2.2.1 Timing Adjustable
- Level A
- Operable
- Since WCAG 2.0
Summary
Time limits punish anyone who needs longer than the designer assumed: screen reader users navigating a form field by field, people with motor impairments who type slowly, people with cognitive or reading disabilities, and anyone interrupted mid-task. When a session expires, a checkout hold lapses, or a message vanishes before it can be read, the product has quietly decided how fast its users are allowed to be. This criterion (Level A, unchanged since WCAG 2.0) says the content may not make that decision unilaterally: every time limit the content sets must be one the user can turn off, adjust to at least ten times the default, or extend, unless a narrow exception applies.
The auditor's mental model is a two-step filter. First, inventory every time limit the content itself sets: session timeouts (including server-side expiry, which the content sets even though the browser never shows a timer), checkout and booking countdowns, timed redirects, quizzes, one-time codes, and messages or controls that disappear on a timer. Second, run each limit through the six options in order: turn off, adjust, extend, real-time, essential, over 20 hours. One satisfied option is a pass. The extend option is by far the most common compliant pattern in practice: a warning before expiry, at least 20 seconds to respond, a simple action such as pressing one button, repeatable at least ten times. Grade the exceptions sceptically; "essential" means extending would invalidate the activity itself, not that the business would prefer urgency.
Official wording
For each time limit that is set by the content, at least one of the following is true:
Turn off:
The user is allowed to turn off the time limit before encountering it; or
Adjust:
The user is allowed to adjust the time limit before encountering it over a wide range that is at least ten times the length of the default setting; or
Extend:
The user is warned before time expires and given at least 20 seconds to extend the time limit with a simple action (for example, "press the space bar"), and the user is allowed to extend the time limit at least ten times; or
Real-time Exception:
The time limit is a required part of a real-time event (for example, an auction), and no alternative to the time limit is possible; or
Essential Exception:
The time limit is essential and extending it would invalidate the activity; or
20 Hour Exception:
The time limit is longer than 20 hours.
EN 301 549 mapping
- Web pages
- Clause 9.2.2.1
- Software and native apps
- Clause 11.2.2.1 (via Table 11.4)
Clause 9.2.2.1 applies this criterion to web pages unchanged. For software, clause 11.2.2.1 carries the requirement through a word-substitution table (Table 11.4) that restates it for application user interfaces.
Clause references are to EN 301 549 V3.2.1 (2021-03), the harmonised European standard. Descriptions are our own summary, not the text of the standard.
In practice
Web
Start by finding the limits, because the hardest part of testing this criterion is knowing a timer exists at all. Log in and leave the page idle with the network panel of the browser developer tools open: watch for polling that stops, forced redirects to a login page, or a warning dialog. Check the page source for meta http-equiv="refresh" redirects, which are a content-set time limit. Then walk any flow with a visible countdown: checkout holds, seat reservations, quiz timers, limited-time offers.
For each limit, trigger it and observe. For a session timeout, the compliant pattern you are looking for is a warning dialog that appears before expiry, offers a simple extension action ("Stay signed in"), gives you at least 20 seconds to use it, and works at least ten times: idle repeatedly and re-extend to confirm the extension is not capped early. Time the warning window with a stopwatch; a dialog that self-dismisses in 10 seconds fails even though a warning exists. Also confirm the extension really is a simple action: a single activation passes, but a dialog that demands you re-enter your password inside the warning window does not meet the "simple action" bar. Alternatively, look for a turn off or adjust control offered before the limit is encountered (an account setting for session length, for example); an adjust option must reach at least ten times the default.
Two limits deserve honest handling rather than reflex fails. One-time passcodes with short lifetimes are usually a legitimate essential exception: the short validity is the security property, and extending it would invalidate the mechanism. Grade the expiry itself as essential, but check the recovery path: a new code should be requestable with a simple action, and whether your other form entries survive the round trip is a separate question (see the confusions section). Booking holds qualify for the real-time exception only when inventory is genuinely contested, as with event seats released back to other live buyers; a countdown that exists purely to create urgency, where nothing is actually being held against other users, is not a real-time event and needs a turn off, adjust, or extend route.
Auto-advancing carousels are mostly a moving-content question graded elsewhere, but they cross into this criterion when the rotation is effectively a time limit on a task: content or a control the user needs disappears on a timer before it can be read or activated, with no way to bring it back. The same logic catches toast-style status messages that carry an action and vanish after a few seconds.
iOS
Native apps are fully in scope: for software, the European standard carries this requirement through a word-substitution table that restates it for application user interfaces, so app-set time limits are graded exactly as web ones.
Testing is behavioural and needs little tooling beyond a stopwatch and patience. Sign in to the app and idle it in the foreground; banking and finance apps are the richest hunting ground, since almost all of them enforce inactivity timeouts. Watch for the compliant pattern: an alert before expiry with an extend action, at least 20 seconds of warning window, repeatable at least ten times. Then run the same idle test with VoiceOver on: the warning must actually be exposed when it appears (announced, and reachable as the focused alert), because a warning a screen reader user never hears gives them zero of their 20 seconds. Also idle the app, background it, and return: distinguish the app's own session expiry (content-set, in scope) from an OS-level device lock or a platform biometric prompt (platform behaviour, not a content-set limit).
