Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Design Tips to Help Users with Visual Disabilities Stay Safe Online
1. Design Tips to
Help Users with
Visual Disabilities
Stay Safe Online
Daniela Napoli
daniela.napoli@carleton.ca
2. Today we’ll explore
1. Usable Security and how it can help
improve Accessibility
2. Obstacles users with visual
disabilities face when completing
sensitive tasks online
3. Design heuristics to help create
and evaluate accessible and usable
security information
daniela.napoli@carleton.ca 2
6. daniela.napoli@carleton.ca
Participants with
Visual Disabilities
Varied Apparatuses Security Tasks
• 14 recruited through
CNIB Toronto and
CCB Ottawa
• 7 blind
• 7 partially sighted
• Windows 10 or iPad
• JAWS, VoiceOver, ZoomText
• Internet Explorer, Safari,
or Chrome
• Gmail, Amazon, and CCNIB
• Verify site is legitimate
• Login or find a page
• Site-specific transaction
6
7. • 12 on Windows
desktop
• 2 on Apple iPad
• JAWS, ZoomText, or
nothing
• Majority used
Internet Explorer
(because most
compatible)
daniela.napoli@carleton.ca 7
9. Checking if a site is legitimate
JAWS read-out
made it harder to
detect spoof sites
Real: http://www.cnib.ca
Spoofed: http://www.ccnib.ca
JAWS: “H-T-T-P colon slash
slash dot cuh-nib dot cah.”
daniela.napoli@carleton.ca 9
10. Checking if a site is legitimate
“I know that there's a green
lock icon to tell me that a site is
safe, but I can't see it.”
daniela.napoli@carleton.ca 10
11. Checking if a site is legitimate
daniela.napoli@carleton.ca 11
12. Logging into accounts
No feedback to say
login was successful
Fail first attempt to login (6/14)
Confirmation through content
change (6/14)
Confirmation through lack of
error (5/14)
daniela.napoli@carleton.ca 12
13. Logging into accounts
"You never know your
password is correct before you
login.”
daniela.napoli@carleton.ca 13
14. Logging into accounts
Security errors buried
under page content
"The screen reader won't say
wrong password right away.
Sometimes you will have to
arrow around and see if it was
wrong."
daniela.napoli@carleton.ca 14
15. Online purchases
"It's telling me that there's a
problem. It's been marked.
Probably with a red something,
but let's see if VoiceOver will
tell me that.”
daniela.napoli@carleton.ca 15
19. Accessibility over security
Inaccessible antivirus
software
“ [anti-virus software doesn’t]
say what is actually wrong.
JAWS doesn’t read it either.
You have to get someone else
to read it.
Or, you have to click quarantine
not knowing what programs are
actually protected."
daniela.napoli@carleton.ca 19
21. “…I feel like a lamb to the slaughter.”
“…You don’t know if something is important or if you can get by
without it. It’s knowing what to do that’s hard.”
“…but someone who is actually blind knows the risk… I have to
be safe and smarter about it.”
daniela.napoli@carleton.ca 21
22. What can UX do to support users
with visual disabilities?
daniela.napoli@carleton.ca 22
26. For more details…
• D. Napoli, K. Baig, S. Chiasson, “I’m Literally Just Hoping This Will Work:
Online Security and Privacy Strategies of People with Visual Disabilities.”
In Proceedings of ACM SIGCHI Conference on Human Factors in
Computing Systems (CHI), 2021. [in submission]
• D. Napoli, “Developing Accessible and Usable Security (ACCUS)
Heuristics.” In Proceedings of ACM SIGCHI Conference on Human
Factors in Computing Systems (CHI), 2018. Extended Abstract.
• D. Napoli, “Accessible and Usable Security: Exploring Visually Impaired
Users’ Online Security and Privacy Strategies.” Carleton University, 2018.
Masters Thesis.
