When a user interface component receives keyboard focus, the focus indicator must meet a minimum contrast ratio of 3:1 against adjacent colour and cover at least the perimeter of a 2 CSS-pixel solid outline around the focused element, or an equivalent indicator area. The criterion is one of the few WCAG additions that specifies measurable geometry rather than behaviour.

The default browser focus rings that designers spent fifteen years overriding for aesthetic reasons fail this measurement on the majority of audited production sites. Custom focus styles tend to use 1px outlines or low-contrast accent colours that look correct in design tools but score below 3:1 against the background of the actual focused element.

The figure matters even though the criterion is AAA: it indicates what would happen if a future regulator pinned at WCAG 2.2 level AAA, or if a procurement contract elevated this one criterion.

Set a 2 CSS-pixel outline at a colour scoring at least 3:1 against the element’s background; verify with a contrast checker rather than by eye. Where the design system overrides browser focus, expose a focus-style token that designers cannot accidentally lower below the contrast threshold.

The hit target of every pointer input must be at least 24 by 24 CSS pixels, except where the target is inline in a sentence, where it is sized by the user agent, where an equivalent target is available, or where the target’s function is essential. The criterion measures the hit target, not the visible icon.

The criterion catches a specific UI pattern: dense icon toolbars, particularly in editors, dashboards, and data-table headers. Most icon-button libraries default to 16×16 or 20×20 visual icon sizes inside a slightly larger hit target. Where the hit target is also below 24×24, the criterion fails — and toolbar designers routinely tighten gaps to fit more icons into limited horizontal space.

Set a minimum hit-target token of 24 by 24 CSS pixels in the design system, applied via padding rather than the icon’s own dimensions. Where toolbars cannot accommodate the floor, add adequate spacing so adjacent targets are not within the criterion’s overlap exclusion. Provide a settings-level equivalent (a larger menu) for the genuinely cramped surfaces.

The authentication step for a website or app cannot rely on a cognitive-function test — solving a puzzle, transcribing a distorted image, recognising objects in a grid — unless an alternative authentication method is provided, an assistive mechanism is available, or an object-recognition exception applies. Memorising a password counts as a cognitive-function test, which is why password managers are explicitly accommodated.

Most image-based CAPTCHAs fail this on their face. So do “click the squares with traffic lights” challenges, distorted-text transcription tests, and any flow that pastes a one-time code into a field but disables the paste interaction. The pattern is concentrated in login, password-reset, and account-creation flows — exactly the high-stakes points where being locked out has the biggest cost.

Authentication flows are also the area where the criterion’s bite is sharpest, because the failure does not degrade the experience — it ends it.

Replace cognitive-function CAPTCHAs with a non-cognitive alternative — device-based attestation, magic links, passkeys, or invisible risk-scoring. Permit password-manager autofill. Ensure copy-paste works in one-time-code fields. Where a CAPTCHA must remain, provide an audio alternative that itself does not require transcription of distorted speech.

When a user-interface component receives keyboard focus, the focused element must not be entirely hidden by author-created content. Partial occlusion is permitted at this level (a sticky header overlapping the top half of a focused field is allowed); total occlusion is not.

The most common collision is a sticky header — sometimes a cookie banner or floating chat widget — that overlaps the focused form field when a keyboard user tabs into it. Production sites that layered a sticky header onto an existing form during the 2020–22 redesign era routinely missed the focus-and-scroll behaviour because the original form was authored before sticky elements existed.

Set scroll-margin-top (or scroll-padding-top on the scroll container) equal to the height of any sticky overlay. Test that tabbing through a long form scrolls the focused element fully into view below any header. Pair this with focused-visible styles so the user can see where focus actually landed.

Functionality that uses a dragging movement must also be operable through a single-pointer action — a tap, a click, or an equivalent that does not require sustained pointer motion. Drag-and-drop interactions are not banned; they simply cannot be the only available path to the function.

List-reordering and kanban-style UIs frequently ship with drag-only reordering. The same applies to slider controls implemented as draggable thumbs without a corresponding spinbutton or text input, and to image-cropper UIs that require a drag to set bounds. The criterion catches these every time.

For every drag interaction, ship an equivalent tap/click alternative — “move up” and “move down” buttons next to draggable list items, a numeric input next to a slider, a click-to-set-bounds mode in the cropper. Where the alternative is hidden in a contextual menu, ensure it is reachable via the keyboard.

Within the same authenticated process, do not require the user to enter the same information twice — unless re-entry is essential, the previous entry is no longer valid, or the information involves security (a password retype during account creation is the canonical exception). Auto-populating or selecting from previously entered values both satisfy the criterion.

Multi-step checkout flows, multi-page application forms, and visa/permit applications routinely ask for the same address, name, or contact information in two separate steps because the steps were built by different teams and never reconciled. The user’s previously entered values are not held in a session shared across the steps.

Persist user-entered values across steps of a single process; pre-fill matching fields in subsequent steps; or expose a one-click “use the same address” control. The pattern usually surfaces during process mapping rather than during front-end audit, so a cross-team flow review is the practical remediation step.

If a help mechanism is provided — a contact link, a help link, a chat widget, a support phone number, a self-help link — it must appear in the same relative location across pages where it is provided. The criterion does not require help to be present; only that, where it is present, its placement is consistent.

The criterion is straightforward in principle and catches a narrow set of sites that have a “Contact us” link in the header on some pages, in a footer on others, and inside a floating chat widget on a third set of pages — frequently the result of multiple site sections owned by different teams with separate templates.

Audit help-mechanism placement across templates; settle on a single canonical location (header, persistent footer, or floating widget) and reconcile any outliers. The fix is rarely technical; it is a content-and-template governance step.

The AAA cousin of 2.4.11: when a user-interface component receives keyboard focus, the focused element must not be obscured by author-created content at all. Partial occlusion is forbidden at this level — a sticky header that covers any part of the focused field fails.

The same sticky-overlay collisions that drive 2.4.11 failures persist at 2.4.12. Sites that adopted scroll-margin-top to satisfy the minimum criterion still tend to leave a few CSS pixels of overlap on edge-case viewport heights. At AAA, that overlap is the failure.

Tune scroll-margin-top to comfortably exceed the height of every author-created overlay, including dynamic ones (cookie banners that appear on first visit, chat widgets that expand on hover). Add explicit regression tests for tab-into-form behaviour at common viewport sizes.

The AAA cousin of 3.3.8: authentication cannot rely on a cognitive-function test, period. The exceptions for object recognition and personal content that apply at AA do not apply here. Memory tests, transcription tests, and image-recognition challenges all fail at this level.

Even sites that replaced traditional CAPTCHAs with object-recognition challenges (the AA exception) fail 3.3.9. The criterion is the working group’s signal about where authentication should go: away from cognitive challenges entirely, and toward device attestation or biometric verification.

Adopt passkeys (WebAuthn) as the primary authentication mechanism; treat password-plus-passkey as a transition state rather than a destination. Where image recognition has been retained for risk-scoring, run it server-side from behavioural signals rather than as a user-facing challenge.