Common iOS failure spots: hard logouts with no prior warning that dump the user onto the sign-in screen; warning alerts that self-dismiss too quickly; timed onboarding or promotional sheets that disappear on their own; and in-app countdown flows (order holds, code entry) with no extension path and no genuine essential or real-time justification.
Android
The same word-substitution reading of the European standard applies, so Android app time limits are in scope on the same terms as iOS.
Test by idling: foreground the signed-in app and wait out the inactivity window, timing the warning-to-expiry gap with a stopwatch. Repeat with TalkBack running and confirm the timeout warning is announced and its extend control is reachable and activates with a simple action. Idle-and-return testing matters here too: process death and restore behaviour varies, so note whether the app warned before ending the session or silently expired it while backgrounded (a limit the user could never see coming is a limit they were not warned about). Snackbars and toasts are a specific Android trap: a purely informative toast is harmless, but a snackbar carrying an action ("Undo") that disappears after a few seconds is a content-set time limit on that action with no extension.
Common Android failure spots: silent session expiry discovered only on the next tap; OTP entry screens that block a resend for longer than the code lives; auto-dismissing dialogs; and checkout or top-up flows with countdowns that cannot be extended and do not reflect genuinely contested inventory.
Pass and fail examples
Passes:
- A banking session that shows a modal two minutes before expiry with a "Stay signed in" button, gives well over 20 seconds to respond, and can be extended indefinitely.
- An account setting, available before any timeout is encountered, that lets the user lengthen the default 15 minute session to at least 150 minutes or disable the timeout entirely: the adjust and turn off options.
- A ticket checkout that holds contested seats for 10 minutes and releases them to other live buyers on expiry: real-time exception, because the limit is a required part of a genuinely live allocation.
- An SMS one-time code valid for 5 minutes, with a one-tap "resend code" available: essential exception, since a long-lived code would defeat the security purpose.
- A saved application form whose session lasts 24 hours: the 20 hour exception.
Fails:
- A session that expires with no warning at all, discarding the user to the login screen mid-task.
- A timeout warning that gives 10 seconds before logging the user out: a warning exists, but the 20 second floor is not met.
- A warning dialog whose only extension route is re-entering the account password within the warning window: not a simple action.
- An extension mechanism capped at two uses before forcing logout: the extend option requires at least ten extensions.
- A "your basket is reserved for 10 minutes" countdown that voids the checkout, where nothing is held against other buyers and no extend, adjust, or turn off option exists: urgency theatre, not a real-time event.
- A snackbar with an "Undo" action that disappears after four seconds with no way to recover the action.
- A timed quiz with no adjust or extend option where speed is not part of what is being assessed, so the essential exception does not hold.
Not a fail under this criterion:
- An auto-advancing carousel whose slides all remain reachable through visible controls: grade the motion under SC 2.2.2 Pause, Stop, Hide; it lands here only if timed disappearance stops the user completing a task.
- The device lock screen engaging, or a browser's own behaviour, during idle testing: platform and user agent limits are not set by the content.
- Entered form data being wiped after the user re-authenticates within the same process: that is a data persistence finding under SC 3.3.7 Redundant Entry, provided the timeout itself was properly warned and extendable.
- A short-lived one-time code with a simple resend path: essential exception, however brief the lifetime feels.
Commonly confused with
- SC 2.2.2 Pause, Stop, Hide. The standard split for carousels and other moving content: motion, blinking, and auto-updating are graded there. File under 2.2.1 only when content disappearing on a timer prevents a task from being completed, such as an actionable message that vanishes before it can be activated. One behaviour can earn both findings, but they need separate evidence.
- SC 3.3.7 Redundant Entry. 2.2.1 governs the timeout itself; 3.3.7 governs whether previously entered data survives re-authentication within the same process. A compliant, extendable timeout can still produce a 3.3.7 fail if the restored session comes back with fields emptied. Remember the house position: platform autofill rescuing the user does not satisfy 3.3.7.
- SC 2.2.3 No Timing. The Level AAA sibling removes timing entirely except for real-time events and essential limits. An auditor demanding that a properly extendable timeout be abolished is applying 2.2.3 to a Level A or AA audit.
- SC 2.2.6 Timeouts. Also Level AAA: it requires warning users that inactivity will cause data loss. Do not import its data-loss framing into 2.2.1, which asks only whether the limit can be turned off, adjusted, or extended.
- SC 2.2.4 Interruptions. Covers postponing or suppressing interruptions such as pop-ups and auto-updates. An interruption that arrives at a bad moment is a 2.2.4 (AAA) concern; an interruption that gives you no time to respond before acting is a 2.2.1 concern.
How AUDITSU tests this
AUDITSU's audit walkthrough covers timing on every screen and flow you review. Where a screen belongs to a signed-in session or contains a countdown, the walkthrough prompts you to identify the time limit, idle through it, and grade what happens: was there a warning, how long did the warning window last, was the extension a single simple action, and how many times could it be repeated. Where you claim an exception, the walkthrough asks you to record why it holds (what is genuinely live, or why extending would invalidate the activity), so the justification travels with the finding. For session warnings, the walkthrough has you repeat the idle test with the screen reader running, because a warning that is never announced fails the people the criterion most protects.
Each check records a pass, fail, or not applicable result per screen with evidence attached, typically a capture of the warning dialog and the timing you observed, so the report ties every timing finding to the exact flow that produced it. For the full guided workflow, see the audit platform.