Supported by the Digital Inclusion Research Grant from eCampusOntario 2017-18.
daniela.napoli@carleton.cachorus.scs.carleton.ca 26
Notes de l'éditeur
Good morning everyone
I’ve been looking forward to sharing some of the stuff that consumes me when I’m not at CIHI
This work mainly pertains to my Masters research that I completed 2 years ago
My PhD research will be different but rooted in the same sort of idea – melding together accessibility and usable security
So, I hope that there will be something useful or interesting in here for everyone
Feel free to ask me anything as I go through these slides
As I’ve mentioned, most of my days outside of CIHI focus on the usable security side of accessibility
Today I’ve condensed some main ideas into three parts
First, I’d like to talk a bit about the field of usable security and how it is related to accessibility
Then, we can dig into some of the obstacles people with visual impairments faced while I observed them complete some security tasks online
Finally, we’ll go over a set of guidelines we composed to help ease the problems we found
To start I’ve shown this relationship between three seemingly similar fields… UX, accessibility, and usable security
This is likely straightforward to a team of UXers but…
Usable Security is a field that tries to make security systems more “user friendly” and therefore more effective
So, research in this field tries answer questions like:
How can we make passwords hard to crack but easy to remember?
Or, how can we make security warnings meaningful and relevant so people actually heed them?
You’ll notice that in this graphic there’s a gap here [CLICK] between usable security and accessibility
This is to show that often times usable security field doesn’t consider accessibility
And, frankly, a lot of accessibility discussion doesn’t really consider security either
To address this gap,
We aimed to identify how usable security can help accessibility
We began by exploring how issues that people with visual disabilities face when trying to manage their online security
Then from there we identified what pain-points exist
Finally, we came up with some ways to integrate usable security principles to solve these problems
Let’s go through the research we conducted
In Jan. 2019 we ran a user study to observe what people with visual disabilities do when working online
We recruited 14 people through Canadian National Institute for the Blind (CNIB) in Toronto and the Canadian Council of the Blind (CCB) in Ottawa
Seven participants had low to no vision and we considered them “blind.”
Seven had some vision in one or both eyes and we considered them “partially sighted.”
Depending on their abilities, and what devices they typically used, our study’s apparatuses varied.
So, blind participants used screen readers like JAWS or Apple VoiceOver. And, partially sighted participants used screen magnifiers like ZoomText or Pinch-to-Zoom in iOS.
Then, we randomly assigned participants to one of three websites: Gmail, Amazon Canada, or our spoofed CNIB website.
To spoof the CNIB website…
We copied all of the content from the legitimate site, hosted it on our lab server, and misspelled the domain so that it would it seem like a phishing site.
We asked participants to complete some security tasks.
We gave them account credentials and credit card information
so that they could complete the tasks without having to use their personal information.
We took notes of what people did and said during and after completing the tasks.
Here’s some more details about the participants included in the study
We had asked them extensive details about what devices they use and for what purpose
Overall, even though people tended to rely on their mobile device for day-to-day tasks
They typically used a desktop or something else for more sensitive tasks like banking or shopping
Further, not everyone was familiar with JAWS.
Some people knew what JAWS was but were not good at using it so they opted for other technologies.
Typically JAWS is used by people who are blind
And ZoomText, which is a screen magnifier is used by people who have some limited vision
But, this is not exclusive as there were participants who with partial vision use a combination of both to get the most out of their experience
So it’s important for designers to consider compatibility with a range of technologies
Let’s review some of our main findings
The first of the three security tasks participants were asked to do was to check if the website they were assigned was legitimate.
When deciding if a site was legitimate, people often relied on the organizations that seemed to be affiliated with the website.
If there was a recognizable logo on the website,
Or if it had content that they expected to be there,
The participants trusted that the page was legit and therefore safe to interact with.
