Is Your Authentication Process Truly Accessible for Everyone?

Suppose you're doing an important financial transaction, and at the very last step you're asked to prove you're human by solving a CAPTCHA. But no matter how hard you try, you can't get past it. Frustrating, right? You’d feel stuck and helpless.

Now, think about how this might feel for people with disabilities. Many authentication methods can create similar barriers for them, leading to the same feelings of frustration.

Of course, security is important—we all want authentication to be as secure as possible. But here’s the thing: it can be secure and accessible at the same time, without compromising either.

 

How can we ensure that the authentication process is accessible?

Make sure that no step in the authentication process requires mental effort. Users should not be forced to solve puzzles, recall information, or transcribe anything. This is particularly important for people with cognitive disabilities, as they may struggle with tasks like remembering usernames and passwords or retyping one-time passcodes.

According to WCAG 2.2 SC 3.3.8 Accessible Authentication (Minimum):

A cognitive function test (like remembering a password or solving a puzzle) should not be required during any part of an authentication process unless one of the following is true:

  1. Alternative: There is another authentication method available that doesn’t require a cognitive test.
  2. Assistance: A tool or support is available to help the user complete the cognitive test.
  3. Object Recognition: The test involves recognizing objects like images, audio or video.
  4. Personal Content: The test requires identifying content the user has uploaded (like photos, videos, or audio).

 

What does a cognitive function test mean?

A cognitive function test is any task that relies on memory or problem-solving skills to complete. For example, remembering a password made of random characters or performing a pattern gesture on a touchscreen are both cognitive function tests. These tests can create barriers for people with cognitive disabilities, who may find them difficult or even impossible to complete. To ensure accessibility, whenever such a test is required there must be an alternative authentication method that does not depend on memory or complex thinking. If the authentication process has more than one step, as with multi-factor authentication, no step may rely solely on a cognitive function test.

 

Challenges and their Solutions

Based on the WCAG success criterion above, let us discuss some common accessibility challenges in the authentication process and their potential solutions.

 

Challenge 1: Difficulty in Remembering Username and Password

Websites most commonly verify users with a username and password. However, remembering both can be very difficult or even impossible for people with certain cognitive disabilities. Some websites also block pasting, or demand a specific format (like "Enter the 3rd, 4th, and 6th characters of your password"), which forces users to transcribe the information manually, something they may not be able to do.

 

Solutions

Copy & Paste

Copying and pasting helps users avoid transcription errors. For instance, users can copy their login details from a standalone third-party password manager and paste them directly into the username and password fields.

 

Enable Username & Password Autofill

Authors should design login forms so that browsers and password managers can fill the username and password fields automatically. This is achieved with clear, accessible labels and the correct autocomplete attributes (e.g., autocomplete="username" and autocomplete="current-password"), which let browsers and password managers recognize and populate the fields accurately.
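As an added example (not code from the original post), the block below shows a login form carrying the autocomplete tokens above, next to a small audit helper that flags the patterns this section warns about: missing tokens, autocomplete="off", and inline onpaste handlers that block pasting from a password manager. The field ids, names and the form action are assumed values, and the tag parsing is a deliberate simplification for flat `<input ...>` tags rather than a full HTML parser.

```javascript
// Added example, not code from the original post. Field ids, names and the
// action URL are assumed; the regex-based parsing handles flat <input ...> tags
// only and is not a substitute for a real HTML parser.

const LOGIN_FORM_HTML = `
<form method="post" action="/login">
  <label for="username">Username or email</label>
  <input id="username" name="username" type="text"
         autocomplete="username" spellcheck="false" required>

  <label for="password">Password</label>
  <input id="password" name="password" type="password"
         autocomplete="current-password" required>

  <button type="submit">Sign in</button>
</form>`;

// Constructed counter-example: fields that defeat password managers and block pasting.
const BAD_LOGIN_FORM_HTML = `
<form method="post" action="/login">
  <input name="user" type="text" autocomplete="off" onpaste="return false">
  <input name="pass" type="password" onpaste="return false">
</form>`;

// Collect the attributes of every <input> tag as a lower-cased name -> value map.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return human-readable findings for a username/password form; an empty list
// means the form supports autofill and copy-paste as recommended above.
function auditLoginMarkup(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const label = attrs.name || attrs.id || '(unnamed input)';
    const type = (attrs.type || 'text').toLowerCase();
    const ac = (attrs.autocomplete || '').toLowerCase();
    if (ac === 'off') {
      findings.push(`${label}: autocomplete="off" asks password managers not to fill this field`);
    } else if (type === 'password' && ac !== 'current-password' && ac !== 'new-password') {
      findings.push(`${label}: password field should carry autocomplete="current-password" (or "new-password" on sign-up)`);
    } else if ((type === 'text' || type === 'email') && ac !== 'username') {
      findings.push(`${label}: username field should carry autocomplete="username"`);
    }
    if ('onpaste' in attrs) {
      findings.push(`${label}: inline onpaste handler blocks pasting from a password manager`);
    }
  }
  return findings;
}
```

Running `auditLoginMarkup(LOGIN_FORM_HTML)` yields no findings, while the constructed bad form produces one finding per defect; the same check can be run over rendered templates in a CI job so a regression that reintroduces autocomplete="off" or a paste blocker is caught before release.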

 

"I'm a retiree navigating the digital world with mild cognitive challenges. Logging into websites can be frustrating when I have to remember usernames and passwords or type specific characters. I rely on my password manager, and features like copy-paste and autofill make the process much smoother and less stressful!"

 

Challenge 2: Difficulty in Typing and Remembering Hidden Characters

Hiding characters as a password is typed increases cognitive load, especially for people with cognitive disabilities or those who struggle to type accurately. While masking is a common security feature, it makes it harder for some users to confirm whether they are typing the correct password.

 

Solutions

An Option to Show the Password

To address this, an option to show the password should be provided. Allowing users to view the characters as they type can improve accuracy and reduce cognitive load, especially for people with typing and cognitive difficulties.
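The toggle described here, as an added example that is not code from the original post. It assumes a password field `<input id="password" type="password">` and a `<button type="button" id="toggle-password">` next to it (type="button" so the toggle never submits the form). `togglePasswordVisibility` only touches `type`, `textContent` and `setAttribute`, so it can be exercised outside a browser; `wireShowPassword` attaches it to real DOM elements when a document exists.

```javascript
// Added example, not code from the original post. Element ids are assumed.

// Flip between masked and visible text and keep the button's accessible state
// in sync: aria-pressed tells screen-reader users whether the password is
// currently shown. Returns true when the password is now visible.
function togglePasswordVisibility(input, button) {
  const reveal = input.type === 'password';
  input.type = reveal ? 'text' : 'password';
  button.setAttribute('aria-pressed', String(reveal));
  button.textContent = reveal ? 'Hide password' : 'Show password';
  return reveal;
}

// Attach the toggle. The field starts masked, so the button begins "not pressed";
// aria-controls links the button to the field it affects.
function wireShowPassword(input, button) {
  button.setAttribute('aria-pressed', 'false');
  button.setAttribute('aria-controls', input.id);
  button.textContent = 'Show password';
  button.addEventListener('click', () => togglePasswordVisibility(input, button));
  // Re-mask on submit so the password is not left readable on a shared screen;
  // the submitted value is unaffected by the field's type.
  if (input.form) {
    input.form.addEventListener('submit', () => {
      if (input.type === 'text') togglePasswordVisibility(input, button);
    });
  }
}

// Minimal stand-in for a DOM element, used when running outside a browser.
function fakeElement(props = {}) {
  const attrs = {};
  return {
    ...props,
    textContent: '',
    setAttribute: (k, v) => { attrs[k] = v; },
    getAttribute: (k) => attrs[k],
    addEventListener: () => {},
  };
}

// Browser bootstrap; skipped when there is no document (e.g. under Node).
if (typeof document !== 'undefined') {
  const input = document.getElementById('password');
  const button = document.getElementById('toggle-password');
  if (input && button) wireShowPassword(input, button);
}
```

Using a real `<button>` (rather than a clickable icon) keeps the control keyboard-operable and lets assistive technology announce its pressed state.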

 

"As a customer service representative with dyslexia, I struggle with typing passwords when the characters are hidden. I don’t know what I’m typing, and it’s so frustrating! Oh wait, I can reveal the password to make sure I’ve got it right. That small option would save me a lot of stress when logging in!"

 

Challenge 3: Difficulty in Solving the CAPTCHA

CAPTCHAs are commonly used to distinguish humans from bots, but they often create barriers for people with disabilities, especially those with visual or cognitive impairments. CAPTCHAs that use distorted text or complex puzzles are particularly challenging.

 

Solutions

Provide Audio CAPTCHA Without Transcription

Offer an audio CAPTCHA that does not require users to transcribe spoken content. For instance, users could be asked to press a specific key or select an option based on what they hear, rather than typing out numbers or words. This makes the process more accessible for people with disabilities, reducing the cognitive and physical effort involved.

 

Checkbox Like “I Am Not a Robot”

Use a simple checkbox CAPTCHA that lets users confirm they are human by ticking a box. This approach relies on background signals to verify authenticity, making it quick and easy for most users without requiring additional tasks.

 

Object-Based Recognition

Object-based CAPTCHAs ask users to select specific images, such as those containing traffic lights or animals. While this method is simpler than other types of challenges, it should strictly focus on recognition tasks. For instance, it should not include complex instructions, such as calculating the product of the number of dogs and cats in the images, as this adds unnecessary cognitive burden. This approach is not accepted at the AAA level of WCAG 2.2 because it can still create challenges for some people with cognitive disabilities.

Additionally, as someone with a visual impairment, I find it nearly impossible to identify objects in images because I cannot see them. Honestly, I am uncertain about how feasible or secure it would be to provide alternative text for such images. While alt text could potentially improve accessibility, it might also compromise the security of the CAPTCHA. In my opinion, it’s better to explore other accessible alternatives or to provide multiple CAPTCHA options.

 

"As someone with dyslexia, checking my bank transactions online can be a real challenge because of CAPTCHAs. The distorted text and complicated puzzles are hard to read and understand. But if there were an audio CAPTCHA where I could simply press a key or select an option based on what I hear, it would make logging in so much easier and less frustrating!"

 

Challenge 4: Difficulty in Manually Transcribing and Entering a Verification Code

Two-factor authentication often requires users to enter a verification code, also known as a one-time password (OTP). However, if this process requires users to manually transcribe the code, it can be problematic for people with cognitive disabilities, as it may be difficult for them to complete the task.

 

Solutions

Allow users to copy and paste the OTP

One simple solution is to allow users to copy the OTP from its source (e.g., an SMS or email) and paste it directly into the verification field. This reduces errors and simplifies the process, making it more accessible for all users. If the OTP is delivered to a secondary device, users can forward it to their primary device by email or some other method; they should then be allowed to paste it into the verification field.

 

Enable OTP autofill and smart features

Modern devices and browsers often support OTP autofill, automatically detecting and filling the code sent via SMS or email. This removes the need for users to manually switch between apps or screens, easing the process for all of us.
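The two solutions above (paste-friendly OTP entry and OTP autofill), as an added example that is not code from the original post. The field uses autocomplete="one-time-code", which is what lets iOS, Android and desktop browsers offer a code received by SMS or email, and `normalizeOtp` accepts whatever the user pasted, including a code with spaces or dashes or the whole message text. `requestSmsOtp` uses the WebOTP API (available in Chromium-based browsers) and returns null anywhere it is unsupported. The 6-digit length, element ids and the example.com host are assumptions.

```javascript
// Added example, not code from the original post. OTP length, element ids and
// the example.com host are assumptions.

const OTP_LENGTH = 6;

// autocomplete="one-time-code" lets the browser offer the received code;
// inputmode="numeric" brings up a digit keypad; no maxlength and no paste
// blocking, because a pasted "123 456" is longer than the code itself.
const OTP_FIELD_HTML = `
<label for="otp">Verification code</label>
<input id="otp" name="otp" type="text" inputmode="numeric" pattern="[0-9]*"
       autocomplete="one-time-code">`;

// Turn whatever the user pasted into the bare code, or null if no code is found:
//   "123 456" / "123-456"                       -> "123456"
//   "Your code is 123456. It expires in 10 minutes." -> "123456"
//   "12345" (too short) / "1234567" (too long)  -> null
function normalizeOtp(raw) {
  const text = String(raw);
  const digitsOnly = text.replace(/\D+/g, '');
  if (digitsOnly.length === OTP_LENGTH) return digitsOnly;
  const run = text.match(new RegExp(`(?<!\\d)\\d{${OTP_LENGTH}}(?!\\d)`));
  return run ? run[0] : null;
}

// Ask the browser for an SMS code without the user switching apps. The SMS must
// end with a line in the WebOTP format "@<origin host> #<code>", for example
// "@login.example.com #123456" (placeholder host). Resolves to null when the
// API is unavailable, the user dismissed the prompt, or the request was aborted.
async function requestSmsOtp(signal) {
  if (typeof navigator === 'undefined' || !('OTPCredential' in globalThis)) return null;
  try {
    const cred = await navigator.credentials.get({ otp: { transport: ['sms'] }, signal });
    return cred ? normalizeOtp(cred.code) : null;
  } catch (err) {
    return null;
  }
}

// Browser bootstrap; skipped when there is no document (e.g. under Node).
if (typeof document !== 'undefined') {
  const field = document.getElementById('otp');
  if (field) {
    // Clean up pasted or typed input in place; partial input is left alone.
    field.addEventListener('input', () => {
      const code = normalizeOtp(field.value);
      if (code && code !== field.value) field.value = code;
    });
    // Stop waiting for an SMS once the user submits by another route.
    const abort = new AbortController();
    field.form?.addEventListener('submit', () => abort.abort());
    requestSmsOtp(abort.signal).then((code) => {
      if (code) field.value = code;
    });
  }
}
```

Filling the field rather than auto-submitting leaves the user in control of the final step; the server-side check of the code (expiry, single use, attempt limits) is unchanged by any of this.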

 

Alternatives That Do Not Require Cognitive Function Tests

There are several other alternatives that do not depend on a cognitive function test. A few of them are mentioned below.

  • Hardware Authentication Devices: Devices like YubiKey or Google Titan Security Key provide a physical token for authentication. Users simply insert the key into a USB port or tap it on a compatible device to verify their identity. This straightforward method eliminates the need for remembering or entering codes.
  • Biometric Authentication: Biometric methods such as Touch ID, Face ID, or Windows Hello rely on unique physical characteristics like fingerprints, facial features, or iris patterns. These methods provide seamless and intuitive authentication with a single gesture, requiring no cognitive effort.
  • Device-Based Verification: This method often uses authentication apps, such as Duo or Google Authenticator, to approve login attempts via a push notification. Additionally, some apps allow users to scan a QR code displayed on the login screen, which links the login session to the app for secure verification. These methods reduce manual input and provide a low-cognitive-load alternative.
  • Operating System-Integrated Authentication: Modern operating systems like Windows, macOS, and iOS offer built-in authentication methods such as biometrics or secure device pairing. These systems seamlessly integrate into the user's workflow, enabling secure logins without requiring additional effort.
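The hardware-key, biometric and OS-integrated options listed above all reach the browser through one API, WebAuthn. As an added example (not code from the original post or from any of the products named), the block below builds WebAuthn registration options that let the user enrol either a platform authenticator (Touch ID, Face ID, Windows Hello) or a roaming security key, and keeps user verification at "preferred" so a user who cannot use a fingerprint reader is not locked out. The relying party id/name, user values and the challenge string are placeholders; in a real flow the challenge and user id come from the server, which also verifies the returned credential.

```javascript
// Added example, not code from the original post. Relying party, user values
// and the challenge are placeholders; a real challenge is issued by the server.

const RP = { id: 'login.example.com', name: 'Example Bank' };  // placeholder relying party

// Decode base64url, the encoding servers usually use for challenges and user ids.
function base64urlToBytes(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// attachment: 'platform' (built-in biometrics), 'cross-platform' (USB/NFC
// security key) or 'any' (browser offers both). userVerification 'preferred'
// rather than 'required' keeps the key's presence test usable when a
// biometric or PIN cannot be performed; residentKey 'preferred' enables
// usernameless sign-in where the authenticator supports it.
function buildRegistrationOptions({ challenge, userId, userName, displayName, attachment = 'any' }) {
  const authenticatorSelection = { residentKey: 'preferred', userVerification: 'preferred' };
  if (attachment !== 'any') authenticatorSelection.authenticatorAttachment = attachment;
  return {
    challenge: base64urlToBytes(challenge),
    rp: RP,
    user: { id: base64urlToBytes(userId), name: userName, displayName },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },    // ES256
      { type: 'public-key', alg: -257 },  // RS256
    ],
    authenticatorSelection,
    timeout: 120000,     // ms; generous so slow or assisted users are not timed out
    attestation: 'none', // no device attestation needed for a consumer login
  };
}

// Browser side of enrolment. Returns null where WebAuthn is unavailable so the
// caller can fall back to another method offered on the page.
async function registerCredential(opts) {
  if (typeof window === 'undefined' || !window.PublicKeyCredential) return null;
  const cred = await navigator.credentials.create({ publicKey: buildRegistrationOptions(opts) });
  // cred.id, cred.rawId and cred.response (clientDataJSON, attestationObject)
  // go to the server, which verifies them before storing the public key.
  return cred;
}
```

Offering the choice of attachment on the enrolment page, instead of fixing one, is what lets the same flow serve a user with a YubiKey and a user relying on Face ID, which is the point of the list above.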

 

Things to Note

I personally believe that while alternatives like USB-based authentication, fingerprint scanning, or QR code scanning are excellent options to replace cognitive function tests, they should not be used as the only methods of authentication. People with motor disabilities or other physical challenges may find these methods difficult or impossible to use.

For example:

  • Someone with a device mounted in a fixed position may not be able to scan a QR code.
  • People with hand tremors or those unable to use their hands may struggle with fingerprint scanning or inserting a physical key.

These methods can serve as alternatives to cognitive tests, but it is important to also offer other options, such as facial recognition, or secure PIN/password systems accessible with assistive technologies like voice commands or pointer devices.

 

"As a retiree with cognitive difficulty, two-factor authentication feels like a hurdle I can't easily clear. Manually typing in verification codes is frustrating and confusing. But when I sign in to Gmail on my desktop and just tap 'Yes' or 'No' on my phone, it’s simple and stress-free. I wish more services made logging in as easy as that!"

 

Challenge 5: Difficulty in Remembering Personal Text-Based Answers

Text-based personal questions rely on recall (rather than recognition) and transcription (rather than selection), making them difficult for users with memory or cognitive challenges.

 

Solutions

Picture Based Authentication

A better approach is picture-based authentication. Users upload a personal picture during account setup, and at login they select their picture from a set of options. Care must be taken to provide adequate security here, since a non-legitimate user presented with a choice might guess the correct personal content. Picture-based personal content will still be a barrier for some people, but text-based versions tend to be a much larger barrier.

 

"As someone with memory challenges, I always struggle to remember the answers to those text-based security questions when trying to recover my accounts. It’s frustrating! If I could upload a picture—something only I would recognize—it would make recovering my accounts so much easier and less stressful!"

 

In conclusion, I would like to highlight the importance of offering a range of alternative authentication methods to accommodate the diverse needs of users. Allowing people to choose the method that best suits their needs not only improves accessibility but also enhances security. While I have mentioned a few solutions here, there are certainly other approaches that could address the challenges discussed. Accessibility is more than just ticking checkboxes; it’s about going further to ensure an inclusive experience for everyone. I hope I have effectively conveyed my points, and I welcome any thoughts or feedback on this topic. Thank you for reading until the end.

 

 

  
