Logging into certain online services often requires two or multifactor authentication. Many sites or applications no longer consider an email address and password sufficient for security reasons. Just as the UK Gov National Security Centre (August 6th 2021) describe the logic behind three random words as being GCHQ’s preferred method for creating passwords, there remain a long list of what might happen next when we login online.
The problem is that authentication is a process involving the recognition and verification of a user’s identity and it is the verification that adds the complexity to the process. There is usually what the Web Content Accessibility Guidelines (WCAG) describe as a “Cognitive function test”. This means that the task “requires the user to remember, manipulate, or transcribe information.(WCAG 2.2)
People with physical, sensory, cognitive and learning disabilities may need more support and time to complete an authentication task. They may be using assistive technologies, such as screen readers and text to speech apps or keyboard alternatives. Memory and concentration issues as well as distractions can cause problems along with poor instructions or error messaging. There is a new WCAG 2.2 “Success Criterion 3.3.7 Accessible Authentication that will be a Level AA guideline, but alongside the proposed understanding there remain concerns about security issues and accessibility options
“For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.”
Several experts in the accessibility world have discussed these matters in more detail. Dr John Rochford in his ClearHelper blog offers some ‘Challenges & Solutions‘ for those with cognitive impairments and Dr Abi James warned the WCAG Coga task force that ‘Strong Customer Authentication in the UK‘ is now in place with more security tasks for onine payments and thanks to the “Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2” it is possible to see what might be involved:
“Knowledge: Something a person knows
- Password
- PIN
- Knowledge-based challenge questions
- Passphrase
- Memorised swiping path
Possession: Something a person has
- Possession of a device evidenced by one time password (OTP) generated by, or received on a device
- Possession of a device evidenced by a signature generated by a device
- Card or device evidenced by QR code scanned from an external device
- App or browser with possession evidenced by device binding
- Card evidenced by a card reader
- Card with possession evidenced by a dynamic card security code
Inherence: Something about the person e.g. biometrics
- Fingerprint scanning
- Voice recognition
- Hand & face geometry
- Retina & iris scanning
- Keystroke dynamics
- Angle at which device is held”
The challenge is to map the processes that link to the skills of users and allow for personal preferences to be enabled when accessing sites and services. WCAG has begun the task by providing pass and fail examples and this one is an adaptation for a student situation:
- One Time Passcode (OTP)
Pass: Student is sent an OTP passcode to their device which can be pasted into the input field
Failure: Student must generate an OTP passcode on a device in their possession and transcribe it into the payment system which could be on a separate device.
However, any set of criteria that are developed for accessibility will need to be mapped across all the authentication options and will depend on abilities, digital skills, as well the technologies in use including assistive technologies. In the case of the NLive project with the NRemote player for online learning and the presentation of multimedia content (such as video and audio for lecture capture) security, privacy as well as IP need to be considered so we will be mapping the authentication types against the considerations mentioned above!