This is a problem because our spoof site contained these indicators since we copied all of the legitimate website’s content
And what made the spoof site even harder to detect was JAWS itself
Blind participants who rely solely on audible information to make their decisions were limited because the screen reader read the spoofed URL the same way it read the legitimate URL
Visually, you can see that the spoofed URL has an extra C
But JAWS read both addresses the same: “H-T-T-P colon slash slash dot cuh-nib dot cah”
Making it impossible to notice the difference between the URLs unless they take extra steps to read the URL letter by letter
…Which most times, people won’t do if they aren’t suspicious of the website
Some common security advice in identifying legitimate websites will direct people to look out for some visual cues while surfing the web
For instance, this is the Google Chrome’s green lock indicator
It tries to show that a site is secure
But the problem with these visual cues is that they’re visual
And although our participants know it existed, and know it could help them, they said that they usually couldn’t find it
Icons like these don’t always have alt text or good enough alt text that actually depicts the “secured” nature that the lock icon is trying to represent
In the end, these indicators are really not accessible to non-visual users
Common security advice will also urge people to check if websites have a verified SSL certificate
An SSL certificate shows that the site is legit, or at the very least, your connection to the website is secure and can’t be intercepted by hackers
But when doing our research with Internet Explorer, one of the most popular browsers among JAWS users,
The text within this certificate was unreadable to screen readers
In fact, we had to go through a long process of trial-and-error to actually be able to get to some sort of information that told us the website’s certificate is valid.
What I have here on this slide is a flowchart of the process we took to find this information.
There’s almost 20 boxes here, each represents a screen within the SSL dialogue window
Only one of these boxes, or screens within the window, actually gave some sort of information the made it seem like the certificate was trustworthy
It’s unlikely that people will go through this long process to find this information
So, SSL certificates are also inaccessible to non-visual visitors
The second security task in our user study was to log in to the given website
Form fields usually cause issues for people who are visually impaired
So, as you can imagine, many people had issues when signing in
But, one of the most concerning problems we found was that people who are blind don’t have any explicit information to say the log in was successful
Without this feedback, they were unsure if the account had been accessed
Or if private information was being shown on the screen
This lack of feedback makes it hard for people to manage their privacy
Also, in regards to logging into websites, people had trouble typing in their passwords because systems will mask passwords as a security measure
Visually, websites will turn each character into a bullet glyph when typing a password
Audibly, through JAWS, each character will be read out as “star” while typing the password
This masking technique is supposed to keep the password private from someone who might be watching or listening,
but people who with severe vision loss, and can’t see the keyboard while they type, have to essentially guess if they typed their password correctly
This makes it hard for these people to control and manage their accounts
Additionally, sometimes some important security messages are buried under page content
Using passwords as an example, an error message like “Password incorrect” might be visually represented next to the form field
But it is nested so far down in the HTML that screen reader users have to search the entire page to find it
This makes it really hard for the person to know that something is wrong
And this could be a really critical problem for security warnings that might be more severe than incorrect passwords
During our study, error messages were sometimes high up in the page
But were still essentially inaccessible
During the third task, participants were asked to complete some transactions
One was to finalize a purchase on Amazon
This is a screen shot of one of our participants trying to clarify the shipping address for an Amazon package
The error happening here is very nuanced, Amazon wanted the user to format the shipping address in a way they thought was more legible
The differences between how the user typed the address and how Amazon wanted to change the address was visually emphasized with red, bold letters
However, when reading the information with screen readers, both the flawed address and the corrected address sounded exactly the same
There was no alternate text to depict what the error was
In the end, two blind participants couldn’t get beyond this problem and couldn’t finalize their Amazon purchase
This issue is less security-specific, but emphasizes the problem of having poor alt text can essentially derail and entire security-sensitive process
You could imagine that these issues might not be as severe for partially sighted users
But, when using screen magnifiers like ZoomText
It’s very easy for important information to get cut off
Here is a screen shot of another person completing an Amazon purchase
In this picture you can clearly seeThe header with the Amazon.ca prime logo
