Resource guide
3.3.9 Accessible Authentication (Enhanced)
Logging in must not require any cognitive function test at all, with no exceptions for object recognition or personal content.
By Calling All Minds·Last updated April 2026
Success criterion
Conformance level
Enhanced accessibility — beyond the legal minimum.
Added in WCAG 2.2
What it means
This is the enhanced version of 3.3.8 (Level AA). Where Level AA allows object recognition and personal content tests as alternatives to transcription tasks, Level AAA removes those options entirely. No cognitive function test of any kind may be required as the only authentication method.
At Level AAA, authentication must be achievable through a method that requires no memory, transcription, or recognition. Passkeys, magic links, and biometric authentication all satisfy this criterion.
In practice
Implement passkey authentication (WebAuthn) as a login option.
Offer magic link login via email as an alternative.
Support biometric authentication on devices that provide it.
Ensure password manager autofill works perfectly on all login fields.
Common failures
- Login system that requires memorising a password with no alternative authentication method
- System where the only authentication options all involve cognitive function tests
AXS Audit
AXS Audit checks your site against 3.3.9 and flags issues your team can act on straight away. It covers criteria that automated scanners often miss.