Articles March 8, 2024

Accessibility Considerations for Authentication Experiences

Authors
Matt Leahy, Gabriela Olivera

In the post-pandemic world, our growing digital presence has been accompanied by a rise in security breaches and data record compromises, making strong authentication experiences crucial. As technology continues to advance, safeguarding our digital identity, personal information, financial data, social data, and online presence from intrusive surveillance, malicious software, and other unauthorized access methods has become a top priority.

At the same time, businesses have become more attuned to the importance of accessibility in their products and digital experiences.

Digital accessibility ensures universal access to websites and applications for all users across the diverse spectrum of physical, sensory, and cognitive abilities. Failure to adequately address accessibility can put businesses at financial, legal, and reputational risk, as 26% of the potential customers in the U.S. have a disability of some kind (CDC, 2023). If the possible lost revenue isn't compelling enough, Forbes estimates that there will be 4,220 ADA website lawsuits filed by the end of 2023, increasing the potential for legal repercussions.

Unfortunately, accessibility and common authentication methods often don't align. Authentication typically involves the intentional creation of barriers and a specific type of response or input from the user, while accessibility is about removing barriers and giving users as much flexibility as possible. This article examines what sorts of issues users may encounter, how different authentication methods stack up, and how newer authentication patterns like biometrics and passkeys can help.

What Is Required for Legal Compliance?

Digital accessibility is generally measured against the Web Content Accessibility Guidelines (WCAG) published by the W3C. WCAG has three levels of conformance: A, AA, and AAA. Accessibility legislation typically requires AA conformance, so that is the level most businesses target (AA conformance includes every Level A criterion as well). Although WCAG doesn't address every accessibility concern, it contains two success criteria directly relevant to security and authentication that are worth considering; the first of them, Accessible Authentication, was added in WCAG 2.2.

WCAG Success Criterion 3.3.8 Accessible Authentication (Minimum)

This Level AA criterion states that a cognitive function test (such as remembering a password or solving a puzzle) must not be required for any step in an authentication process unless that step provides at least one of the following:

  • Alternative: another authentication method that does not rely on a cognitive function test.
  • Mechanism: a mechanism available to assist the user in completing the cognitive function test (for example, letting a password manager fill the field and allowing paste into it).
  • Object Recognition: the cognitive function test only asks the user to recognize objects.
  • Personal Content: the cognitive function test only asks the user to identify non-text content that the user themselves provided to the website.

SC 3.3.9 Accessible Authentication (Enhanced), a more stringent Level AAA criterion, goes a step further and removes the Object Recognition and Personal Content exceptions.

WCAG Success Criterion 2.2.1 Timing Adjustable

This Level A criterion deals with time limits imposed by a website or app. For any time limit that is not essential to the activity (and not part of a real-time event), the user must be able to turn it off, adjust it in advance to at least ten times the default, or extend it when warned before it expires (with at least 20 seconds to act and the ability to extend at least ten times), or the time limit must be longer than 20 hours. The related Level AAA criterion 2.2.3 No Timing requires that timing not be an essential part of any activity, with exceptions only for non-interactive synchronized media and real-time events.

General Accessibility Considerations

Let's examine the unique accessibility benefits and challenges of specific authentication methods. First, we should acknowledge the following considerations, which affect most, if not all, authentication schemes.

Neurodivergent Users

The term "neurodivergent" encompasses people with differences in learning, mood, attention, social skills, literacy, and numeracy. Conditions such as Attention Deficit Hyperactivity Disorder (ADHD), dyslexia, dyscalculia, Tourette's syndrome, dyspraxia, autism, and Asperger's syndrome are among the examples. It's estimated that at least 15% of the population is neurodivergent (Reciteme, 2023).

Many authentication methods require "context switching," such as jumping between devices or moving back and forth between the website and an email inbox. Context switching, with its potential for distraction and loss of focus, is inherently challenging for many neurodivergent users.

In addition, the types of tests often involved in authentication flows, such as transcribing a temporary PIN or solving a CAPTCHA, may present greater difficulties for users with conditions that affect reading, writing, and cognitive functioning.

