Understanding SC 3.3.9: Accessible Authentication (Enhanced) (Level AAA)
In Brief
- Goal
- Make logins possible with less mental effort.
- What to do
- Don't make people recognize objects or user-supplied images and media to log in.
- Why it's important
- Some people with cognitive disabilities can't do puzzles, including identifying objects and non-text information they previously supplied.
Success Criterion (SC)
A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:
- Alternative
- Another authentication method that does not rely on a cognitive function test.
- Mechanism
- A mechanism is available to assist the user in completing the cognitive function test.
Intent
The purpose of this success criterion is to ensure there is an accessible, easy-to-use, and secure method to log in, access content, and undertake tasks. This criterion is the same as Accessible Authentication (Minimum) but without the exceptions for objects and user-provided content.
Any required step of the authentication process:
- cannot display a selection of images, videos, or audio clips, where users must choose which image they provided;
- cannot display a selection of images, where users must choose the images which contain a specific object, such as a car.
Benefits
The benefits of this success criterion are the same as Accessible Authentication (Minimum).
People with cognitive issues relating to memory, reading (for example, dyslexia), numbers (for example, dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.
Examples
The examples of this success criterion are very similar to the Accessible Authentication (Minimum) examples.
- A website uses properly marked up username (or email) and password fields as the login authentication (meeting Success Criterion 1.3.5: Identify Input Purpose and Success Criterion 4.1.2: Name, Role, Value). The user's browser or integrated third-party password manager extension can identify the purpose of the inputs and automatically fill in the username and password.
- A website does not block paste functionality. The user is able to use a third-party password manager to store credentials, copy them, and paste them directly into a login form.
- A website uses WebAuthn so the user can authenticate with their device instead of username/password. The user's device could use any available modality. Common methods on laptops and phones are facial-scan, fingerprint, and PIN (Personal Identification Number). The website is not enforcing any particular use; it is assumed a user will set up a method that suits them.
- A website offers the ability to log in with a third-party provider using the OAuth method.
- A website that requires two-factor authentication allows for multiple options for the 2nd factor, including a USB-based method where the user simply presses a button to enter a time-based token.
- A website that requires two-factor authentication displays a QR code which can be scanned by an app on a user's device to confirm identity.
- A website that requires two-factor authentication sends a notification to a user's device. The user must use their device's authentication mechanism (for example, user-defined PIN, fingerprint, facial recognition) to confirm identity.
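As an added illustration of the first two examples above (this audit is not part of the W3C page), the following Python script parses a login form and reports inputs that lack the input-purpose `autocomplete` tokens from SC 1.3.5 or that carry an inline `onpaste` handler. Both forms are constructed samples, and the checks cover only attribute-level markup, not paste-blocking listeners attached from script.

```python
from html.parser import HTMLParser

# Constructed sample: a login form marked up as the first two examples describe.
GOOD_FORM = """
<form method="post" action="/login">
  <label for="user">Email</label>
  <input id="user" name="user" type="email" autocomplete="username">
  <label for="pw">Password</label>
  <input id="pw" name="pw" type="password" autocomplete="current-password">
</form>
"""

# Constructed sample: password managers defeated and paste blocked inline.
BAD_FORM = """
<form method="post" action="/login">
  <input name="user" type="text" autocomplete="off" placeholder="Username">
  <input name="pw" type="password" onpaste="return false;" autocomplete="off">
</form>
"""


class _InputCollector(HTMLParser):
    """Collect the attributes of every <input> element in the document."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # Attribute values may be None for bare attributes; normalise case.
            self.inputs.append({k: (v or "").lower() for k, v in attrs})


def audit_login_form(html):
    """Return a list of findings; an empty list means every check passed."""
    parser = _InputCollector()
    parser.feed(html)
    findings = []
    for inp in parser.inputs:
        name = inp.get("name") or inp.get("id") or "?"
        purpose = inp.get("autocomplete", "")
        kind = inp.get("type", "text")  # <input> defaults to type=text
        if "onpaste" in inp:
            findings.append(f"{name}: inline onpaste handler may block pasting")
        if kind == "password" and purpose not in ("current-password", "new-password"):
            findings.append(f"{name}: password field lacks autocomplete=current-password")
        elif kind in ("text", "email") and purpose not in ("username", "email"):
            findings.append(f"{name}: username field lacks autocomplete=username")
    return findings
```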
Related Resources
Resources are for information purposes only; no endorsement is implied.
- Cognitive Accessibility Gap Analysis Topic 1: Authentication and Safety
- Cognitive Accessibility Issue Papers 4. Web Security and Privacy Technologies and Web Security and Privacy Technologies
- Making Content Usable for People with Cognitive and Learning Disabilities 4.7.1 Provide a Login that Does Not Rely on Memory or Other Cognitive Skills
- Security and Privacy Technologies issue paper from the Cognitive Task Force.
- WebAuthN specification.
- Web Authentication API on MDN.
- WebAuthN Demo site.
- OAuth on Wikipedia.
- "Let them paste passwords", from the UK's National Cyber Security Centre (archived)
- NIST SP 800-63 Digital Identity Guidelines (Second Public Draft of Revision 4) / SP 800-63B Authentication & Authenticator Management
Techniques
Each numbered item in this section represents a technique or combination of techniques that the Accessibility Guidelines Working Group deems sufficient for meeting this Success Criterion. A technique may go beyond the minimum requirement of the criterion. There may be other ways of meeting the criterion not covered by these techniques. For information on using other techniques, see Understanding Techniques for WCAG Success Criteria, particularly the "Other Techniques" section.
Sufficient Techniques
- G218: Email link authentication
- H100: Providing properly marked up email and password inputs
- Providing WebAuthn as an alternative to username/password (Potential future technique)
- Providing a third-party login using OAuth (Potential future technique)
- Using two techniques to provide two-factor authentication (Potential future technique)
Failures
The following are common mistakes that are considered failures of this Success Criterion by the Accessibility Guidelines Working Group.
Key Terms
- assistive technology
- hardware and/or software that acts as a user agent, or along with a mainstream user agent, to provide functionality to meet the requirements of users with disabilities that go beyond those offered by mainstream user agents
  - Note 1: Functionality provided by assistive technology includes alternative presentations (e.g., as synthesized speech or magnified content), alternative input methods (e.g., voice), additional navigation or orientation mechanisms, and content transformations (e.g., to make tables more accessible).
  - Note 2: Assistive technologies often communicate data and messages with mainstream user agents by using and monitoring APIs.
  - Note 3: The distinction between mainstream user agents and assistive technologies is not absolute. Many mainstream user agents provide some features to assist individuals with disabilities. The basic difference is that mainstream user agents target broad and diverse audiences that usually include people with and without disabilities. Assistive technologies target narrowly defined populations of users with specific disabilities. The assistance provided by an assistive technology is more specific and appropriate to the needs of its target users. The mainstream user agent may provide important functionality to assistive technologies like retrieving web content from program objects or parsing markup into identifiable bundles.
- cognitive function test
- A task that requires the user to remember, manipulate, or transcribe information. Examples include, but are not limited to:
  - memorization, such as remembering a username, password, set of characters, images, or patterns. The common identifiers name, e-mail, and phone number are not considered cognitive function tests as they are personal to the user and consistent across websites;
  - transcription, such as typing in characters;
  - use of correct spelling;
  - performance of calculations;
  - solving of puzzles.
- conformance
- satisfying all the requirements of a given standard, guideline or specification
- mechanism
- process or technique for achieving a result
  - Note 1: The mechanism may be explicitly provided in the content, or may be relied upon to be provided by either the platform or by user agents, including assistive technologies.
  - Note 2: The mechanism needs to meet all success criteria for the conformance level claimed.
- process
- series of user actions where each action is required in order to complete an activity
- relied upon
- the content would not conform if that technology is turned off or is not supported
- technology
- mechanism for encoding instructions to be rendered, played or executed by user agents
  - Note 1: As used in these guidelines "web technology" and the word "technology" (when used alone) both refer to web content technologies.
  - Note 2: Web content technologies may include markup languages, data formats, or programming languages that authors may use alone or in combination to create end-user experiences that range from static web pages to synchronized media presentations to dynamic Web applications.
- user agent
- any software that retrieves and presents web content for users