Recommandé
Recommandé
Contenu connexe
Similaire à Design Tips to Help Users with Visual Disabilities Stay Safe Online
Similaire à Design Tips to Help Users with Visual Disabilities Stay Safe Online (20)
Dernier
Dernier (20)
Design Tips to Help Users with Visual Disabilities Stay Safe Online
- 1. Design Tips to Help Users with Visual Disabilities Stay Safe Online Daniela Napoli daniela.napoli@carleton.ca
- 2. Today we’ll explore 1. Usable Security and how it can help improve Accessibility 2. Obstacles users with visual disabilities face when completing sensitive tasks online 3. Design heuristics to help create and evaluate accessible and usable security information daniela.napoli@carleton.ca 2
- 4. How do people with visual disabilities manage their security? daniela.napoli@carleton.ca 4
- 5. Study Design + Participants daniela.napoli@carleton.ca 5
- 6. daniela.napoli@carleton.ca Participants with Visual Disabilities Varied Apparatuses Security Tasks • 14 recruited through CNIB Toronto and CCB Ottawa • 7 blind • 7 partially sighted • Windows 10 or iPad • JAWS, VoiceOver, ZoomText • Internet Explorer, Safari, or Chrome • Gmail, Amazon, and CCNIB • Verify site is legitimate • Login or find a page • Site-specific transaction 6
- 7. • 12 on Windows desktop • 2 on Apple iPad • JAWS, ZoomText, or nothing • Majority used Internet Explorer (because most compatible) daniela.napoli@carleton.ca 7
- 9. Checking if a site is legitimate JAWS read-out made it harder to detect spoof sites Real: http://www.cnib.ca Spoofed: http://www.ccnib.ca JAWS: “H-T-T-P colon slash slash dot cuh-nib dot cah.” daniela.napoli@carleton.ca 9
- 10. Checking if a site is legitimate “I know that there's a green lock icon to tell me that a site is safe, but I can't see it.” daniela.napoli@carleton.ca 10
- 11. Checking if a site is legitimate daniela.napoli@carleton.ca 11
- 12. Logging into accounts No feedback to say login was successful Fail first attempt to login (6/14) Confirmation through content change (6/14) Confirmation through lack of error (5/14) daniela.napoli@carleton.ca 12
- 13. Logging into accounts "You never know your password is correct before you login.” daniela.napoli@carleton.ca 13
- 14. Logging into accounts Security errors buried under page content "The screen reader won't say wrong password right away. Sometimes you will have to arrow around and see if it was wrong." daniela.napoli@carleton.ca 14
- 15. Online purchases "It's telling me that there's a problem. It's been marked. Probably with a red something, but let's see if VoiceOver will tell me that.” daniela.napoli@carleton.ca 15
- 16. Online purchases Magnifier zoom is needed but can cut off important messages daniela.napoli@carleton.ca 16
- 17. Accessibility over security Avoid automatic updates because it breaks accessibility daniela.napoli@carleton.ca 17
- 18. Accessibility over security Avoid latest browsers because compatibility issues with assistive tech daniela.napoli@carleton.ca 18
- 19. Accessibility over security Inaccessible antivirus software “ [anti-virus software doesn’t] say what is actually wrong. JAWS doesn’t read it either. You have to get someone else to read it. Or, you have to click quarantine not knowing what programs are actually protected." daniela.napoli@carleton.ca 19
- 21. “…I feel like a lamb to the slaughter.” “…You don’t know if something is important or if you can get by without it. It’s knowing what to do that’s hard.” “…but someone who is actually blind knows the risk… I have to be safe and smarter about it.” daniela.napoli@carleton.ca 21
- 22. What can UX do to support users with visual disabilities? daniela.napoli@carleton.ca 22
- 23. 25 peer-reviewed articles 172 excerpts iteratively open-coded 9 emerging design heuristics Accessible and Usable Security (ACCUS) Design Heuristics daniela.napoli@carleton.ca 23
- 24. Accessible and Usable Security (ACCUS) Design Heuristics daniela.napoli@carleton.ca 1. Informative 5. Functional 2. Verifiable 6. Controllable 3. Recognizable 7. Responsive 4. Assistive 8. Diverse 9. Memorable 24