Access to a Mobile Device

Many methods of authentication, particularly in multifactor authentication, require the user to own and have immediate access to a mobile device. For a variety of reasons, disabled users may be less likely to own a phone or to be able to reach it quickly when required.

Holistic Accessibility Matters

Simply put, the accessibility of any authentication experience depends on all of the tools, content, and functionality involved meeting accessibility standards and supporting assistive technology. Ultimately, it doesn't matter which method you choose to authenticate your users if your login screen or authenticator app still presents accessibility barriers.

Common Authentication Methods

There is a wide range of authentication methods in use today, and some present more accessibility challenges than others. We'll break down seven common patterns in this section, starting with the more traditional and commonplace methods and working towards more modern features that can reduce barriers for many users.

Passwords

[Image: a person typing their login information on a computer]

The most traditional and common authentication method is entering a custom password previously chosen by the user.

• Passwords can be difficult to remember, particularly for users with learning or cognitive disabilities.
• Additionally, as password requirements become more involved and passwords grow longer and more complex, accurately entering a password can prove challenging for many users, such as those with limited mobility, reduced fine motor control, or reading disabilities like dyslexia.
• That said, there are commonly available tools that help users here, such as password managers that store and auto-populate a password; a login form should not block paste or autofill, since that removes the assistance WCAG 3.3.8 counts on.

Temporary Passwords and PINs

[Image: a form from a multifactor authentication flow asking the user to enter a six-digit PIN that was sent by email]

Temporary passwords or PINs present many of the same memory and transcription challenges as custom passwords, but without the help of supporting tools like password managers.

• In many cases, users must also switch devices to locate and then enter the temporary password or PIN, a context switch that can be difficult for many neurodivergent users.
• Finally, these codes usually carry a time limit, which further increases the difficulty and the likelihood of error.

Magic Links

[Image: the email Medium.com sends to users who request to log in with an email link]

A one-time-use email link (or "magic link") can serve much the same purpose as a temporary password or PIN, confirming during account setup that the user controls the email address (or, when sent by SMS, the phone number), or it can be the primary way to log in.

• Compared to temporary passwords or PINs, magic links have a much lower interaction cost for the user, and therefore fewer potential accessibility issues: nothing has to be transcribed.
• These links usually expire after a short time, which can still present a barrier if the window is too short.

CAPTCHAs

[Image: an "I'm not a robot" pop-up test]

CAPTCHAs are often used in authentication flows to check that the user is human and to deter automated attacks.

• They require the user to complete a brief test, such as transcribing the letters shown in an image or selecting every image containing a particular type of object.
• Many CAPTCHA solutions also offer an audio alternative for blind or low-vision users, which asks them to transcribe numbers or words from a recording.
• Unfortunately, neither variety is accessible to deafblind users. CAPTCHAs can also present barriers for neurodivergent users who may interpret the challenge differently than intended or struggle to complete it correctly. Under WCAG 3.3.8 a CAPTCHA is a cognitive function test, so a login step that uses one needs an alternative method or must fit one of the exceptions listed above.

QR Codes

[Image: a screen from WordPress.com's authentication setup flow asking the user to scan a QR code with the authenticator app on their mobile device]

QR codes appear in multifactor authentication schemes, usually to enrol an authenticator app on the user's device or to approve a login from it.

• They are appealing to many users because they do not require transcribing a password or passing a test.
• Nevertheless, QR codes can be difficult to locate and scan for blind or low-vision users, though some screen readers have features to assist with this.
• Users with tremors, reduced fine motor control, or other physical disabilities may also struggle to hold a camera steady enough to scan a code.

Biometrics

[Image: hands holding an iPhone; a person using a fingerprint to unlock their phone]

Biometrics, such as facial or fingerprint recognition, generally impose a low cognitive load and minimal interaction, which makes them helpful to many disabled users. With platform biometrics like Face ID, the biometric itself stays on the device and only unlocks a locally stored credential, so the service never receives or stores face or fingerprint data.

• However, biometrics are still not a silver bullet for all users.
• For example, those with mobility impairments may struggle to position their body and/or device to scan their face or fingerprint, and users with visual disabilities may find it difficult to set up and use mechanisms like Face ID.

