3.3.9 Accessible Authentication (Enhanced)
A cognitive function test is not required for any step in an authentication process.
What this rule means
WCAG 3.3.9 (new in WCAG 2.2) is the AAA enhancement of 3.3.8. While 3.3.8 allows cognitive tests if an alternative is provided, 3.3.9 prohibits cognitive function tests entirely in authentication — no exceptions for object recognition or personal content.
This means no CAPTCHA of any kind (including image selection), no security questions, and no password recall without password manager support. Authentication must be fully achievable without cognitive effort.
Why it matters
This provides the highest level of authentication accessibility. It ensures that users with severe cognitive disabilities can authenticate without any cognitive barriers whatsoever.
Related axe-core rules
There are no automated axe-core rules for this criterion.
How to test
- Review every authentication step for any cognitive requirement.
- Verify that no step requires memory, transcription, pattern recognition, or puzzle solving.
- Confirm authentication works with passkeys, biometrics, or magic links alone.
How to fix
Implement fully cognitive-test-free authentication:
- Use WebAuthn/passkeys as the primary authentication method.
- Offer biometric authentication (fingerprint, face recognition).
- Provide magic link (email-based) authentication.
- Support OAuth/SSO from providers that offer accessible auth.
- Remove all CAPTCHA, security questions, and image-based verification.
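An added example (not part of the original page) of the server side of the magic-link option: the user only clicks the emailed link, so no step asks them to remember or transcribe anything, while the token stays single-use and short-lived. The 10-minute lifetime, the `app.example` URL and the in-memory `pending` store are assumptions made for illustration.

```javascript
// Added example: single-use, expiring magic-link tokens (Node.js standard library only).
const { createHash, randomBytes } = require("node:crypto");

const TOKEN_TTL_MS = 10 * 60 * 1000; // assumed lifetime: 10 minutes
// tokenHash (hex) -> { email, expiresAt }; stands in for a database table.
const pending = new Map();

function sha256Hex(value) {
  return createHash("sha256").update(value).digest("hex");
}

// Create a token for `email` and return the link to send by email.
// Only the hash is stored, so a leaked table does not yield usable links.
function issueMagicLink(email, now = Date.now()) {
  const token = randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
  pending.set(sha256Hex(token), { email, expiresAt: now + TOKEN_TTL_MS });
  return `https://app.example/auth/magic?token=${token}`; // hypothetical URL
}

// Redeem the token from a clicked link.
// Returns the email to sign in, or null if the token is unknown, reused or expired.
function redeemMagicLink(token, now = Date.now()) {
  if (typeof token !== "string" || token.length === 0) return null;
  const key = sha256Hex(token);
  const record = pending.get(key);
  if (!record) return null;
  pending.delete(key); // single use: consumed on first presentation, even if expired
  if (now > record.expiresAt) return null;
  return record.email;
}
```
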
Common mistakes
- Relying on CAPTCHA even with an "accessible" audio alternative.
- Security questions that require memory recall.
- Image-based verification (select all traffic lights).