At AAA, image-based CAPTCHAs and personal-content challenges fail outright: 3.3.9 removes the object-recognition and user-provided-content exceptions that 3.3.8 still allows
3.3.9 Accessible Authentication (Enhanced)
In Plain Language
3.3.9 Accessible Authentication (Enhanced) is Level AAA and new in WCAG 2.2[1]. The normative rule is identical to 3.3.8 (Minimum) -- no step of an authentication process may require a cognitive function test such as recalling a memorized secret, transcribing a code, solving a puzzle, or performing a calculation -- but 3.3.9 removes two of the four exceptions that 3.3.8 still permits.
3.3.8 allows four escape hatches: (a) an alternative authentication method that is not a cognitive function test, (b) a mechanism that assists the user in completing the test (the password-manager exception), (c) the test is object recognition, and (d) the test is identifying non-text content the user provided. At AAA, exceptions (c) and (d) are gone. Image-grid CAPTCHAs ("select all photos with traffic lights") and personal-content challenges ("pick the photo you uploaded") pass 3.3.8 but fail 3.3.9.
Exceptions (a) and (b) remain at AAA. A password field still satisfies 3.3.9 as long as browsers and password managers can auto-fill it -- the assistance mechanism is itself the compliance path. The AAA bar is not "no passwords"; it is "no recognition puzzles, and nothing that blocks password managers or passwordless flows."
Why It Matters
- Object-recognition CAPTCHAs encode a cognitive function test in the form of visual classification. Users with cognitive or learning disabilities, low-vision users relying on magnification, and users unfamiliar with the depicted objects (a North American fire hydrant, a yellow school bus) cannot reliably pass them. 3.3.8 tolerated this trade-off; 3.3.9 does not.
- Personal-content challenges ("select the photo you uploaded at signup") require the user to recall and recognize something from episodic memory. That is the definition of a cognitive function test. At AAA the exception is removed because the population 3.3.9 is written to protect -- people with memory and recall impairments -- is the population personal-content challenges lock out.
- The two exceptions that survive at AAA push implementation toward WebAuthn / passkeys, platform biometrics, SSO, magic links, and password fields that cooperate with password managers via correct autocomplete tokens. These are the authentication paths that impose zero cognitive load on the user regardless of ability.
- AAA is the target for government services, healthcare portals, and any login flow where exclusion has a real cost. 3.3.9 is the criterion that forecloses recognition-puzzle authentication as a design option at that bar[1].
Examples
Sign In
✔ None of these methods is a cognitive function test -- no memorization, recognition, or puzzles
<button>Sign in with Passkey</button>
<p>or</p>
<button>Sign in with Fingerprint</button>
<p>or</p>
<button>Sign in with Email Link</button>
<!-- All options bypass cognitive function tests
entirely -- no memorization or recognition -->
Verify You Are Human
✘ Object recognition CAPTCHA is a cognitive function test -- not allowed under 3.3.9 even though it passes 3.3.8
<!-- FAILS 3.3.9: object recognition is a
cognitive function test -->
<p>Select all images with traffic lights</p>
<div class="captcha-grid">
<img src="img1.jpg" alt="">
<img src="img2.jpg" alt="">
<!-- ... more images ... -->
</div>
<!-- This passes 3.3.8 (object recognition exception)
but FAILS 3.3.9 (no exceptions allowed) -->
Sign In
✔ All fields support autocomplete -- the password manager handles the cognitive burden
<label for="email">Email</label>
<input id="email" type="email"
autocomplete="username">
<label for="pw">Password</label>
<input id="pw" type="password"
autocomplete="current-password">
<label for="otp">Verification code</label>
<input id="otp" type="text"
autocomplete="one-time-code">
<!-- Every field uses autocomplete so the user
never needs to memorize or transcribe -->
Security Check
✘ Personal content recognition is a cognitive function test -- not allowed under 3.3.9
<!-- FAILS 3.3.9: personal content recognition
is a cognitive function test -->
<p>Select the photo you uploaded during setup</p>
<div class="photo-grid">
<button><img src="a.jpg" alt="Photo A"></button>
<button><img src="b.jpg" alt="Photo B"></button>
<!-- ... more photos ... -->
</div>
<!-- Requires user to remember which photo they
chose -- passes 3.3.8 but fails 3.3.9 -->
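The verification-code field in the compliant Sign In form above only clears exception (b) if it actually accepts what autofill or a paste delivers. The following is an added example, not code from the page or from W3C: a code field that normalizes pasted SMS text instead of rejecting it, declares the autocomplete token, and on browsers that support the WebOTP API asks the browser for the SMS code directly. It assumes the field id "otp" from the form above and six-digit ASCII codes; the origin-bound SMS format is the one WebOTP requires.

```javascript
// Added example, not code from the page: a verification-code field that keeps
// the MFA step inside exception (b). It never rejects what autofill, an
// authenticator app or a paste delivers, and on Chromium/Android it asks the
// browser for the SMS code directly through the WebOTP API.
// Assumptions: the field has id="otp" as in the form above, and codes are
// six ASCII digits.

const OTP_LENGTH = 6;

// Turn whatever lands in the field into a bare code, or null if no code of
// the expected length is present. Pasted SMS text such as "Your code is
// 123-456" or "123 456" must not be bounced back to the user, otherwise the
// step silently degrades into transcribing six digits by eye.
function normalizeOtp(raw, length = OTP_LENGTH) {
  if (typeof raw !== 'string' || length < 1) return null;
  // Exactly `length` digits, optionally separated by single spaces or hyphens,
  // not embedded in a longer digit run (so "12345678" is not clipped to six).
  const re = new RegExp(`(?<!\\d)\\d(?:[ -]?\\d){${length - 1}}(?!\\d)`);
  const m = raw.match(re);
  return m ? m[0].replace(/[ -]/g, '') : null;
}

// Wire the field: declare the autofill token, accept paste, and complete the
// step as soon as a full code is present so nobody has to retype it.
function attachOtpField(input, onComplete) {
  input.setAttribute('autocomplete', 'one-time-code');
  input.setAttribute('inputmode', 'numeric');
  // Deliberately no onpaste="return false": that would collapse exception (b).
  input.addEventListener('paste', (ev) => {
    const code = normalizeOtp(ev.clipboardData.getData('text'));
    if (code) {
      ev.preventDefault();
      input.value = code;
      onComplete(code);
    }
  });
  // Fires for typing and for browser/authenticator-app autofill alike.
  input.addEventListener('input', () => {
    const code = normalizeOtp(input.value);
    if (code) onComplete(code);
  });
}

// WebOTP (Chromium on Android): the browser reads the SMS for us when the
// message ends with an origin-bound line such as "@example.com #123456".
// Returns the code, or null where the API is unavailable, the user declined,
// or the request was aborted.
async function requestSmsOtp(input, onComplete) {
  if (typeof window === 'undefined' || !('OTPCredential' in window)) return null;
  const ac = new AbortController();
  // Drop the pending request if the user submits first (e.g. after a paste).
  input.form?.addEventListener('submit', () => ac.abort(), { once: true });
  try {
    const cred = await navigator.credentials.get({ otp: { transport: ['sms'] }, signal: ac.signal });
    const code = normalizeOtp(cred?.code);
    if (code) {
      input.value = code;
      onComplete(code);
    }
    return code;
  } catch {
    return null;
  }
}

// Browser entry point; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined') {
  const otp = document.getElementById('otp');
  if (otp) {
    const submit = () => otp.form?.requestSubmit();
    attachOtpField(otp, submit);
    requestSmsOtp(otp, submit);
  }
}
```

The normalizer is the part worth copying: most "the code didn't work" support tickets on OTP screens come from a field that rejects "123 456" because a user pasted the whole message, and each rejection pushes the user back toward reading digits off a second screen.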
How to Fix It
- Prefer a non-cognitive authentication path as the primary flow. WebAuthn / passkeys, platform biometrics, OAuth / SSO, and email magic links all satisfy exception (a) -- they are authentication methods that do not rely on a cognitive function test at all. Offering one of these as the first option is the most direct way to clear the AAA bar. One caveat for SSO: a redirect only moves the login step to the identity provider, so check that the provider's own sign-in page does not drop the user into a puzzle or block password managers.
- Make every credential field cooperate with password managers. Exception (b), the assistance mechanism, is what keeps password fields alive at AAA. Use the correct autocomplete tokens from the HTML spec (username, current-password, new-password, one-time-code) on every login, signup, and verification input. Do not block paste. Do not strip autocomplete with autocomplete="off" on credential inputs -- this is the single most common failure mode that collapses the exception.
- Delete image-grid CAPTCHAs from the authentication flow. "Select all images with traffic lights" is object recognition, which was exception (c) at 3.3.8 and is no longer permitted at 3.3.9. Replace it with invisible bot-detection signals (behavioral telemetry, device attestation, proof-of-work) that require no user interaction. These are abuse controls, not authentication: they must never be the gate that decides whether a legitimate user gets in.
- Remove personal-content verification steps. "Select the photo you uploaded" and "identify your security image" fall under the removed (d) exception. Replace them with device-bound tokens, passkey re-authentication, or an emailed / SMS code delivered into a field marked autocomplete="one-time-code". Where the threat model matters, prefer the device-bound options: SMS codes are phishable and exposed to SIM swapping, and the accessibility fix should not become a security regression.
- Treat the MFA step as a full authentication step. 3.3.9 applies to every step of the process. A one-time code prompt that does not accept paste, does not autofill, and expects the user to transcribe six digits by eye is itself a cognitive function test. Mark the input with autocomplete="one-time-code", accept paste, and allow authenticator-app autofill.
- Audit every authentication path, not just primary login. Account recovery, step-up re-authentication, session-timeout re-login, and admin impersonation flows must each independently satisfy 3.3.9. A compliant primary login with a recovery flow that drops the user into an image CAPTCHA fails the criterion.
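The autocomplete and audit points above can be checked mechanically for the field-level rules. The block below is an added example, not code from the page or from W3C: a small static audit that walks every input in a piece of login, signup, recovery or MFA markup and reports anything that would stop a password manager or authenticator app from filling it. It uses a regex tag parser (an assumption: well-formed, quoted attributes, not arbitrary HTML) and a name heuristic for fields that carry no token at all; the two sample forms are constructed, the compliant one copied from the Sign In example on this page. Recognition challenges such as image grids cannot be detected this way and still need a human review.

```javascript
// Added example, not code from the page: a static audit of authentication
// markup against the exception-(b) rules in this section. It parses <input>
// tags with a regex (assumes well-formed, quoted attributes; not a full HTML
// parser) and reports anything that would stop a password manager or
// authenticator app from filling the field. Recognition challenges (image
// grids, "pick your photo") are not detectable this way and still need eyes.

const CREDENTIAL_TOKENS = ['username', 'current-password', 'new-password', 'one-time-code'];
// Heuristic (an assumption, not from the spec): id/name fragments that usually
// mark a credential field even when the markup carries no autocomplete token.
const CREDENTIAL_NAME_HINT = /user|login|email|pass|pwd|otp|code|token/i;
const NON_FIELD_TYPES = new Set(['hidden', 'submit', 'button', 'checkbox', 'radio', 'image', 'reset']);

// Extract each <input ...> as a lower-cased attribute map. Value-less
// attributes (e.g. disabled) map to the empty string.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (let tag; (tag = tagRe.exec(html)); ) {
    const attrs = {};
    for (let a; (a = attrRe.exec(tag[1])); ) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    }
    inputs.push(attrs);
  }
  return inputs;
}

function autocompleteTokens(attrs) {
  return (attrs.autocomplete || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// A field is in scope if it is a password box, already carries a credential
// token, or its id/name looks like one of the usual credential fields.
function isCredentialField(attrs) {
  const type = (attrs.type || 'text').toLowerCase();
  if (NON_FIELD_TYPES.has(type)) return false;
  if (type === 'password') return true;
  if (autocompleteTokens(attrs).some((t) => CREDENTIAL_TOKENS.includes(t))) return true;
  return CREDENTIAL_NAME_HINT.test(`${attrs.id || ''} ${attrs.name || ''}`);
}

// Returns one finding per problem: { field, problem }. An empty array means
// every credential field can be filled by an assistance mechanism.
function auditAuthMarkup(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    if (!isCredentialField(attrs)) continue;
    const field = attrs.id || attrs.name || '(unnamed input)';
    const tokens = autocompleteTokens(attrs);
    if (tokens.includes('off')) {
      findings.push({ field, problem: 'autocomplete="off" disables the assistance mechanism (exception b)' });
    } else if (!tokens.some((t) => CREDENTIAL_TOKENS.includes(t))) {
      findings.push({ field, problem: `no credential autocomplete token (expected one of: ${CREDENTIAL_TOKENS.join(', ')})` });
    }
    if ('onpaste' in attrs || 'ondrop' in attrs) {
      findings.push({ field, problem: 'inline paste/drop handler on a credential field; confirm it does not block paste' });
    }
  }
  return findings;
}

// Constructed sample markup. LOGIN_OK is the compliant form from this page;
// LOGIN_BAD is a typical legacy login that collapses exception (b).
const LOGIN_OK = `
<label for="email">Email</label>
<input id="email" type="email" autocomplete="username">
<label for="pw">Password</label>
<input id="pw" type="password" autocomplete="current-password">
<label for="otp">Verification code</label>
<input id="otp" type="text" autocomplete="one-time-code">`;

const LOGIN_BAD = `
<input type="hidden" name="csrf_token" value="deadbeef">
<label for="u">Username</label>
<input id="u" name="username" type="text" autocomplete="off">
<label for="p">Password</label>
<input id="p" type="password" autocomplete="off" onpaste="return false">
<label for="c">Code</label>
<input id="c" name="code" type="text" maxlength="6" />`;

// Example run: prints one line per finding for the legacy form.
for (const f of auditAuthMarkup(LOGIN_BAD)) console.log(`${f.field}: ${f.problem}`);
```

Run it over the templates for every path listed above (recovery, step-up, session re-login, impersonation), not just the primary form; a paste-blocking handler attached from a script rather than inline, and any image-grid or "pick your photo" step, still have to be found by hand.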
References
- [1] W3C (2023). Understanding Success Criterion 3.3.9: Accessible Authentication (Enhanced). W3C. Accessed 2026-04-07. https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-enhanced.html