
Accessible Authentication


Authentication is the process of verifying a person's or system's identity. It's similar to showing your passport at customs. Authentication helps to ensure that only authorized individuals or systems can access restricted resources. Those resources may include websites or online services, computer systems, and / or online financial institutions.

Authentication is a vital safeguard for everything from personal accounts to critical infrastructure.

Accessible authentication is even more vital. According to the World Health Organization, "An estimated 1.3 billion people—or 16% of the global population—experience a significant disability today." Every one of those people should be able to authenticate and be granted access as quickly and easily as possible, regardless of their disability.

Types of Authentication and the Barriers They Present

Multi-factor Authentication

Multi-factor Authentication (MFA) requires two or more ways to verify a person's identity. For example, many financial institutions ask you to key in your mobile number. They then send a code to your mobile device, and you must transcribe that code into the site to receive access.

Sample of a two-factor MFA screen: a web form that reads "Enter the 6-digit code. A verification code has been sent to 777-555-5555", with an input field whose placeholder text reads "Enter code".

Because access is granted only when the user successfully transcribes the code, this type of MFA counts as a cognitive function test. On its own, it will not pass SC 3.3.8: Accessible Authentication (Minimum) (Level AA), which the W3C summarizes as, "Don't make people solve, recall, or transcribe something to log in." The criterion permits a cognitive function test only when an exception applies, such as an alternative authentication method that does not rely on one, or a mechanism that helps the user complete it.

The World Wide Web Consortium (W3C) considers cognitive function tests "tasks that require the user to remember, manipulate, or transcribe information." These tasks include memorizing site-specific username/password combinations, performing calculations, or solving a puzzle. 

People with certain cognitive impairments cannot reliably transcribe a series of numbers from one device to another.

Offering an alternative MFA, such as biometrics (facial recognition or fingerprints), can remove that barrier and allow people access. 

In addition, two mechanisms can make one-time passcode MFAs more accessible. Those are: 

  • support for password entry by password management application to reduce memory need, and

  • copy and paste to reduce the cognitive burden of re-typing

The same two mechanisms apply to our next authentication type, which is password-based.

Password-based Authentication

Password-based authentication is one of the most commonly used methods for granting access to online resources. However, remembering and entering passwords can be challenging for many users, especially those with neurocognitive limitations and mobility issues. Difficulty recalling site-specific passwords and the inability to fill in password fields easily can create significant barriers. Additionally, strict password requirements, such as symbols, numbers, and capitalization, can further hinder accessibility for individuals with specific disabilities.

To ensure this authentication method is accessible, use proper markup: a visible, programmatically associated label for every input field (placeholder text is not a label), clearly indicated required fields, simple, easy-to-read instructions, and the expected input format (dates, birthdays, etc.) - all the accessibility best practices you would use for any web form.

In addition, do not block user agents from filling in the fields automatically, whether the user pastes a value or a third-party password manager application fills it in. In practice, that means no autocomplete="off" on login fields and no script that cancels paste events.

According to the W3C's Understanding document for SC 3.3.8, "Generally, if the login form meets Success Criterion 1.3.5 Input Purpose, and the form controls have an appropriate accessible name per Success Criterion 4.1.2 Name, Role, Value, the user agent should be able to reliably recognize the fields and automatically fill them in." Concretely, that is a label for each field plus the matching autocomplete token on the input (username, current-password, or one-time-code for an MFA code field).
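The checks above, for both the one-time-code mechanisms (password-manager entry and copy/paste) and the password-form markup, can be scripted. The following is an added example, not code from the original post or from DubBot: it scans login-form markup for a label (or ARIA name) on every field, an autocomplete token the user agent or password manager can act on, and any attribute that switches autofill off or cancels paste. The regex-based tag scan and the set of accepted tokens are assumptions of this example, not a general HTML parser, and the two sample forms are constructed for illustration.

```javascript
// Added example (not from the original post): audit login-form markup for the
// practices above. The tag/attribute parsing is a minimal regex scan, an
// assumption of this example rather than a general HTML parser.

// Autocomplete tokens relevant to a login form (SC 1.3.5 input purposes).
const LOGIN_PURPOSE_TOKENS = new Set([
  "username", "current-password", "new-password", "one-time-code", "email", "tel",
]);

// Turn the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return a list of {field, issue} findings; an empty list means the form
// passed every check this script knows about.
function auditLoginForm(html) {
  const findings = [];

  // Form-level attributes that disable autofill or paste for every field.
  for (const m of html.matchAll(/<form\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    if ((a.autocomplete || "").trim().toLowerCase() === "off") {
      findings.push({ field: "(form)", issue: "autocomplete off" });
    }
    if ("onpaste" in a) findings.push({ field: "(form)", issue: "inline paste/copy handler" });
  }

  // Ids that have a <label for="..."> pointing at them.
  const labelledIds = new Set();
  for (const m of html.matchAll(/<label\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    if (a["for"]) labelledIds.add(a["for"]);
  }

  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    const type = (a.type || "text").toLowerCase();
    if (type === "hidden" || type === "submit" || type === "button") continue;
    const field = a.name || a.id || "(unnamed)";

    // Accessible name: an associated <label>, aria-label or aria-labelledby.
    const hasName = (a.id && labelledIds.has(a.id)) || "aria-label" in a || "aria-labelledby" in a;
    if (!hasName) {
      findings.push({ field, issue: ("placeholder" in a) ? "placeholder used as the only label" : "no accessible name" });
    }

    // The last autocomplete token is the field purpose ("section-x username" -> "username").
    const tokens = (a.autocomplete || "").trim().toLowerCase().split(/\s+/).filter(Boolean);
    const purpose = tokens[tokens.length - 1] || "";
    if (purpose === "off") findings.push({ field, issue: "autocomplete off" });
    else if (!LOGIN_PURPOSE_TOKENS.has(purpose)) findings.push({ field, issue: "no input-purpose autocomplete token" });

    // Inline handlers are the usual way sites cancel paste into password fields.
    if ("onpaste" in a || "oncopy" in a) findings.push({ field, issue: "inline paste/copy handler" });
  }
  return findings;
}

// Constructed sample (not a real site): the "before" form, which blocks password
// managers and paste and labels fields only with placeholder text.
const BLOCKED_FORM = `
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user" placeholder="Username">
  <input type="password" name="pass" placeholder="Password" onpaste="return false">
  <input type="text" name="otp" placeholder="Enter code">
  <input type="submit" value="Sign in">
</form>`;

// Constructed sample: the same form with visible labels, purpose tokens the user
// agent can act on, and nothing that blocks autofill or paste.
const ACCESSIBLE_FORM = `
<form action="/login" method="post">
  <label for="user">Username</label>
  <input type="text" id="user" name="user" autocomplete="username" required>
  <label for="pass">Password</label>
  <input type="password" id="pass" name="pass" autocomplete="current-password" required>
  <label for="otp">Enter the 6-digit code sent to your phone</label>
  <input type="text" id="otp" name="otp" inputmode="numeric" pattern="[0-9]{6}" autocomplete="one-time-code" required>
  <input type="submit" value="Sign in">
</form>`;

console.log("blocked form:", auditLoginForm(BLOCKED_FORM));       // 8 findings
console.log("accessible form:", auditLoginForm(ACCESSIBLE_FORM)); // []
```

Run it with node; the "before" form produces eight findings (the form-level autocomplete="off", three placeholder-only labels, three missing purpose tokens, and the onpaste handler), while the corrected form produces none.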

CAPTCHA Authentication

CAPTCHAs are designed as a security measure to distinguish human users from automated bots.

Because most CAPTCHAs are visual, they can pose extreme barriers to people with visual impairments, color blindness, and screen reader users, as well as people with specific cognitive challenges.

For example, the CAPTCHA challenge below has several different background colors, and each letter is drawn in several shades of yellow. Depending on which shade of yellow sits over which background color, one part of a letter may have adequate contrast while another part of the same letter does not. Plus, the letters are squiggly and misshapen, making them difficult to discern for someone with one of the various forms of dyslexia.

A CAPTCHA sample: the background is a mixture of red, yellow, green and black in a swirl pattern, with the letters Y A B G in varying shades of yellow.

You can improve CAPTCHA challenges by doing a few simple things:

  • ALT Text: For image-based CAPTCHA, use ALT text that informs the user of its purpose and / or informs the user of an alternative CAPTCHA.

  • Audio alternative: To assist visually impaired users, offer an audio version of the CAPTCHA challenge alongside the image. Be sure to produce high-quality sound with no background noise.

  • Contrast: Visual components of CAPTCHAs, or of any alternative authentication method, should comply with the WCAG color contrast requirements. Do not use more than two colors, one for the background and one for the letters in the foreground, and check the pair's contrast ratio before shipping.
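Whether a foreground/background pair meets the WCAG contrast requirement is a calculation, so it can be checked rather than eyeballed. The following is an added example, not code from the original post: it implements the WCAG 2 relative-luminance and contrast-ratio formulas and checks one letter color against every background color it can land on, as in the swirl CAPTCHA described above. The thresholds (4.5:1 for text under SC 1.4.3, 3:1 for non-text elements under SC 1.4.11, both Level AA) are the WCAG 2.x values; the specific hex colors are constructed for illustration and are an assumption, not measurements of the pictured CAPTCHA.

```javascript
// Added example (not from the original post): WCAG 2 contrast-ratio check for
// CAPTCHA or other visual authentication elements.

// sRGB channel (0-255) to linear light, per the WCAG relative-luminance definition.
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

// "#rrggbb" -> relative luminance L in [0, 1].
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`expected #rrggbb, got ${hex}`);
  const n = parseInt(m[1], 16);
  const r = channelToLinear((n >> 16) & 0xff);
  const g = channelToLinear((n >> 8) & 0xff);
  const b = channelToLinear(n & 0xff);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter color as L1; ranges 1:1 to 21:1.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// Check one foreground against every background it can appear over. A letter
// that crosses several background colors fails if any one of them is under
// the threshold, which is exactly the problem with the swirl CAPTCHA above.
function checkAgainstBackgrounds(fg, backgrounds, threshold = 4.5) {
  return backgrounds.map((bg) => {
    const ratio = contrastRatio(fg, bg);
    return { bg, ratio: Math.round(ratio * 100) / 100, passes: ratio >= threshold };
  });
}

// Constructed sample (an assumption, not measured from the image): pure yellow
// letters over a swirl of red, yellow, green and black.
const LETTER_YELLOW = "#FFFF00";
const SWIRL_BACKGROUNDS = ["#FF0000", "#FFFF00", "#00FF00", "#000000"];

console.log(checkAgainstBackgrounds(LETTER_YELLOW, SWIRL_BACKGROUNDS));
// Only the black region passes (about 19.56:1); red is about 3.72:1, green
// about 1.28:1 and yellow-on-yellow 1:1, so the letters fail as a whole.
```

Use `threshold = 3` for the non-text variant (SC 1.4.11) when the element being checked is a control boundary or an icon rather than text.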

For more information on different types of CAPTCHAs and how to make them more accessible, see the blog post titled CAPTCHA: A Digital Puzzle and Accessibility Challenge.

Wherever possible, provide alternative authentication options. If an alternative authentication method is provided, it must also pass SC 3.3.8: Accessible Authentication (Minimum) (Level AA) to be a conformant alternative.

Third-party protocols can help improve accessibility. They can provide an alternative to password-based authentication to accommodate some people with disabilities. Here are some examples:

  • Web Authentication (WebAuthn)
    "WebAuthn (Web Authentication) is an API specification by W3C that facilitates a secure way for users to log in to online services and websites using various authentication methods, such as biometrics (e.g., fingerprint or facial recognition) and hardware-based authenticators (e.g., USB or NFC tokens)." ~ WebAuthn - A Short Introduction  

    Because the user does not have to recall or transcribe anything, a WebAuthn login is a conformant alternative under SC 3.3.8: Accessible Authentication (Minimum), provided your site doesn't enforce a particular modality. A user who cannot provide a fingerprint, for example, must still be able to use a security key or a platform PIN instead.

  • Third-party Authorization and Authentication Protocols
    "Open authorization (OAuth) is an open-standard authorization framework that grants applications access to an end user’s protected resources—such as their photos, calendars, or social media posts—without requiring the login or password to the user’s account." ~ What is open authorization (OAuth)? For instance, users can log in with their Google, Twitter, Microsoft, or Facebook accounts. 

Note that OAuth is an authorization protocol, not an authentication protocol (see Authentication vs. Authorization). An OAuth access token proves that an application may act on the user's resources, not who the user is. Therefore, your website would rely on a third-party identity provider speaking OpenID Connect (OIDC), an authentication layer built on top of OAuth 2.0, to authenticate the user; "Sign in with Google" and similar buttons work this way.

While these options aren't mandatory, they can be convenient for some users. But remember, some users won't have an account with any of these identity providers, and some won't want to log in with their Facebook or Google accounts.

Whatever type of authentication you or your organization choose to implement, compatibility with assistive technologies, such as screen readers, screen magnifiers, and keyboard-only navigation, is a must. This ensures all individuals can use your authentication systems effectively and access the resources they want and need.

Maggie Vaughan, CPACC
Content Marketing Practitioner
DubBot