Accessible Authentication (Enhanced)
Authentication must not require any cognitive function test, even object recognition or personal-content identification. The AAA upgrade of 3.3.8 — passkeys, biometrics, and device-bound credentials become the practical paths. New in WCAG 2.2.
What it asks
This AAA criterion (3.3.9) is 3.3.8 with its two content-specific exceptions removed: object recognition and identification of user-provided personal content no longer count as acceptable cognitive function tests. What remains is the core rule and its two general exceptions. No step of an authentication process may require a cognitive function test (remembering a password, solving a puzzle, transcribing a code) unless that step offers an alternative method that needs no such test, or a mechanism that assists the user in completing it, such as a password field that accepts paste and browser or password-manager autofill.
In practice this means that at every step, including second factors and step-up prompts, the user can get through either by a path with no cognitive test at all or with tooling doing the recall and transcription for them. Other options may remain alongside; the accessible path only has to exist and be reachable.
How to meet it
- Offer passkeys / WebAuthn as a first-class option. The user approves with the device's own biometric or PIN unlock, which belongs to the device rather than to your authentication process, so the site imposes no cognitive test.
- Offer magic-link sign-in via email: the user clicks a single-use, time-limited link and has nothing to recall or transcribe. Generate the token from a CSPRNG, store only a hash of it server-side, and burn it on first use.
- Support OAuth / social sign-in, bearing in mind that this only counts if the identity provider's own login is accessible; otherwise the cognitive test has moved, not gone.
- Support hardware security keys (FIDO2), either as a passwordless credential or as the second factor.
- Ensure that wherever the user lands in the flow, including MFA prompts and step-up checks, at least one of these paths is reachable without a CAPTCHA, a hand-transcribed code, or a recall-based fallback.
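The magic-link option above is the easiest of these paths to get subtly wrong on the security side, so here is the server half of it as an added example. This is illustrative code, not from the WCAG text or any particular product; the 15-minute validity window, the in-memory store standing in for a database, and the base URL are assumptions.

```python
"""Server side of magic-link sign-in: issue a single-use, time-limited link
and redeem it. Added illustration, not code from any particular product.

Assumptions (not in the page text): a 15-minute validity window, an
in-memory dict standing in for a database, and a caller-supplied base URL.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link stays valid for 15 minutes


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems magic links.

    Only a SHA-256 hash of each token is stored, so a leaked store does not
    yield usable links. Each token is burned on first redemption.
    """

    def __init__(self, base_url: str, now: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self.now = now  # injectable clock so expiry can be tested
        self._pending: Dict[bytes, PendingLogin] = {}  # keyed by token hash

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str) -> str:
        """Create a fresh link for `email`. The raw token leaves the server
        only inside the emailed URL; the store never sees it."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = PendingLogin(
            email=email, expires_at=self.now() + TOKEN_TTL_SECONDS
        )
        return f"{self.base_url}/login/magic?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the signed-in email, or None if the token is unknown,
        expired, or already used."""
        record = self._pending.get(self._hash(token))
        if record is None or record.used or self.now() > record.expires_at:
            return None
        record.used = True  # single use: a replayed link is rejected
        return record.email


def token_from_link(link: str) -> str:
    """Extract the token query parameter from an issued link."""
    query = parse_qs(urlparse(link).query)
    return query.get("token", [""])[0]


if __name__ == "__main__":
    service = MagicLinkService("https://example.test")
    link = service.issue("alice@example.test")
    print("emailed link:", link)
    token = token_from_link(link)
    print("first click ->", service.redeem(token))
    print("replay       ->", service.redeem(token))
```

Three properties carry the security of the flow: the token is unguessable (256 bits from `secrets`), the store holds only its hash, and redemption is single-use and time-boxed. The user's only task is to click the link, which is what makes it a no-cognitive-test path.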
Common failures
- Relying on the password-manager exception and then defeating it: autocomplete="off" on credential fields, paste blocked by script, or a one-time code with no copy/paste or autofill path. The mechanism exception still holds at AAA, but only if the mechanism actually works; where it cannot be relied on, a passkey, biometric, or magic-link option is the cleaner answer.
- Authentication that requires identifying the user's own profile photo or a previously chosen image (object recognition or personal content): acceptable at AA under the 3.3.8 exceptions, a failure at AAA.
- Step-up authentication for sensitive actions that always escalates to a recall-based test (security questions, a memorised PIN) with no passkey, security-key, or assisted alternative at that step.
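The first failure above is easy to catch statically. The following is an added example of such a check, not a WCAG tool or any project's code: it parses a login form's HTML and flags credential inputs that block autofill or paste or carry no autocomplete token a password manager can act on. The two sample forms are constructed for the example, and treating text, email, tel, number and password inputs inside a form as credential fields is an assumption.

```python
"""Static check that a login form does not defeat the assistance mechanisms
(autofill, password managers, paste) that satisfy 3.3.9 for password and
code fields. Added illustration, not a WCAG tool or any project's code.

Assumption (not in the page text): a field counts as a credential field when
it is a text, email, tel, number or password input inside a <form>.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# autocomplete tokens that let browsers and password managers fill the field
ASSISTIVE_TOKENS = {
    "username", "email", "current-password", "new-password",
    "one-time-code", "webauthn",
}
CREDENTIAL_INPUT_TYPES = {"text", "email", "tel", "number", "password"}
CLIPBOARD_HANDLERS = ("onpaste", "oncopy", "oncut", "ondrop")


class LoginFormAuditor(HTMLParser):
    """Collects (field, problem) pairs for inputs that block assistance."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._in_form = True
            return
        if tag != "input" or not self._in_form:
            return
        a = {k: (v or "") for k, v in attrs}  # boolean attrs arrive as None
        if a.get("type", "text").lower() not in CREDENTIAL_INPUT_TYPES:
            return  # hidden, submit, checkbox etc. are not credential fields
        field = a.get("name") or a.get("id") or "<unnamed>"
        tokens = set(a.get("autocomplete", "").lower().split())
        if "off" in tokens:
            self.findings.append((field, "autocomplete=off blocks autofill"))
        elif not tokens & ASSISTIVE_TOKENS:
            self.findings.append(
                (field, "no autocomplete token; password managers may not recognise the field")
            )
        for handler in CLIPBOARD_HANDLERS:
            if handler in a:
                self.findings.append((field, f"{handler} handler interferes with paste"))
                break
        if "readonly" in a:  # a trick some sites use to suppress autofill
            self.findings.append((field, "readonly attribute defeats autofill"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_login_form(html: str) -> List[Tuple[str, str]]:
    """Run the auditor over one HTML document and return its findings."""
    auditor = LoginFormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample forms for the example; not taken from any real site.
BAD_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="pass" onpaste="return false">
  <input type="text" name="otp" inputmode="numeric">
  <input type="hidden" name="csrf" value="abc">
  <button type="submit">Sign in</button>
</form>
"""

GOOD_FORM = """
<form action="/login" method="post">
  <input type="email" name="user" autocomplete="username webauthn">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="text" name="otp" autocomplete="one-time-code" inputmode="numeric">
  <button type="submit">Sign in</button>
</form>
"""

if __name__ == "__main__":
    for label, form in (("bad form", BAD_FORM), ("good form", GOOD_FORM)):
        print(label)
        for field, problem in audit_login_form(form) or [("-", "no findings")]:
            print(f"  {field}: {problem}")
```

The good form shows the pattern that also unlocks passkey autofill: `autocomplete="username webauthn"` on the identifier field lets the browser offer a stored passkey in the same dropdown as saved passwords, so the passkey path and the mechanism path reinforce each other.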
Why it matters
AAA is rarely a compliance target, but for high-stakes services (banking, healthcare portals, government identity systems) meeting 3.3.9 is increasingly the right product decision. Passkeys are now broadly supported across iOS, Android, Windows, and macOS, and they satisfy the criterion for the users who needed it most. The path from 3.3.8 to 3.3.9 is usually a single product investment: add passkey support as a primary authentication method, and keep a no-cognitive-test route through every later step, MFA and step-up included.