Accessible Authentication (Enhanced)
WCAG 2.2 Success Criterion 3.3.9, Level AAA. The stricter sibling of 3.3.8: no cognitive-function test at login, with even object-recognition and personal-content tests removed as exceptions.
What it requires
The difference from the AA version is what is missing: 3.3.8 also lets a cognitive test pass if it is object recognition or identifying personal content the user provided. 3.3.9 deletes both of those exemptions, leaving only the alternative and the help mechanism (Source: W3C, Understanding SC 3.3.9).
Minimum (3.3.8) vs Enhanced (3.3.9)
| Exception allowed? | 3.3.8 (AA) | 3.3.9 (AAA) |
|---|---|---|
| Alternative (non-cognitive method) | Yes | Yes |
| Mechanism (help to complete the test) | Yes | Yes |
| Object recognition (“pick the cars”) | Yes — permitted | No — removed |
| Personal content (“name your first pet”) | Yes — permitted | No — removed |
Who it helps
The same users as 3.3.8, with a stricter guarantee — people with cognitive issues relating to memory, reading (for example, dyslexia), numbers (for example, dyscalculia), or perception-processing limitations (Source: W3C, Understanding SC 3.3.9). Object-recognition and personal-content tests still place real cognitive load on these users, which is why the Enhanced level removes them.
How to meet it
The reliable path is to offer a login that needs no cognitive test at all:
- Passkeys / WebAuthn — biometric or device-based login with nothing to remember or transcribe.
- Email or SMS magic links — the user clicks a link rather than recalling a secret (technique G218; source: W3C Technique G218).
- Federated / OAuth sign-in — “Continue with…” delegates authentication to an existing session.
- Password fields that allow autofill and paste, properly marked up so password managers work (technique H100; source: W3C Technique H100).
Replace image-recognition CAPTCHA with a non-cognitive bot check (a token, a passkey step, or a privacy-preserving attestation). Avoid security questions about personal history.
Should you target it?
3.3.9 is Level AAA, and W3C does not recommend AAA as a blanket policy for entire sites (Source: W3C, Understanding Conformance). But authentication is a high-stakes, narrow surface, and modern passwordless patterns make the Enhanced bar very achievable. If you are already meeting 3.3.8 with passkeys or magic links, you are likely meeting 3.3.9 too. The main thing to retire is image-recognition CAPTCHA and personal-history security questions.
How to test it
- Walk through every step of every login path (initial sign-in, MFA, account recovery).
- At each step, ask: does it require remembering, transcribing, recognizing an object, or recalling personal content? If yes, it is a cognitive function test.
- For any such step, confirm a non-cognitive alternative or a help mechanism is available — and that object-recognition and personal-content tests are not being relied on, since 3.3.9 no longer exempts them.
- Verify password fields permit autofill and paste, and that one-time codes can be pasted.
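As an added example (not code from the page or from W3C), the audit below checks a login form's markup for the H100 marking-up point under "How to meet it" and for the autofill/paste check in the last test step above. It assumes fields can be identified by their id or name (the role guesses are a heuristic) and uses a minimal regex tag scanner rather than a real HTML parser.

```javascript
// Added example (not from the page or W3C): a static audit of a login form's
// <input> markup for the paste/autofill problems the test steps above look
// for. The regex scanner is minimal on purpose and suits simple forms only.
const ATTR_RE = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Autocomplete tokens that let a password manager fill each field role (H100).
const EXPECTED = {
  password: ["current-password", "new-password"],
  otp: ["one-time-code"],
  username: ["username", "email"],
};

// Parse the attributes of one <input ...> tag into a lower-cased map.
function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").toLowerCase();
  }
  return attrs;
}

// Return one finding per problem; an empty list means nothing in the markup
// blocks pasting or password-manager autofill.
function auditLoginMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    const id = a.id || a.name || "(unnamed)";
    const type = a.type || "text";
    const ac = a.autocomplete || "";
    if ("onpaste" in a) findings.push(`${id}: inline onpaste handler blocks pasting`);
    if (ac === "off") { findings.push(`${id}: autocomplete="off" defeats autofill`); continue; }
    // Heuristic role guess from the type and the id/name (an assumption here).
    const role = type === "password" ? "password"
      : /otp|code|token/.test(id) ? "otp"
      : type === "email" || /user|email|login/.test(id) ? "username" : null;
    if (role && !EXPECTED[role].includes(ac)) {
      findings.push(`${id}: ${role} field needs autocomplete="${EXPECTED[role].join('" or "')}"`);
    }
  }
  return findings;
}

// Constructed sample forms: WEAK blocks paste and autofill, FIXED does not.
const WEAK_FORM = `<form><input id="user" type="text" autocomplete="off">
  <input id="pass" type="password" onpaste="return false">
  <input id="otp" type="text" maxlength="6"></form>`;
const FIXED_FORM = `<form><input id="user" type="email" autocomplete="username">
  <input id="pass" type="password" autocomplete="current-password">
  <input id="otp" type="text" inputmode="numeric" autocomplete="one-time-code"></form>`;
console.log(auditLoginMarkup(WEAK_FORM)); // 4 findings; FIXED_FORM yields []
```

Paste blocking done from a script (an addEventListener on the field) or by a CAPTCHA widget is not visible to this static scan, so the manual walkthrough above still applies.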
Common questions
How is 3.3.9 different from 3.3.8?
Both ban cognitive-function tests (like remembering a password or transcribing a code) during login unless an alternative or a help mechanism is provided. 3.3.8 (AA) additionally permits object-recognition and personal-content tests; 3.3.9 (AAA) removes those two exceptions, so even "click every photo with a car" or "what is your pet’s name" no longer qualify.
Is Accessible Authentication (Enhanced) required for AA or ADA compliance?
No. 3.3.9 is Level AAA, so it is beyond a WCAG 2.2 AA target and is not the courtroom benchmark. The AA-level requirement is 3.3.8 (Minimum). 3.3.9 is best practice for the most inclusive login.
Does 3.3.9 ban CAPTCHA entirely?
Effectively, the common kinds. Image-recognition CAPTCHAs ("select all crosswalks") rely on object recognition, which 3.3.9 no longer exempts. To meet it you need a non-cognitive alternative such as a passkey, an email link, or a token-based check.