All Access: Making Authentication Work for Everyone
You’ve been there before. You’re trying to log into a password-protected website and a Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA) authenticator pops up to confirm you are a human.
It shows you a grid with photos of roads and instructs you to choose all the boxes that include traffic signs. You’re squinting at your screen trying to figure out if a sign overlaps into a second square or not.
Now, imagine if you have a vision impairment.
CMS Information Technology Management Specialist Aaron Allen, who is visually impaired, does not have to imagine. While ensuring CMS applications are compliant, navigating the web, or just using his computer in general, Allen relies on a screen reader. He cannot complete a CAPTCHA verification without seeking help from another person.
“Captcha plays havoc with screen readers,” says Allen. “The security software is not recognized by screen reading technology. … Sometimes, they offer audio, but it’s designed in such a poor manner that it’s not recognizable. You have to pick out sound from static.”
Vision is just one of the barriers to web authentication accessibility. The Web Content Accessibility Guidelines (WCAG 2.2) stipulate that, “For each step in an authentication process that relies on a cognitive function test, at least one other authentication method is available that does not rely on a cognitive function test, or a mechanism is available to assist the user in completing the cognitive function test.”
Cognitive function tests typically require users to rely on their memory. Remembering a password is a test of cognitive function in and of itself. People with dyslexia, memory issues, and perception-processing disabilities may not be able to reproduce the numbers, symbols, and capitalization requirements necessary for passwords.
The Bureau of Internet Accessibility suggests taking the following steps to increase accessibility for those with cognitive disabilities.
- Use proper markup to allow password managers to fill in fields automatically.
- Websites should not block copy-and-paste functionality.
- Wherever possible, provide alternative options for authentication.
Alternatives include the WebAuthn API, which allows users to authenticate with a device via options such as a fingerprint, facial scan, or PIN.
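As an added illustration (not part of the original article or any CMS tooling), the first two steps can be checked mechanically in a login form's markup. The sketch below assumes every text, email, and password input in the scanned markup is a credential field, uses the autofill tokens defined by the HTML standard, and reports findings under labels invented for this example.

```python
from html.parser import HTMLParser

# Autofill tokens from the HTML standard that password managers key on.
CREDENTIAL_TOKENS = {"username", "current-password", "new-password", "one-time-code"}
CREDENTIAL_TYPES = {"password", "email", "text"}

class LoginFormAudit(HTMLParser):
    """Collects (field, finding) pairs for <input> elements in a login form."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() not in CREDENTIAL_TYPES:
            return
        name = a.get("name") or a.get("id") or "?"
        tokens = set(a.get("autocomplete", "").lower().split())
        if "off" in tokens:
            self.findings.append((name, "autofill-disabled"))
        elif not tokens & CREDENTIAL_TOKENS:
            self.findings.append((name, "no-autofill-hint"))
        # An inline handler that cancels the paste event stops users from
        # pasting a credential out of a password manager.
        handler = a.get("onpaste", "").replace(" ", "").lower()
        if "returnfalse" in handler or "preventdefault" in handler:
            self.findings.append((name, "paste-blocked"))

def audit(html):
    """Return the list of findings for the given markup."""
    parser = LoginFormAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup: a form with the problems, then a corrected one.
BEFORE = """<form>
<input type="text" name="user">
<input type="password" name="pass" autocomplete="off" onpaste="return false">
</form>"""
AFTER = """<form>
<input type="text" name="user" autocomplete="username">
<input type="password" name="pass" autocomplete="current-password">
</form>"""

if __name__ == "__main__":
    for label, html in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(html))
```

The check only sees inline `onpaste` attributes; paste blocking attached from a script needs testing in a browser.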
Antoinette Johnson, Director of OIT’s Division of Investment Oversight and Governance as well as CMS’s Section 508 Program Manager, says, “The important thing is to have as many alternatives as possible.”
“Cognitive, hearing, neurological, vision, and behavioral disabilities can all impact one’s ability to access or express information,” says Johnson.
Division of Investment Oversight and Governance Deputy Director Ann Turner points out that the CMS Section 508 program is “laid on the foundation of the 508 Rehabilitation Act” and that President Biden issued an executive order in June to increase DEI and accessibility across the federal government. Although CMS is moving in the right direction, we face many challenges. For one, these requirements are not accompanied by funding like other federally mandated programs.
“That means we have to leverage internal resources that we already have, and we have to educate on all levels,” Turner says. “It takes each and every one of us to do our part for this work to be successful.”
Success starts with the procurement process. Solicitations communicate the importance of accessibility, and CMS personnel communicate with vendors throughout the software development process.
Lastly, all software goes through a rigorous testing process to meet both 508 and WCAG 2.0 requirements. That’s where Allen comes in. He updates and maintains CMS Section 508 policy while providing technical guidance to CMS staff and contractors on Section 508 requirements.
Turner says that when accessibility discussions and testing are built into the software development workflows, most applications have a better success rate of meeting OIT’s compliance threshold. Of over 140 applications tested in 2021, 118 passed because of the great work of our Section 508 test lab and business partners.