Physical Security Tokens

[Image: a hand inserting a flash drive into a computer]

Physical security tokens, such as a USB key the user plugs into their computer, also typically require minimal additional input (usually a touch of the key, sometimes a PIN as well) and can alleviate many of the concerns involved with more traditional methods like passwords. However, they can easily be lost or misplaced, which may be a greater concern for many neurodivergent users, so users should be able to enrol a backup token or another method rather than being locked out.

The Complicating Factor of Multifactor Authentication

Many websites and apps combine two or more of these methods into a login procedure known as multifactor authentication (MFA). Probably the most common example is requiring the user to enter their password and then a verification code sent by email or SMS. Alternatively, the user may be asked to approve the login in an authenticator app (which itself often requires biometric authentication before it can be opened).

As outlined above, every authentication method can present barriers for some population of users, so combining several of them increases the likelihood that a user will hit a significant barrier. Further complicating matters, many MFA schemes also impose a time limit: the verification code sent to the user's email is probably only valid for a short period, perhaps five minutes. Disabled users may need more time to read and interpret the instructions, navigate to the email client or app, and perform the necessary action. If they can't complete all of these steps in time, they have to restart the process and may enter a confusing, frustrating, and repetitive loop.

An additional consideration is that MFA almost always requires context switching, jumping from the primary website or app to an email inbox, text message, or authenticator app. As discussed above, context switching can be difficult for neurodivergent users who are more susceptible to distraction or loss of focus.

One of the simplest remedies is to give users options and let them choose the setup that works best for them. If transcribing a verification code is difficult for a particular user, scanning a QR code or approving the login in an authenticator app may be a far more usable alternative.

What About Passkeys?

Passkeys provide a faster, more secure, and more user-friendly way to sign in to websites and apps across devices. CapTech has published an article that explains in detail how passkeys work; in short, they are passwordless experiences that remove the need to create, guard, or remember a custom account password.

While a lot happens behind the scenes, the mechanics for the user are simple. The user unlocks their device as they always do, with biometrics or a PIN for example, and that unlock authorizes the device to sign a one-time challenge from the website or app with a private key that never leaves the device. The website checks the signature against the public key it stored when the passkey was created, and the user is logged in. Because the key pair is bound to the site it was created for, a lookalike phishing site has nothing to ask for, and because the server holds only public keys, a breach of its database does not expose reusable credentials. The accessibility benefits are numerous. Removing the need to retrieve and transcribe a custom password, and replacing it with biometric authentication in most cases, is significant for all of the reasons documented in this article.

[Animation: a user visiting a website login page on a laptop, initiating their passkey, and authenticating with biometrics on their phone to activate the passkey]

However, what is even more impactful is that the user does not have to learn and adapt to the unique authentication requirements of each website or app. Rather, they simply unlock their personal device using the mechanism they previously configured and use every day. This gives users the control and flexibility to interact in the way most comfortable and familiar to them, a central tenet of accessibility.

Passkeys are still a new technology that will take time for businesses and users to adopt, but they represent a promising evolution towards more streamlined and accessible authentication patterns.

How to Make Your Authentication Experience More Accessible

Accessibility is complex and nuanced. Authentication is particularly challenging for many disabled users, and there is no comprehensive solution guaranteed to meet every user's unique needs. That said, we can make progress and improve access for many by considering the following recommendations:

• Explore Modern Authentication Methods – In general, newer authentication capabilities, such as biometrics and passkeys, reduce the effort and cognitive load required of users. Where possible, avoid methods that require memorization, transcription, or cognitive function tests.
• Provide Options – Any authentication method can present difficulties for certain users. Offer a variety of options so users can select the method that works best for them, and provide consistent, easy access to support.
• Minimize Barriers – Evaluate whether measures like conditional access rules and single sign-on can streamline the process and reduce how often you have to ask users to authenticate.
• Evaluate and Improve – Regularly solicit feedback from users and evaluate your user experience against WCAG to identify areas of exclusion. Work towards incremental improvements, involving users in the process.