- 26. For more details… • D. Napoli, K. Baig, S. Chiasson, “I’m Literally Just Hoping This Will Work: Online Security and Privacy Strategies of People with Visual Disabilities.” In Proceedings of ACM SIGCHI Conference on Human Factors in Computing Systems (CHI), 2021. [in submission] • D. Napoli, “Developing Accessible and Usable Security (ACCUS) Heuristics.” In Proceedings of ACM SIGCHI Conference on Human Factors in Computing Systems (CHI), 2018. Extended Abstract. • D. Napoli, “Accessible and Usable Security: Exploring Visually Impaired Users’ Online Security and Privacy Strategies.” Carleton University, 2018. Masters Thesis. Supported by the Digital Inclusion Research Grant from eCampusOntario 2017-18. daniela.napoli@carleton.cachorus.scs.carleton.ca 26
Notes de l'éditeur
- Good morning everyone I’ve been looking forward to sharing some of the stuff that consumes me when I’m not at CIHI This work mainly pertains to my Masters research that I completed 2 years ago My PhD research will be different but rooted in the same sort of idea – melding together accessibility and usable security So, I hope that there will be something useful or interesting in here for everyone Feel free to ask me anything as I go through these slides
- As I’ve mentioned, most of my days outside of CIHI focus on the usable security side of accessibility Today I’ve condensed some main ideas into three parts First, I’d like to talk a bit about the field of usable security and how it is related to accessibility Then, we can dig into some of the obstacles people with visual impairments faced while I observed them complete some security tasks online Finally, we’ll go over a set of guidelines we composed to help ease the problems we found
- To start I’ve shown this relationship between three seemingly similar fields… UX, accessibility, and usable security This is likely straightforward to a team of UXers but… Usable Security is a field that tries to make security systems more “user friendly” and therefore more effective So, research in this field tries answer questions like: How can we make passwords hard to crack but easy to remember? Or, how can we make security warnings meaningful and relevant so people actually heed them? You’ll notice that in this graphic there’s a gap here [CLICK] between usable security and accessibility This is to show that often times usable security field doesn’t consider accessibility And, frankly, a lot of accessibility discussion doesn’t really consider security either
- To address this gap, We aimed to identify how usable security can help accessibility We began by exploring how issues that people with visual disabilities face when trying to manage their online security Then from there we identified what pain-points exist Finally, we came up with some ways to integrate usable security principles to solve these problems
- Let’s go through the research we conducted
- In Jan. 2019 we ran a user study to observe what people with visual disabilities do when working online We recruited 14 people through Canadian National Institute for the Blind (CNIB) in Toronto and the Canadian Council of the Blind (CCB) in Ottawa Seven participants had low to no vision and we considered them “blind.” Seven had some vision in one or both eyes and we considered them “partially sighted.” Depending on their abilities, and what devices they typically used, our study’s apparatuses varied. So, blind participants used screen readers like JAWS or Apple VoiceOver. And, partially sighted participants used screen magnifiers like ZoomText or Pinch-to-Zoom in iOS. Then, we randomly assigned participants to one of three websites: Gmail, Amazon Canada, or our spoofed CNIB website. To spoof the CNIB website… We copied all of the content from the legitimate site, hosted it on our lab server, and misspelled the domain so that it would it seem like a phishing site. We asked participants to complete some security tasks. We gave them account credentials and credit card information so that they could complete the tasks without having to use their personal information. We took notes of what people did and said during and after completing the tasks.
