WCAG 2.2 (AAA) SC 3.3.9 Accessible Authentication (Enhanced) (w3.org)
Issue description
WCAG 3.3.9, “Accessible Authentication (Enhanced)” builds upon the Level AA criterion 3.3.8 by setting stricter requirements for accessible authentication. While 3.3.8 focuses on avoiding cognitive function tests, this Level AAA criterion aims to minimize all barriers that authentication processes might create for users with disabilities.
Even when cognitive function tests are avoided, authentication processes can still pose challenges for users with:
- Cognitive disabilities: Users with cognitive disabilities might have difficulty with tasks like remembering passwords, understanding complex instructions, or managing multiple authentication steps.
- Visual impairments: Users with visual impairments might struggle to see or interact with certain authentication elements or understand complex layouts.
- Motor impairments: Users with motor impairments might have difficulty entering text accurately or interacting with small controls.
WCAG requirements
This guideline requires that authentication processes do not require user cognitive tests and that at least one of the following is true:
- Single-step authentication: The authentication process can be completed in a single step, without requiring multiple steps or interactions.
- Limited short-term memory: The authentication process does not require users to remember information from one step to the next.
- Assistive technology compatibility: The authentication process is compatible with assistive technologies and does not require visual or auditory interaction.
Benefits
- Enhanced accessibility: It makes authentication processes more accessible to a wider range of users with disabilities.
- Reduced cognitive load: It minimizes the cognitive effort required to complete authentication, making it easier for users with cognitive disabilities.
- Improved user experience: It creates a more inclusive and user-friendly experience for everyone.
Essentially, this guideline promotes a higher level of accessibility by encouraging websites to minimize all potential barriers in authentication processes. This includes simplifying the process, reducing cognitive load, and ensuring compatibility with assistive technologies.
Related requirements
The following WCAG source criteria are often related to this as well. They can provide additional insights into specific challenges you may be encountering.
Who this issue impacts
Follow the links for additional information on user impairments:
Suggestions for remediation
Remediating WCAG 3.3.9 “Accessible Authentication (Enhanced)” involves minimizing all potential barriers in authentication processes to make them accessible to the widest range of users with disabilities. Here’s how:
Avoid cognitive function tests
- No CAPTCHA: Avoid using any type of CAPTCHA, including visual, audio, or cognitive tests. These can be challenging for users with visual, auditory, or cognitive disabilities.
- No time limits: Remove any time limits on authentication processes, as this can create pressure and anxiety for users with cognitive disabilities.
- Simplify processes: Avoid requiring users to remember or enter complex sequences of information. Keep the number of steps and required actions to a minimum.
Prioritize single-step authentication
- Single action: Whenever possible, allow users to authenticate with a single action, such as:
- One-click login with a remembered device or biometric authentication.
- Magic links sent to the user’s email address.
- Social media login.
Minimize short-term memory requirements
- Don’t require recall: Avoid requiring users to remember information from one step to the next. If multiple steps are necessary, display the previously entered information for confirmation.
- Provide visual cues: Use visual cues, such as progress indicators, to help users understand where they are in the authentication process.
Ensure compatibility with assistive technologies
- Keyboard accessibility: Make sure all controls and forms in the authentication process can be operated using the keyboard alone.
- Screen reader compatibility: Ensure that the authentication process is compatible with screen readers and other assistive technologies. Provide clear labels, instructions, and alternative text for all elements.
- Avoid visual or auditory-only interaction: Don’t rely solely on visual or auditory cues for authentication. Provide alternatives for users who cannot see or hear.
Testing
- Test with assistive technologies: Thoroughly test the authentication process with screen readers and other assistive technologies to ensure it is accessible.
- User testing: Conduct user testing with people with a variety of disabilities (cognitive, visual, motor) to get feedback on the usability of the authentication process.
Examples
- Instead of a multi-step process: Allow users to log in with a single click using a remembered device or biometric authentication.
- Instead of requiring users to remember a code: Send a magic link to their email address that allows them to log in directly.
- Instead of relying solely on visual cues: Provide clear text instructions and alternative text for images in the authentication process.
By implementing these techniques, you can create authentication processes that are more accessible and inclusive, allowing users with disabilities to easily and independently access your website or application.
