COGA (accessibility for people with cognitive disabilities) Issue Paper: Web Security Technologies
Description of the Technology
Most user interfaces are designed to help users complete tasks. However, web security technologies intentionally introduce barriers to task completion. They require users to perceive more and to do more to complete tasks. Two examples of such web security technologies are CAPTCHA and Two-Factor Authentication.
CAPTCHA is a website widget that prevents automated programs from submitting a web form intended for humans by requiring humans to pass a test. Such tests:
- present distorted text visually and/or aurally;
- require users to enter that text into a field; and
- require users to invoke a submit button.
Two-factor authentication requires a two-stage process to verify the identity of a user. The user is required to present two of the following three factors:
- knowledge, e.g., password or PIN;
- possession, e.g., mobile device or credit card;
- inherence, e.g., fingerprint or voice print (via biometric device).
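The possession factor is most often checked with a time-based one-time password (TOTP, RFC 6238) generated by the user's device. The block below is an added example written for this paper, not code from the paper or from any W3C project: it implements the TOTP check on the server side with a configurable tolerance window of adjacent 30-second steps, so that a user who needs longer to read and type the code is not rejected simply for being slow. The secret and field names are assumptions; the secret used for the test is the published RFC 6238 test-vector secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP parameters (hypothetical service settings; RFC 6238 defaults).
const (
	totpStep   = 30 // seconds per time step
	totpDigits = 6
)

// rfcTestSecret is the shared secret from the RFC 6238 test vectors
// (ASCII "12345678901234567890"). A real deployment uses a per-user random secret.
var rfcTestSecret = []byte("12345678901234567890")

// hotp computes an HOTP value (RFC 4226) for the given counter using HMAC-SHA1
// and the RFC's dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := 1
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code) % mod
}

// totpAt returns the TOTP value valid at the given Unix time.
func totpAt(secret []byte, unixTime int64) int {
	return hotp(secret, uint64(unixTime/totpStep), totpDigits)
}

// VerifyTOTP accepts a user-entered code if it matches the current time step
// or any step within `skew` steps on either side. A wider window gives users
// who need extra time a fair chance to finish; the server should still
// rate-limit attempts and refuse to accept the same code twice.
func VerifyTOTP(secret []byte, code int, unixTime int64, skew int) bool {
	step := unixTime / totpStep
	for d := -int64(skew); d <= int64(skew); d++ {
		if hotp(secret, uint64(step+d), totpDigits) == code {
			return true
		}
	}
	return false
}

func main() {
	now := time.Now().Unix()
	fmt.Printf("code valid now: %06d\n", totpAt(rfcTestSecret, now))
	// A code generated one step ago is still accepted with skew=1.
	fmt.Println("accepted after 30s delay:", VerifyTOTP(rfcTestSecret, totpAt(rfcTestSecret, now-30), now, 1))
}
```

The tolerance window is a deliberate trade-off: each extra step accepted slightly raises the number of codes a guess could match, which is why the window belongs alongside attempt rate-limiting rather than in place of it.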
Challenges for People with Cognitive Disabilities
Web security technologies often block people with cognitive and/or physical disabilities who may not be able to:
- discern text they are required to enter and submit;
- recall text or instructions they have seen or heard;
- follow multi-step procedures.
The scope of the problem is vast because, for example, people with disabilities are prevented from purchasing goods and registering for services on the millions of websites that employ web security technologies.
Effect of memory impairments
Many people with cognitive disabilities:
- may have to look at or listen to text several times to copy or type it into a form field;
- may not recall steps needed to complete a procedure if an authentication session expires.
Some people with cognitive disabilities:
- may not be able to recall required text, such as a password or a PIN, or remember how to retrieve it;
- may not become accustomed to a web security technology because there are multiple versions of it.
Effect of impaired executive function
Many people with cognitive disabilities may not:
- complete a multi-step procedure for submitting text, such as a password;
- complete a timed procedure due to slowness in completing all steps;
- complete a procedure even if provided multiple opportunities to do so;
- enter characters in the correct order.
Some people with cognitive disabilities:
- may not be able to retrieve required text, such as a password or a PIN;
- may not be able to determine the purpose of a web security technology sufficiently, or at all.
Effect of attention-related limitations
People with cognitive disabilities may not focus due to:
- frustration with time-limited procedures or presentations of digital security tokens;
- irrelevant instructions, such as CAPTCHA's "stop spam" and "read books";
- presentation of multiple options, such as CAPTCHA's "Refresh", "Listen", and "Help".
Effect of impaired language-related functions
Some people with cognitive disabilities:
- may have comprehension problems exacerbated by text or instructions presented in a non-native language.
Effect of impaired literacy-related functions
Some people with cognitive disabilities:
- may not comprehend the meaning of words or instructions.
Effect of perception-processing limitations
Many people with cognitive disabilities may not:
- read text at all because of the intentional distortion of it, a technique used by CAPTCHA;
- comprehend text that can't be enlarged without additional distortion;
- understand text spoken in a computerized and distorted voice;
- recognize characters if they do not form words, or are shown in different fonts/styles.
Some people with cognitive disabilities:
- may not understand the purpose of buttons such as CAPTCHA's "reset", "listen", and "help";
- may not recognize that functional elements, such as CAPTCHA's buttons, are clickable.
Effect of reduced knowledge
Some people with cognitive disabilities:
- may not recognize images, such as symbols or icons, common among web security technologies;
- may not comprehend the meaning of rich media designed to be instructive.
Proposed Solutions
W3C Recommended Guidelines
- Provide text alternatives that identify and describe the purpose of the non-text content.
- Turn off or adjust time limits, including allowing continuation of activity without reauthentication.
- Help users avoid and correct mistakes.
Ease-of-Use Ideas
- Allow alternative authentication factors, such as:
- location (e.g., user's home or place of employment);
- presence of a trusted family member or friend, who is detected, for example, by a wearable biometric device or by a mobile device.
- Develop and use common sets of vocabulary and iconography across web security technologies.
Alternative Web Security Technologies
- Security tokens, some of which are hardware devices, can be used to make authentication easier. Security tokens are used instead of, or in addition to, other forms of authentication such as passwords. Security-token hardware devices:
- include key fobs, rings, or small keypads;
- can store and/or generate a digital signature, a PIN, or biometric data;
- can transmit such data via a USB connector, RFID, Bluetooth wireless, or NFC.
- Keygen, an element of HTML5, can be used to simplify re-authentication. After a user has completed authentication using keygen, the user will be automatically authenticated for subsequent uses of a web site or service. Thus, there will be no need for a user to re-enter authentication information.
- Keygen establishes a private-key and a public-key pair.
- The keygen tag designates a key-pair field in an authentication form.
- Upon form submission:
- a private key is encrypted and saved locally; and
- a public key is signed with the private key, and is sent to the server.
- In subsequent authentication sessions, the server will either automatically retrieve the private key, or prompt the user to select it.
- See W3C HTML5 Recommendation 4.10.12 The keygen element.
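The re-authentication idea behind keygen is that a private key held on the user's device answers a server challenge, so the user is never asked to recall or type anything. The block below is an added example written for this paper, not code from the paper, the HTML specification or any browser: it runs that exchange end to end with Ed25519 keys (enrolment, challenge, signed response, verification), using an in-memory store and account names that are constructed for the example. It illustrates the concept rather than keygen's own wire format; the keygen element itself has since been removed from the HTML specification and from current browsers, and the same pattern now lives in standards such as WebAuthn.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps only public keys, indexed by account (constructed in-memory store).
// It never sees the private key.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per account
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the public key the client sent at enrolment
// (the step the keygen form submission performed).
func (s *Server) Register(account string, pub ed25519.PublicKey) {
	s.pubKeys[account] = pub
}

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge(account string) ([]byte, error) {
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[account] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding challenge and consumes
// the challenge, so a captured response cannot be presented a second time.
func (s *Server) Verify(account string, sig []byte) bool {
	nonce, havePending := s.pending[account]
	pub, haveKey := s.pubKeys[account]
	delete(s.pending, account)
	if !havePending || !haveKey || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// Client holds the private key locally; the user is never asked for it.
type Client struct {
	priv ed25519.PrivateKey
}

// NewClient generates the key pair and returns the public half for enrolment.
func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Respond signs the server's challenge: no typing and no recall required.
func (c *Client) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.priv, nonce)
}

// Reauthenticate runs one complete exchange and reports the server's decision.
func Reauthenticate(s *Server, c *Client, account string) (bool, error) {
	nonce, err := s.Challenge(account)
	if err != nil {
		return false, err
	}
	return s.Verify(account, c.Respond(nonce)), nil
}

func main() {
	srv := NewServer()
	cli, pub, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub) // enrolment, once
	ok, err := Reauthenticate(srv, cli, "alice")
	fmt.Println("accepted:", ok, "err:", err)
}
```

Two properties carry the accessibility benefit without weakening security: the user's only action is to be present with the enrolled device, and every challenge is single-use, so the convenience does not turn a recorded response into a reusable credential.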
Spam-free accessible forms, WebAIM, Utah State University, March, 2007.
CAPTCHA Alternatives
Note: The honeypot-field solution will not work for popular websites because spammers will likely expend the effort to defeat it.
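A honeypot field is a decoy input that humans never see or reach while automated form fillers populate it along with everything else. The block below is an added example written for this paper, not code from the paper or from WebAIM: it classifies form submissions server-side, treating a filled decoy as automated and a missing required field as a human error to be corrected rather than as spam. The field names and the sample request bodies are constructed for the example. The note above still applies: this is a low-cost filter, not a defence that holds once a site is worth targeting.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// HoneypotField is the name of the decoy input (hypothetical). In the HTML it
// must be hidden from everyone: CSS display:none, tabindex="-1",
// aria-hidden="true" and autocomplete="off", so that screen-reader users and
// browser autofill do not populate it and get wrongly classified as bots.
const HoneypotField = "website_url"

// Required lists the real fields a human must complete (hypothetical form).
var Required = []string{"name", "email", "message"}

// ClassifySubmission returns "honeypot", "incomplete" or "accept".
// The decoy is checked first: a filled decoy means automation regardless of
// what else was submitted. An empty required field is reported separately so
// the form can show the user which field to fix.
func ClassifySubmission(form url.Values) string {
	if strings.TrimSpace(form.Get(HoneypotField)) != "" {
		return "honeypot"
	}
	for _, f := range Required {
		if strings.TrimSpace(form.Get(f)) == "" {
			return "incomplete"
		}
	}
	return "accept"
}

// ClassifyBody parses an application/x-www-form-urlencoded request body and
// classifies it; malformed encoding is returned as an error, not silently accepted.
func ClassifyBody(body string) (string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	return ClassifySubmission(form), nil
}

func main() {
	// Constructed sample bodies: a human, a form filler, and a human who skipped a field.
	samples := []string{
		"name=Ana&email=ana%40example.org&message=Hello",
		"name=Ana&email=ana%40example.org&message=Hello&website_url=http%3A%2F%2Fspam.example",
		"name=Ana&email=&message=Hi",
	}
	for _, s := range samples {
		verdict, err := ClassifyBody(s)
		fmt.Printf("%-11s %v\n", verdict, err)
	}
}
```

Keeping the "incomplete" verdict distinct from "honeypot" matters for the W3C guideline on helping users avoid and correct mistakes: a person who missed a field should get a specific, correctable error, while a tripped decoy can be dropped quietly.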