- Here’s some more details about the participants included in the study We had asked them extensive details about what devices they use and for what purpose Overall, even though people tended to rely on their mobile device for day-to-day tasks They typically used a desktop or something else for more sensitive tasks like banking or shopping Further, not everyone was familiar with JAWS. Some people knew what JAWS was but were not good at using it so they opted for other technologies. Typically JAWS is used by people who are blind And ZoomText, which is a screen magnifier is used by people who have some limited vision But, this is not exclusive as there were participants who with partial vision use a combination of both to get the most out of their experience So it’s important for designers to consider compatibility with a range of technologies
- Let’s review some of our main findings
- The first of the three security tasks participants were asked to do was to check if the website they were assigned was legitimate. When deciding if a site was legitimate, people often relied on the organizations that seemed to be affiliated with the website. If there was a recognizable logo on the website, Or if it had content that they expected to be there, The participants trusted that the page was legit and therefore safe to interact with. This is a problem because our spoof site contained these indicators since we copied all of the legitimate website’s content And what made the spoof site even harder to detect was JAWS itself Blind participants who rely solely on audible information to make their decisions were limited because the screen reader read the spoofed URL the same way it read the legitimate URL Visually, you can see that the spoofed URL has an extra C But JAWS read both addresses the same: “H-T-T-P colon slash slash dot cuh-nib dot cah” Making it impossible to notice the difference between the URLs unless they take extra steps to read the URL letter by letter …Which most times, people won’t do if they aren’t suspicious of the website
- Some common security advice in identifying legitimate websites will direct people to look out for some visual cues while surfing the web For instance, this is the Google Chrome’s green lock indicator It tries to show that a site is secure But the problem with these visual cues is that they’re visual And although our participants know it existed, and know it could help them, they said that they usually couldn’t find it Icons like these don’t always have alt text or good enough alt text that actually depicts the “secured” nature that the lock icon is trying to represent In the end, these indicators are really not accessible to non-visual users
- Common security advice will also urge people to check if websites have a verified SSL certificate An SSL certificate shows that the site is legit, or at the very least, your connection to the website is secure and can’t be intercepted by hackers But when doing our research with Internet Explorer, one of the most popular browsers among JAWS users, The text within this certificate was unreadable to screen readers In fact, we had to go through a long process of trial-and-error to actually be able to get to some sort of information that told us the website’s certificate is valid. What I have here on this slide is a flowchart of the process we took to find this information. There’s almost 20 boxes here, each represents a screen within the SSL dialogue window Only one of these boxes, or screens within the window, actually gave some sort of information the made it seem like the certificate was trustworthy It’s unlikely that people will go through this long process to find this information So, SSL certificates are also inaccessible to non-visual visitors
- The second security task in our user study was to log in to the given website Form fields usually cause issues for people who are visually impaired So, as you can imagine, many people had issues when signing in But, one of the most concerning problems we found was that people who are blind don’t have any explicit information to say the log in was successful Without this feedback, they were unsure if the account had been accessed Or if private information was being shown on the screen This lack of feedback makes it hard for people to manage their privacy
- Also, in regards to logging into websites, people had trouble typing in their passwords because systems will mask passwords as a security measure Visually, websites will turn each character into a bullet glyph when typing a password Audibly, through JAWS, each character will be read out as “star” while typing the password This masking technique is supposed to keep the password private from someone who might be watching or listening, but people who with severe vision loss, and can’t see the keyboard while they type, have to essentially guess if they typed their password correctly This makes it hard for these people to control and manage their accounts
- Additionally, sometimes some important security messages are buried under page content Using passwords as an example, an error message like “Password incorrect” might be visually represented next to the form field But it is nested so far down in the HTML that screen reader users have to search the entire page to find it This makes it really hard for the person to know that something is wrong And this could be a really critical problem for security warnings that might be more severe than incorrect passwords
- During our study, error messages were sometimes high up in the page But were still essentially inaccessible During the third task, participants were asked to complete some transactions One was to finalize a purchase on Amazon This is a screen shot of one of our participants trying to clarify the shipping address for an Amazon package The error happening here is very nuanced, Amazon wanted the user to format the shipping address in a way they thought was more legible The differences between how the user typed the address and how Amazon wanted to change the address was visually emphasized with red, bold letters However, when reading the information with screen readers, both the flawed address and the corrected address sounded exactly the same There was no alternate text to depict what the error was In the end, two blind participants couldn’t get beyond this problem and couldn’t finalize their Amazon purchase This issue is less security-specific, but emphasizes the problem of having poor alt text can essentially derail and entire security-sensitive process
