Removing accessibility barriers to secure authentication
By Geoff Schomburgk, Vice President for Asia Pacific & Japan, Yubico
Wednesday, 11 January, 2023
The World Health Organisation (WHO) estimates 15% of the world’s population, or over one billion people, live with some form of disability. Those who are considered more vulnerable can be more susceptible to being targeted by cybercriminals.
With the increased role that digital access plays in our lives, accessibility has become more important than ever. Memorising a username and password (or transcribing either manually) just isn’t practical or possible in some cases, nor is it a safe way for people to access their accounts.
With cybercrime increasing, secure authentication is extremely important, allowing private and secure access to online apps and services. Therefore, all organisations must ensure that everyone can easily and securely log in to the technology devices and services they regularly need without the risk of being compromised.
Accessibility laws
Legislation prohibits discrimination against people with disabilities (PwD) in many countries, which helps to ensure PwD fully and equally participate in every aspect of society. According to the FIDO (Fast Identity Online) Alliance’s recent white paper — Guidance for Making FIDO Deployments Accessible to Users with Disabilities — 52 of the 193 United Nations member states’ constitutions explicitly guarantee equality or nondiscrimination based on disability.
In Australia, the Disability Discrimination Act 1992 makes it unlawful to discriminate against a person because of their disability in many areas of public life, including employment, education, getting or using services, renting or buying a house or unit and accessing public places.
The W3C, an international community that develops open standards to ensure the long-term growth of the web, develops standards and support materials to help organisations understand and implement accessibility of digital services. W3C has developed an extensive set of accessibility guidelines to ensure PwD can easily access digital services, but certain security protocols provide secure, accessible authentication.
Unique accessibility aspects of FIDO authentication
Security codes delivered via text message or email can be compromised and they often require an advanced level of skill and knowledge for PwD using assistive technology to transfer the codes to a device.
FIDO simplifies this process and provides accessible authentication, as it supports a wide range of options that can accommodate the vastly diverse types of disabilities. When accessing FIDO Authentication for PwD, the following five disability types are defined:
- Visual: blindness, low vision, visual field loss, colour blindness and/or iris loss.
- Hearing: profound deafness, hearing muffled sounds, hearing with one ear and/or other sounds interfering with hearing.
- Physical: limb loss, digit loss, limited strength or weakness, limited reach, tremors or palsy, loss of fingerprints and/or loss of facial features.
- Speech: loss of speech, trouble speaking loudly enough and/or difficulty being understood.
- Cognitive and learning: difficulty reading (dyslexia), difficulty writing, memory loss, low literacy, low digital literacy and/or difficulty reasoning.
FIDO allows online services to offer passwordless and multi-factor security. The user registers their device to the online service by selecting a physical authentication mechanism, such as using a security key or passkey, swiping a finger, looking at the camera, speaking into the mic or entering a PIN.
Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device.
Deploying accessible authentication such as security keys
According to the FIDO Alliance’s report, people with visual impairments, hearing issues and speech problems, as well as those with cognitive and learning difficulties, are less likely to encounter barriers to secure FIDO authentication when using a security key, such as a YubiKey.
The FIDO Alliance white paper identified significant difficulties with alternative authentication methods such as drawing a pattern on a smartphone, typing a PIN and facial or speech recognition, as well as with those that impose time limits to enrol, register or authenticate, which PwD had multiple challenges completing in the timeframe specified.
However, a security key does not work for all PwD. The report states that in some cases, people with physical disabilities may not be able to insert a security key into a USB port and those who are visually impaired may not be able to tap a security key on a smartphone.
The recommendation
Organisations providing digital services and apps need to consider how they make their websites and other web resources accessible to PwD. One in five Australians has a disability and the proportion is growing.
The full and independent participation by PwD in online services and apps and web-based communication not only makes good business sense but is also consistent with our society’s obligations to remove discrimination and promote human rights.
It is, therefore, crucial when planning any new authentication deployments that organisations ensure that the authentication methods they employ are accessible to users with a wide range of disabilities. And FIDO enables accessible authentication and supports a wide range of options that can accommodate many different types of disabilities.