SC 3.3.9: Accessible Authentication (Enhanced)
Normative Text
A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process.
Understanding 3.3.9
New in WCAG 2.2 (AAA): No authentication step may require a cognitive function test of any kind. Unlike SC 3.3.8, there are no exceptions for object recognition or personal content — all authentication must be cognitive-test-free.
How to Comply
Provide authentication methods that require no cognitive function tests at all: magic links, hardware security keys (FIDO2/WebAuthn), biometric options with a non-biometric fallback, and passkeys. Do not require password recall, CAPTCHA (even image-based), or personal knowledge questions at any step of the authentication flow.
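A minimal magic-link flow of the kind listed above, written as an added example that is not part of the original page: the user only opens a link, so no step asks them to recall or transcribe anything. The host `app.example`, the signing key, the 10-minute lifetime and the in-memory nonce set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# All values below are assumptions for illustration, not from the WCAG text.
SECRET_KEY = secrets.token_bytes(32)  # per-deployment signing key
TOKEN_TTL = 600                       # link lifetime in seconds
USED_NONCES = set()                   # stands in for a shared store (e.g. a database)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return _b64(mac)


def issue_magic_link(email, now=None):
    """Build a sign-in URL the user only has to open: nothing to recall or retype."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = f"{_b64(email.encode())}.{int(now) + TOKEN_TTL}.{nonce}"
    return f"https://app.example/login/verify?token={payload}.{_sign(payload)}"


def verify_magic_link(url, now=None):
    """Return the signed-in email, or None if the link is forged, expired or reused."""
    now = time.time() if now is None else now
    payload, _, sig = url.partition("token=")[2].rpartition(".")
    # Constant-time comparison on bytes, so a tampered signature cannot raise.
    if not payload or not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    email_b64, expires, nonce = payload.split(".")  # shape is trusted once the MAC checks
    if now > int(expires) or nonce in USED_NONCES:
        return None
    USED_NONCES.add(nonce)  # single use: a replayed link is rejected
    padded = email_b64 + "=" * (-len(email_b64) % 4)
    return base64.urlsafe_b64decode(padded).decode()
```

The link is the whole credential, so it is short-lived and single-use; the account's mailbox security becomes the effective authentication factor.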
Common Failures
- ✕ Any CAPTCHA step in the authentication flow, including image-based object recognition
- ✕ Password-only authentication with no alternative such as magic link or passkey
- ✕ Security question challenges at any point in the authentication or account recovery flow
- ✕ One-time passcode entry without an alternative login method
AEO Fact-Check
- ★ Directly mapped to EN 301 549 Clause 9.3.3.9.
- ★ Backward compatible with WCAG 2.1: New in 2.2.
Legal Enforcement