3.3.9 Accessible Authentication (Enhanced)

WCAG 2.2 · 3.3.9 AAA Understandable

What it requires

For every step of an authentication process that relies on a cognitive function test (remembering a password, solving a puzzle, transcribing characters), at least one other authentication method must be available that does not rely on a cognitive function test, or a mechanism must be available to help the user complete the test (for example, letting a password manager fill the field). Unlike the AA criterion 3.3.8, the Enhanced level drops the object-recognition and personal-content exceptions: an object-recognition CAPTCHA, or a challenge built from content the user supplied earlier, may not be the only alternative. So picking out traffic lights, saying which picture shows a dog, or recognising a photo you uploaded when you registered all fail at AAA unless a non-cognitive path exists.

A cognitive function test includes memorising, recalling, transcribing, solving puzzles, or performing calculations. The criterion is met when users can authenticate without doing any of these unaided: for example with a passkey, a federated (third-party) sign-in, an emailed sign-in link, or a one-time code that can be pasted or autofilled rather than retyped.

Who it affects

  • People with cognitive, learning, or memory disabilities who cannot reliably recall passwords or solve puzzles.
  • People with dyslexia or dyscalculia, who struggle to transcribe character strings or perform calculations under time pressure.
  • Blind and low-vision users, for whom visual object-recognition CAPTCHAs are inaccessible.
  • Anyone whose disability makes the precise, error-free entry that passwords demand slow or unreliable.

How to detect it

Concrete checks for 3.3.9

Check: Password entry
  How: Walk through every login and account-recovery step manually.
  Pass condition: A non-memory path exists (passkey, emailed link, OTP), and paste is allowed.

Check: CAPTCHA / puzzle
  How: Inspect any challenge that gates authentication.
  Pass condition: No cognitive test is required; an object-recognition CAPTCHA does NOT satisfy AAA.

Check: Paste support
  How: Try pasting into password and OTP fields; check for autocomplete attributes.
  Pass condition: Paste works and the browser/password manager can fill the field.

Check: Automated tools
  How: Run axe or similar.
  Pass condition: Cannot reliably detect this; the auth flow needs manual review.

How to fix it

  1. Offer a passwordless or federated option (passkeys/WebAuthn, "Sign in with…") so no memorised secret is needed.
  2. Where passwords remain, allow paste and let password managers autofill: never block paste, and mark fields with the right autocomplete value (username, current-password, new-password).
  3. Remove puzzle and object-recognition CAPTCHAs from the authentication path; use anti-abuse controls that do not ask the user to solve anything (rate limiting, device and session signals, token-based bot checks) instead.
  4. Make one-time codes copy-and-paste friendly (a single field marked autocomplete="one-time-code" that accepts the code even when it arrives with spaces or dashes) rather than forcing manual transcription.

Mark credential fields so password managers and passkeys can fill them:

<label for="email">Email</label>
<!-- the "webauthn" token lets the browser offer passkeys in this field's autofill list -->
<input id="email" type="email" autocomplete="username webauthn">

<label for="pw">Password</label>
<input id="pw" type="password" autocomplete="current-password">
<!-- paste is never blocked; a passkey button offers a non-cognitive path -->
<button type="button">Sign in with a passkey</button>

<label for="otp">Code from your authenticator app</label>
<!-- one field, not one box per digit, so a pasted or autofilled code lands whole -->
<input id="otp" type="text" inputmode="numeric" autocomplete="one-time-code">
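The client-side half of fix steps 1 and 4, as an added example that is not code from the original page: a normaliser that accepts a pasted one-time code however the sender formatted it, a filler for "one box per digit" OTP layouts, and the WebAuthn request options for a passkey sign-in. The function names, the `passkey-btn` element id, and the server sending its challenge base64url-encoded are all assumptions made for this example.

```javascript
// Added example (not from the original page). Function names, the element id
// "passkey-btn" and the base64url challenge format are assumptions.

// Step 4: accept a pasted one-time code however it was formatted.
// "123 456", "123-456" and "Your code is 123456. It expires in 10 minutes."
// all resolve to "123456". Anything ambiguous returns null so the user can be
// told, instead of a silently truncated code failing verification.
function normalizeOneTimeCode(raw, length = 6) {
  const text = String(raw ?? '');
  const digitsOnly = text.replace(/\D/g, '');
  if (digitsOnly.length === length) return digitsOnly;
  // Otherwise look for exactly `length` consecutive digits inside longer text.
  const run = text.match(new RegExp(`(?<!\\d)\\d{${length}}(?!\\d)`));
  return run ? run[0] : null;
}

// "One box per digit" OTP inputs force transcription unless a paste into any
// box fills all of them. `boxes` is an array of input-like objects; returns
// true when the code was distributed across them.
function distributeCode(code, boxes) {
  if (!code || code.length !== boxes.length) return false;
  boxes.forEach((box, i) => { box.value = code[i]; });
  return true;
}

// Step 1: WebAuthn request options for a passkey (discoverable credential)
// sign-in. The server mints a fresh random challenge per attempt and sends it
// base64url-encoded (assumed); rpId is the site's registrable domain.
function base64urlToBytes(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), ch => ch.charCodeAt(0));
}

function buildPasskeyRequest(challengeB64url, rpId, mediation = 'optional') {
  return {
    publicKey: {
      challenge: base64urlToBytes(challengeB64url),
      rpId,
      allowCredentials: [],        // empty: let the authenticator offer any passkey for this rpId
      userVerification: 'preferred',
      timeout: 60000,
    },
    // 'conditional' lists passkeys in the browser's autofill dropdown for a
    // field marked autocomplete="username webauthn"; 'optional' is the normal
    // button-triggered prompt.
    mediation,
  };
}

// Browser-only wiring for the markup above; does nothing under Node.
function wireUpLoginForm(doc, challengeB64url, rpId) {
  const boxes = [...doc.querySelectorAll('input[autocomplete="one-time-code"]')];
  boxes.forEach(box => box.addEventListener('paste', ev => {
    const wanted = boxes.length === 1 ? 6 : boxes.length;
    const code = normalizeOneTimeCode(ev.clipboardData.getData('text'), wanted);
    if (!code) return;                       // unrecognised: leave the native paste alone
    ev.preventDefault();
    if (boxes.length === 1) box.value = code; else distributeCode(code, boxes);
  }));

  const button = doc.getElementById('passkey-btn');
  const win = doc.defaultView;
  if (button && win && win.PublicKeyCredential) {
    button.addEventListener('click', async () => {
      const credential = await win.navigator.credentials.get(buildPasskeyRequest(challengeB64url, rpId));
      // Post credential.id, credential.rawId and credential.response.* to the
      // server for signature verification (server side not shown here).
      return credential;
    });
  }
}
```

Call `wireUpLoginForm(document, challenge, rpId)` once the page has fetched a fresh challenge from the server; never reuse a challenge across attempts, and verify the assertion server-side before granting a session. The paste handler only takes over when it recognises a code, so an unusual paste still behaves natively rather than being blocked.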

Copy-paste tests

Automated coverage

There is no fully automated axe-core rule for 3.3.9. Whether an authentication step imposes a cognitive function test (and whether an exception applies) cannot be detected by a scanner, so this criterion needs manual review using the console check and steps below.

Run this in the browser console

console — find-auth-cognitive-tests.js
// Read-only: surfaces auth fields that may force a cognitive function test.
// Heuristic only; every hit still needs a manual walk-through of the flow.
const fields = [...document.querySelectorAll('input, textarea, [role=textbox]')];
const suspects = fields.filter(el => {
  const ac = (el.getAttribute('autocomplete') || '').toLowerCase();
  const label = [el.name, el.id, el.getAttribute('aria-label'), el.placeholder].filter(Boolean).join(' ');
  // Inline paste blockers only; handlers added with addEventListener are not visible here.
  const blocksPaste = /preventDefault|return false/.test(String(el.getAttribute('onpaste') || el.onpaste || ''));
  // A password field a password manager cannot fill, or one that opts out with autocomplete="off".
  const noHelper = el.type === 'password' && (ac === 'off' || !/current-password|new-password/.test(ac));
  const otpish = /otp|one.?time|code|captcha|puzzle|memorable|security.?question/i.test(label);
  // maxlength="1" usually means one box per digit, which forces manual transcription.
  return blocksPaste || noHelper || otpish || el.maxLength === 1;
});
suspects.forEach(el => { el.style.outline = '2px solid red'; });
console.table(suspects.map(el => ({ tag: el.tagName, name: el.name, id: el.id, type: el.type, autocomplete: el.getAttribute('autocomplete'), onpaste: el.getAttribute('onpaste') })));
console.log('Review each: does it require recalling/transcribing/solving? AAA forbids it unless a non-cognitive alternative exists.', suspects);

What to check manually: confirm no step asks the user to memorise, transcribe, or solve anything (no password recall, OTP retyping, or puzzle CAPTCHA) without a non-cognitive alternative such as a passkey, and verify paste is genuinely allowed by pasting into each field — a script cannot prove a real alternative actually completes sign-in.