memory impairments, learning disabilities and neurological conditions. Even picking a personal photo from a grid can be impossible for someone with prosopagnosia (face blindness) or a visual processing disorder. Meeting it requires authentication architecture designed with this in mind from the start: prefer passwordless flows, and hold every fallback path (account recovery, step-up prompts, lockout handling) to the same standard.
Why It Matters
Authentication is the gateway to virtually all online services, from banking and healthcare to social media and shopping. When login depends on cognitive abilities, it locks out millions of people with cognitive disabilities, traumatic brain injuries, age-related memory decline and learning differences. The enhanced criterion recognizes that even object recognition, which the AA-level criterion permits, can be a significant barrier. People with visual agnosia cannot reliably identify objects in photos. People with prosopagnosia cannot recognize faces, even their own. People with severe anxiety may struggle with any test-like interaction during login. By requiring that no step rely on a cognitive function test without an alternative or assisting mechanism, the criterion gives the broadest possible range of users equal access to digital services. Organizations that implement passwordless authentication not only meet this criterion but also improve their security posture, because passwords remain the credential most often stolen through phishing and replayed in credential-stuffing attacks. The methods are not equal, though: passkeys and hardware security keys are phishing-resistant because the credential is bound to the site's origin, while links and codes sent by email or SMS are not, and SMS in particular is exposed to SIM-swap attacks, so those are better used as a fallback than as the primary factor.
Common Failures and How to Fix Them
How to Test
- Attempt to log in using only a password manager with auto-fill. Verify that the username and password fields carry the correct autocomplete attributes (autocomplete="username" and autocomplete="current-password"), that autocomplete="off" and paste-blocking scripts are absent, and that no step prevents the password manager from filling credentials.
- Intentionally fail authentication several times and verify that no fallback introduces a cognitive function test such as a CAPTCHA, a security question or an image recognition challenge. Brute-force protection should come from server-side rate limiting, delays or lockouts rather than from a challenge the user has to solve.
- Test the complete account recovery flow end-to-end. Confirm that password reset uses an email or SMS link the user only has to open, rather than security questions or knowledge-based verification, and that any code the message does contain can be pasted or auto-filled.
- If multi-factor authentication is offered, verify that at least one MFA option involves no cognitive test: push notification approval, a biometric prompt or a hardware key tap. Typing a six-digit code from SMS or an authenticator app is transcription, so that option counts only if the field accepts paste and carries autocomplete="one-time-code" for auto-fill.
- Review every third-party authentication integration (social login, SSO). The identity provider's own login is a step in the authentication process, so if it presents a CAPTCHA or security question with no alternative, the whole flow fails the criterion. A chain is only as strong as its weakest link.
- Test with assistive technology (screen reader, switch access) to confirm that passwordless flows such as WebAuthn prompts and magic links are fully operable without cognitive effort.
CMS-Specific Guidance
This criterion commonly causes issues on these platforms:
- Wordpress Accessibility Checklist
- Shopify Accessibility Checklist
- Wix Accessibility Checklist
- Squarespace Accessibility Checklist
- Drupal Accessibility Checklist
- Nextjs Accessibility Checklist
Further Reading
Related WCAG Criteria