Skip to content

Understanding SC 3.3.9:Accessible Authentication (Enhanced) (Level AAA)

Status

This understanding document is part of the draft WCAG 2.2 content. It may change or be removed before the final WCAG 2.2 is published.

Intent

The purpose of this Success Criterion is to ensure there is an accessible, easy-to-use, and secure method to log in, access content, and undertake tasks. This criterion is the same as Accessible Authentication but without the exceptions for objects and user-provided content.

The scenarios where the two exceptions might apply are authentication mechanisms which:

  • display a selection of images, and the user must choose which image they provided;
  • display a selection of items as text, and the user must choose which they had provided;
  • display a selection of images, and the user must choose the images which contain an object such as a car.

Benefits

The benefits of this success criterion are the same as Accessible Authentication.

People with cognitive issues relating to memory, reading (for example, dyslexia), numbers (for example, dyscalculia), or perception-processing limitations will be able to authenticate irrespective of the level of their cognitive abilities.

Examples

The examples of this success criterion are very similar to the Accessible Authentication.

  • A web site uses a properly marked up username (or email) and password fields as the login authentication (meeting Success Criterion 1.3.5 Input Purpose and Success Criterion 4.1.2: Name, Role, Value). The user's browser or integrated third-party password manager extension can identify the purpose of the inputs and automatically fill in the username and password.
  • A web site does not block paste functionality. The user is able to use a third-party password manager to store credentials, copy them, and paste them directly into a login form.
  • A web site uses WebAuthn so the user can authenticate with their device instead of username/password. The user's device could use any available modality. Common methods on laptops and phones are facial-scan, fingerprint, and PIN (Personal Identification Number). The web site is not enforcing any particular use, it is assumed a user will setup a method that suits them.
  • A web site offers the ability to login with a third-party provider using the OAuth method.
  • A web site that requires two-factor authentication allows for multiple options for the 2nd factor, including a USB-based method where the user simply presses a button to enter a time-based token.
  • A web site that requires two-factor authentication displays a QR code which can be scanned by an app on a user's device to confirm identity.
  • A web site that requires two-factor authentication sends a notification to a user's device. The user must use their device's authentication mechanism (for example, user-defined PIN, fingerprint, facial recognition) to confirm identity.

Related Resources

Resources are for information purposes only, no endorsement implied.

Techniques

Each numbered item in this section represents a technique or combination of techniques that the WCAG Working Group deems sufficient for meeting this Success Criterion. However, it is not necessary to use these particular techniques. For information on using other techniques, see Understanding Techniques for WCAG Success Criteria, particularly the "Other Techniques" section.

Sufficient Techniques

  1. G218: Email link authentication
  2. Providing a properly marked up email and password inputs (Potential future technique)
  3. Providing WebAuthn as an alternative to username/password (Potential future technique)
  4. Providing a 3rd party login using oAuth (Potential future technique)
  5. Using two techniques to provide 2 factor authentication (Potential future technique)

Key Terms

cognitive function test

A task that requires the user to remember, manipulate, or transcribe information. Examples include, but are not limited to:

  • memorization, such as remembering a username, password, set of characters, images, or patterns. The common identifiers name, e-mail, and phone number are not considered cognitive function tests as they are personal to the user and consistent across websites;
  • transcription, such as typing in characters;
  • use of correct spelling;
  • performance of calculations;
  • solving of puzzles.
Back to Top