3.3.9 Accessible Authentication (Enhanced)
WCAG 2.2 · 3.3.9 AAA Understandable
What it requires
For every step of an authentication process that relies on a cognitive function test — such as remembering a password, solving a puzzle, or transcribing characters — at least one method must be available that does not rely on a cognitive function test. Unlike the AA criterion 3.3.8, the Enhanced level removes the two exceptions: object-recognition and personal-content CAPTCHAs are not permitted as the only alternative. So recognising photos of your pets, picking out traffic lights, or typing your own name to authenticate all fail at AAA.
A cognitive function test includes memorising, recalling, transcribing, solving puzzles, or performing calculations. The criterion is met when users can authenticate without any of these — for example with a passkey, a copy-and-paste-friendly one-time code, or third-party/federated sign-in.
Who it affects
- People with cognitive, learning, or memory disabilities who cannot reliably recall passwords or solve puzzles.
- People with dyslexia or dyscalculia, who struggle to transcribe character strings or perform calculations under time pressure.
- Blind and low-vision users, for whom visual object-recognition CAPTCHAs are inaccessible.
- Anyone whose disability makes the precise, error-free entry that passwords demand slow or unreliable.
How to detect it
| Check | How | Pass condition |
|---|---|---|
| Password entry | Walk through every login and account-recovery step manually. | A non-memory path exists (passkey, emailed link, OTP) — and paste is allowed. |
| CAPTCHA / puzzle | Inspect any challenge that gates authentication. | No cognitive test is required; object-recognition CAPTCHA does NOT satisfy AAA. |
| Paste support | Try pasting into password and OTP fields; check for autocomplete attributes. | Paste works and the browser/password manager can fill the field. |
| Automated tools | Run axe or similar. | Cannot reliably detect this — it requires manual review of the auth flow. |
How to fix it
- Offer a passwordless or federated option (passkeys/WebAuthn, "Sign in with…") so no memorised secret is needed.
- Where passwords remain, allow paste and let password managers autofill — never block paste and mark fields with the right autocomplete value.
- Remove puzzle and object-recognition CAPTCHAs from the authentication path; use non-cognitive anti-bot methods (device checks, tokens) instead.
- Make one-time codes copy-and-paste friendly rather than forcing manual transcription.
Mark credential fields so password managers and passkeys can fill them:
```html
<label for="email">Email</label>
<input id="email" type="email" autocomplete="username">
<label for="pw">Password</label>
<input id="pw" type="password" autocomplete="current-password">
<!-- paste is never blocked; a passkey button offers a non-cognitive path -->
<button type="button">Sign in with a passkey</button>
```
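To make the AA/AAA distinction from "What it requires" concrete, and to show how the fixes above change the outcome, here is an added example (not part of the original page or of WCAG itself) that models an authentication flow as a list of gates, each with one or more ways through, and reports which gates fail 3.3.8 (AA) or 3.3.9 (AAA). The step/method shape, the `kind` names and the `evaluate` function are assumptions made for this example.

```javascript
// Added example: model an authentication flow as gates ("steps"), each with one
// or more ways to pass it, and report which steps fail 3.3.8 (AA) or 3.3.9 (AAA).
// The step/method shape and the kind names are constructed for this example.

// Methods that never rely on a cognitive function test.
const NON_COGNITIVE = new Set(['passkey', 'federated-login', 'magic-link', 'device-check']);
// Cognitive tests that 3.3.8 (AA) tolerates as the only option; 3.3.9 (AAA) does not.
const AA_ONLY_EXCEPTIONS = new Set(['object-recognition-captcha', 'personal-content']);
// Cognitive tests that fail at both levels when no alternative exists.
const ALWAYS_COGNITIVE = new Set(['puzzle-captcha', 'transcription-captcha', 'security-question', 'calculation']);

// Does a single method count as a non-cognitive way through the step at this level?
function methodPasses(method, level) {
  if (NON_COGNITIVE.has(method.kind)) return true;
  if (AA_ONLY_EXCEPTIONS.has(method.kind)) return level === 'AA';
  if (ALWAYS_COGNITIVE.has(method.kind)) return false;
  // A password stops being a memory test only when paste works and a password
  // manager can fill the field (the pass condition in the detection table above).
  if (method.kind === 'password') {
    return method.pasteAllowed === true &&
      /^(current|new)-password$/.test(method.autocomplete || '');
  }
  // A one-time code stops being a transcription test when it can be pasted.
  if (method.kind === 'otp') return method.pasteAllowed === true;
  throw new Error(`unknown method kind: ${method.kind}`);
}

// Returns the names of steps where every available method is a cognitive test.
function evaluate(flow, level) {
  if (level !== 'AA' && level !== 'AAA') throw new Error(`level must be AA or AAA, got ${level}`);
  return flow
    .filter(step => !step.methods.some(m => methodPasses(m, level)))
    .map(step => step.name);
}

// Constructed sample flow: a password field with paste blocked but a passkey
// alongside it, an OTP that must be retyped, and an image-grid CAPTCHA with no alternative.
const SAMPLE_FLOW = [
  { name: 'credentials', methods: [
    { kind: 'password', pasteAllowed: false, autocomplete: '' },
    { kind: 'passkey' },
  ] },
  { name: 'second factor', methods: [{ kind: 'otp', pasteAllowed: false }] },
  { name: 'bot check', methods: [{ kind: 'object-recognition-captcha' }] },
];

console.log('AA failures:', evaluate(SAMPLE_FLOW, 'AA'));   // [ 'second factor' ]
console.log('AAA failures:', evaluate(SAMPLE_FLOW, 'AAA')); // [ 'second factor', 'bot check' ]
```

The same flow passes at AAA once the OTP field accepts paste and the image CAPTCHA is replaced by a non-cognitive anti-bot check, which is exactly the change the fix list asks for.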
Copy-paste tests
Automated coverage
There is no fully automated axe-core rule for 3.3.9. Whether an authentication step imposes a cognitive function test (and whether an exception applies) cannot be detected by a scanner, so this criterion needs manual review using the console check and steps below.
Run this in the browser console
```javascript
// Read-only: surfaces auth fields that may force a cognitive function test.
const suspects = [...document.querySelectorAll('input, [role=textbox]')].filter(el => {
  const ac = (el.getAttribute('autocomplete') || '').toLowerCase();
  // Inline onpaste handlers that cancel the event block paste (only inline handlers are visible here;
  // paste blocked via addEventListener must be tested by hand).
  const blocksPaste = el.onpaste && /preventDefault|return false/.test(String(el.onpaste));
  // A password field without a credential autocomplete value defeats password-manager fill.
  const noHelper = el.type === 'password' && !/current-password|new-password/.test(ac);
  // Names or ids that suggest a code to transcribe, a puzzle, or a memorised answer.
  const otpish = /otp|code|captcha|puzzle|memorable|security.?question/i.test(el.name + ' ' + el.id);
  return blocksPaste || noHelper || otpish;
});
// Highlight the suspects on the page and list them for review.
suspects.forEach(el => el.style.outline = '2px solid red');
console.table(suspects.map(el => ({ tag: el.tagName, name: el.name, id: el.id, type: el.type, autocomplete: el.getAttribute('autocomplete') })));
console.log('Review each: does it require recalling/transcribing/solving? AAA forbids it unless an alternative exists.', suspects);
```
What to check manually: confirm no step asks the user to memorise, transcribe, or solve anything (no password recall, OTP retyping, or puzzle CAPTCHA) without a non-cognitive alternative such as a passkey, and verify paste is genuinely allowed by pasting into each field — a script cannot prove a real alternative actually completes sign-in.
Related
- WCAG 2.2 criteria index
- Learn catalog
- Accessible forms — labels, input purpose, and credential autocomplete.