- You could imagine that these issues might not be as severe for partially sighted users But, when using screen magnifiers like ZoomText It’s very easy for important information to get cut off Here is a screen shot of another person completing an Amazon purchase In this picture you can clearly see The header with the Amazon.ca prime logo And a warning box with important information about the item that is currently in the cart However, the partially sighted person who was completing this Amazon purchase had the screen magnified x12 larger than normal This was necessary so that they could use the site But it also was so zoomed in it cut off the important message, and they could only see the Amazon logo initially Eventually the partially sighted person could find the important message But this could be a bigger issue for errors or warnings that aren’t so prominently placed at the top of a page
- Wrapping up our user study, after completing the security tasks, we asked participants to tell us what they think of some common security advice Like we mentioned, security advice will tell people to check for lock icons or SSL certificates And as we discussed, these aren’t necessarily accessible Our participants also highlighted a few other aspects of security advice that is not accessible to them For one, many people avoid updating their system because it can break accessibility This can leave people’s computers in danger because often updates will improve the security of a system Leaving them outdated could put someone at risk But this is the compromise they have to make in order to be able to actually use their device
- Participants also avoided some of the latest browsers including Microsoft Edge and Mozilla Firefox Quantum These browsers might be faster and more secure But, again our participants said they couldn’t use these browsers with some of their assistive technology
- The majority of our participants said they thought antivirus software was important to their security Many said they felt that this software kept them safe hackers or malware But they said that this software was also inaccessible In one case, someone who used JAWS told us that the system didn’t properly describe the issues that the antivirus was flagging They often had to guess what the problem was and gamble on a solution If they were really unsure, they would call someone they trusted to come over, check the program, and fix the issue for them
- To summarize the experiences of people with visual disabilities…
- A lot of participants just felt lost They were uncertain how to actually protect themselves online because of these severe accessibility problems This uncertainty was also due to the fact security advice, or people who offer security expertise, just don’t seem to understand their unique browsing habits and concerns One participant said they can only trust advice from a tech savvy fellow blind person Because only then would they feel like the advice they were given actually suits their needs
- As you might have noted, A lot of these problems go beyond just making an accessible website The issues pertained to browsers, operating systems, and security advice would difficult to solve if you are a UX Designer or Analyst But, people who have a hand in building web tools can still try to make that the privacy and security information being offered is effective and accessible
- If you take a look at what’s out there already, neither official-looking accessibility nor usable security guidelines actually address accessible security So, we created some design heuristics to help make security information more accessible to people with visual impairments To create these heuristics we surveyed 25 peer-reviewed articles from both domains Then we noted 172 best practices, expert recommendations, and documented user behaviours We analysed these notes through an iterative open-coding process Nine heuristics emerged from our analysis
- These heuristics meld together principles from usable security and accessibility So they can be helpful when you’re trying to designing accessible security info Due to essence of time, I won’t be going through all of the heuristics today. At the end of this talk, I’ll have a slide with some papers that will give you some more information. But for now… As you’re well aware, you can use heuristics to design or evaluate an interface. Our hope is that these ACCUS Heuristics are helpful for doing just that within the context of security for users with visual disabilities. These heuristics still need to be refined yet so far,
- We have tested these heuristics in an expert evaluation of 10 popular transactional websites (shown in Table 1) While using these heuristics we were able to identify several severe accessibility problems that couldn’t be found when using traditional automated accessibility checkers We summarize our findings in Table 2 per website. We compare the total issues found across all websites per ACCUS Heuristic in Figure 2. As shown, often times issues we found were related to the Controllable heuristic. The controllable heuristic relates to issues with accessing security information through screen readers and other technology. However, the most severe issues were more often related to the Functional, Assistive , or Diverse heuristics. These heuristics are similar to the Controllable heuristic but issues relating to these heuristics would involve, for example, limited non-visual information to explain security indicators or limited explicit audible guidance in assisting users in solving the security problems they face.
- Like I mentioned, I won’t go into deep detail about the heuristics But number 2 in this list of papers will explain more The first paper in this list talks more about the user study All of this work was funded in part by the Digital Inclusion Research Grant from eCampusOntario. Let me know if you’d like a copy of any of these papers I’m happy to answer any more questions now