WCAG 3.3.9 — Accessible Authentication (Enhanced)
At AAA, cognitive function tests are simply not allowed in authentication, with object-recognition and personal-content exceptions intact. Passkeys, magic links, and biometric flows become the practical path.
What this requires
A cognitive function test is not required for any step in an authentication process, unless that step relies on object recognition or identifying non-text content the user provided to the site. The AAA criterion removes the "alternative" and "mechanism" exceptions that 3.3.8 permits.
How AI coding tools fail this
Same failure shapes as 3.3.8, with the AA exceptions removed. AI-generated password login fails AAA even when paste is allowed and magic-link alternatives exist — the cognitive test (remembering the password) is still there.
The AAA-specific failure: teams that have hardened to AA's 3.3.8 through password manager support now realise that, at AAA, the password path itself has to go. Passkeys, biometrics, and magic links replace it.
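The gap between the two levels can be shown with a small static check over login-form markup. This is an added example, not Jeikin's scanner: `LoginFormAudit`, `audit` and `has_alternative` are hypothetical names, the paste-blocking heuristic is an assumption, and the 3.3.8 logic is reduced to the "mechanism" and "alternative" exceptions described above.

```python
from html.parser import HTMLParser

class LoginFormAudit(HTMLParser):
    """Collect the login-form signals the criteria care about."""
    def __init__(self):
        super().__init__()
        self.password_fields = []  # (field name, mechanism_ok)
        self.passkey_hint = False  # "webauthn" autocomplete token seen

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        tokens = a.get("autocomplete", "").lower().split()
        if "webauthn" in tokens:
            self.passkey_hint = True
        if a.get("type", "").lower() == "password":
            handler = a.get("onpaste", "").replace(" ", "").lower()
            # Heuristic (assumption): these handler bodies suppress paste.
            paste_blocked = "returnfalse" in handler or "preventdefault" in handler
            manager_blocked = "off" in tokens
            self.password_fields.append(
                (a.get("name", "?"), not (paste_blocked or manager_blocked)))

def audit(html, has_alternative=False):
    """has_alternative: the flow offers e.g. a magic link (caller-supplied)."""
    p = LoginFormAudit()
    p.feed(html)
    aa, aaa = [], []
    for name, mechanism_ok in p.password_fields:
        if not (mechanism_ok or has_alternative):
            aa.append(name)   # 3.3.8: no mechanism and no alternative
        aaa.append(name)      # 3.3.9: the password itself is the test
    return {"3.3.8": aa, "3.3.9": aaa, "passkey_hint": p.passkey_hint}

# Constructed sample markup, not taken from any real site.
PASTE_BLOCKED = '<form><input name="user"><input type="password" name="pw" onpaste="return false"></form>'
AA_HARDENED = '<form><input name="user" autocomplete="username"><input type="password" name="pw" autocomplete="current-password"></form>'
PASSKEY_ONLY = '<form><input name="user" autocomplete="username webauthn"><button>Sign in</button></form>'

if __name__ == "__main__":
    for label, html, alt in [("paste blocked", PASTE_BLOCKED, False),
                             ("AA hardened", AA_HARDENED, True),
                             ("passkey only", PASSKEY_ONLY, False)]:
        print(label, audit(html, has_alternative=alt))
```

The AA-hardened form clears 3.3.8 and is still reported under 3.3.9; only the form with no password field is clean at both levels.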
Edge cases
- AAA scope. Most projects target AA. AAA replaces the password as the default; passkeys are the contemporary answer.
- Object recognition ("pick the traffic lights") remains an exempted form of test, though it's poor UX.
- Personal content challenges ("which of these is your profile photo") are exempt.
- WebAuthn / Passkeys satisfy AAA cleanly.
- Account recovery has to follow the same standard — a password-reset flow that requires remembering a password fails AAA.
How Jeikin handles this
For AAA-targeting projects, the dashboard records whether the authentication flow includes a passwordless path that the user can default to. The scanner findings from 3.3.8 are reused, with the AAA exceptions disabled.