And a warning box with important information about the item that is currently in the cart
However, the partially sighted person who was completing this Amazon purchase had the screen magnified x12 larger than normal
This was necessary so that they could use the site
But it also was so zoomed in it cut off the important message, and they could only see the Amazon logo initially
Eventually the partially sighted person could find the important message
But this could be a bigger issue for errors or warnings that aren’t so prominently placed at the top of a page
Wrapping up our user study, after completing the security tasks, we asked participants to tell us what they think of some common security advice
Like we mentioned, security advice will tell people to check for lock icons or SSL certificates
And as we discussed, these aren’t necessarily accessible
Our participants also highlighted a few other aspects of security advice that is not accessible to them
For one, many people avoid updating their system because it can break accessibility
This can leave people’s computers in danger because often updates will improve the security of a system
Leaving them outdated could put someone at risk
But this is the compromise they have to make in order to be able to actually use their device
Participants also avoided some of the latest browsers including Microsoft Edge and Mozilla Firefox Quantum
These browsers might be faster and more secure
But, again our participants said they couldn’t use these browsers with some of their assistive technology
The majority of our participants said they thought antivirus software was important to their security
Many said they felt that this software kept them safe hackers or malware
But they said that this software was also inaccessible
In one case, someone who used JAWS told us that the system didn’t properly describe the issues that the antivirus was flagging
They often had to guess what the problem was and gamble on a solution
If they were really unsure, they would call someone they trusted to come over, check the program, and fix the issue for them
To summarize the experiences of people with visual disabilities…
A lot of participants just felt lost
They were uncertain how to actually protect themselves online because of these severe accessibility problems
This uncertainty was also due to the fact security advice, or people who offer security expertise, just don’t seem to understand their unique browsing habits and concerns
One participant said they can only trust advice from a tech savvy fellow blind person
Because only then would they feel like the advice they were given actually suits their needs
As you might have noted,
A lot of these problems go beyond just making an accessible website
The issues pertained to browsers, operating systems, and security advice would difficult to solve if you are a UX Designer or Analyst
But, people who have a hand in building web tools can still try to make that the privacy and security information being offered is effective and accessible
If you take a look at what’s out there already, neither official-looking accessibility nor usable security guidelines actually address accessible security
So, we created some design heuristics to help make security information more accessible to people with visual impairments
To create these heuristics we surveyed 25 peer-reviewed articles from both domains
Then we noted 172 best practices, expert recommendations, and documented user behaviours
We analysed these notes through an iterative open-coding process
Nine heuristics emerged from our analysis
These heuristics meld together principles from usable security and accessibility
So they can be helpful when you’re trying to designing accessible security info
Due to essence of time, I won’t be going through all of the heuristics today.
At the end of this talk, I’ll have a slide with some papers that will give you some more information.
But for now…
As you’re well aware, you can use heuristics to design or evaluate an interface.
Our hope is that these ACCUS Heuristics are helpful for doing just that within the context of security for users with visual disabilities.
These heuristics still need to be refined yet so far,
We have tested these heuristics in an expert evaluation of 10 popular transactional websites (shown in Table 1)
While using these heuristics we were able to identify several severe accessibility problems that couldn’t be found when using traditional automated accessibility checkers
We summarize our findings in Table 2 per website.
We compare the total issues found across all websites per ACCUS Heuristic in Figure 2.
As shown, often times issues we found were related to the Controllable heuristic.
The controllable heuristic relates to issues with accessing security information through screen readers and other technology.
However, the most severe issues were more often related to the Functional, Assistive , or Diverse heuristics.
These heuristics are similar to the Controllable heuristic but issues relating to these heuristics would involve, for example,
limited non-visual information to explain security indicators or limited explicit audible guidance in assisting users in solving the security problems they face.
Like I mentioned, I won’t go into deep detail about the heuristics
But number 2 in this list of papers will explain more
The first paper in this list talks more about the user study
All of this work was funded in part by the Digital Inclusion Research Grant from eCampusOntario.
Let me know if you’d like a copy of any of these papers
I’m happy to answer any more questions now