Understanding Authentication Method Use On Mobile Devices


Understanding Authentication Method Use on Mobile Devices by People with Vision Impairment

Daniella Briotto Faustino and Audrey Girouard
Carleton University
Ottawa, ON, Canada
daniella.briottofaustino@carleton.ca, audrey.girouard@carleton.ca

ABSTRACT

Passwords help people avoid unauthorized access to their personal devices but are not without challenges, like memorability and shoulder surfing attacks. Little is known about how people with vision impairment assure their digital security in mobile contexts. We conducted an online survey to understand their strategies to remember passwords, their perceptions of authentication methods and their self-assessed ability to keep their digital information safe. We collected answers from 325 people who are blind or have low vision from 12 countries and found: most use familiar names and numbers to create memorable passwords, the majority consider fingerprint to be the most secure and accessible user authentication method and PINs the least secure user authentication method. This paper presents our survey results and provides insights for designing better authentication methods for people with vision impairment.

Author Keywords

Blind; low vision; vision impaired; password; user authentication methods; smartphones; mobile devices.

ACM Classification Keywords

Security and privacy Human and societal aspects of security and privacy Usability in security and privacy

INTRODUCTION

Currently, there is little information about security for people with vision impairment while interacting with mobile devices [22]. People with vision impairment are those who are blind in one or both eyes, or those who have low vision and cannot read a newspaper even when wearing typical corrective lenses [33]. Previous research showed the majority of people with vision impairment did not use authentication methods to protect their smartphones because they considered the alternative available (PINs) either inaccessible or inconvenient [7, 17]. In addition, researchers found accessibility issues in authentication with ATMs [13], As [31], and patterns drawn on the screen [8]. Also, people with vision impairment are more vulnerable to shoulder surfing and aural eavesdropping when entering PINs [20]. However, even though more user authentication methods are now available (e.g. fingerprint and facial recognition), we do not have information about which of the existing methods people with vision impairment consider more secure, more accessible or preferable.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
ASSETS '18, October 22–24, 2018, Galway, Ireland
2018 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-5650-3/18/10

In 2015, Bourne et al. [12] estimated that 36 million people were blind and 217 million were moderately or severely vision impaired, for a total of 253 million people living with vision impairment around the world. Thanks to the rise of accessibility features and applications for mainstream devices, the number of people with vision impairment using smartphones is increasing [14, 20]. Consequently, they are relying more on the technology, making it essential to assure their privacy and security protections [22].

To better understand how people with vision impairment perceive and navigate user authentication methods, we conducted a comprehensive online survey to answer the following research questions:

1) How do people with vision impairment self-assess their ability to keep their digital data secure?
2) Which is the user authentication method considered more secure and accessible for people with vision impairment?
3) What are the differences between people who are blind and people who have low vision in their preference and opinion on user authentication methods?

To the best of our knowledge, this study is the first to extensively explore the relationship people with vision impairment have with passwords and user authentication methods. Through an analysis of the answers from 325 vision impaired respondents, the contributions of this work are: (1) an overview of the main challenges faced by people with vision impairment when dealing with passwords; (2) insights on how people with vision impairment perceive different user authentication methods; (3) a comparison between people who are blind and people who have low vision regarding digital security.

This paper starts with Related Work centered around user authentication methods and security concerns for people with vision impairment in a mobile context. Survey Methodology describes the development and distribution of the online survey, while the Results reports on participants, password use, authentication methods in mobile devices, and use of smartphones and authentication. Discussion weighs the most important findings and how they relate to previous work.

RELATED WORK

In 2016, 77% of sighted adults from the United States of America (US) said they own a smartphone, a large increase from 2011 where the percentage of smartphone owners was 35% [30]. With the increase in smartphone adoption, more personal data is stored in them, such as name, address, email and geolocation [22]. To protect smartphones from unauthorized access (and consequently the personal information saved in them), users have to prove they are who they are claiming to be, through a user authentication method [25]. The methods available can be categorized as: something you know (knowledge-based, such as PINs, alphanumeric passwords or patterns drawn on the screen), something you have (token-based, such as smart cards), and something you are (biometric-based, such as fingerprints, facial recognition, voice recognition, iris scans) [22]. The options most commonly used by sighted Americans were PINs (26%), fingerprint (23%), passwords (9%), and patterns (9%), but 28% did not use any method to lock their screen and avoid unauthorized access [30].

Besides being the most ubiquitous option, PINs are considerably more secure than patterns, as even a 2-digit PIN is more secure than a pattern of dots connected by drawing on the screen, because people tend to create very simple patterns [4]. On the other hand, both PINs and alphanumeric passwords require users to memorize a sequence of characters, a disadvantage when compared to biometric methods. Fingerprints, for instance, allow for a reliable individual identification [11], though they have issues, such as high false rejection rates, and the impossibility of replacing one’s fingerprint in case the information is compromised [25]. Ultimately, biometrics does not replace passwords, and “can be considered a re-authenticator or a secondary-authentication device as a user is still required to have a PIN or pattern that they enter rather frequently due to environmental impacts (e.g., wet hands)” [5].

Smartphones are powerful devices, offering a myriad of functions and access to different social spheres, but for the blind or vision-impaired user, they are limited by the ubiquity of touch screen interfaces [15]. Blind individuals can explore the UI elements on their touch screen with the support of embedded screen readers, even though this is a slow and error-prone process [6]. This extends to security, where typing PINs while using screen readers makes people with vision impairment more susceptible to others listening to their passwords (aural eavesdropping), as the system reads out loud everything, even password entries [20]. Similarly, the use of screen magnifiers by those with low vision also increases the susceptibility to visual eavesdropping [20]. In addition, trying to type in a password is considered one of the most difficult things for people with vision impairment to do on a smartphone while using the internet [9].

Prior work from Ahmed et al. [2] indicates that most people with vision impairment feel uncomfortable using passwords in public contexts for fear of eavesdropping and also have privacy concerns. However, other research indicates that the majority of people with vision impairment are choosing not to use passwords to protect their smartphones [7, 17]. One of the reasons given by participants for not using any authentication method was that they kept their smartphone close to them at all times [7, 38], even though this is not a secure practice. Another reason mentioned by some participants was the inconvenience of unlocking the device using PINs [7], potentially due to the penalty in time [36]. Additionally, among the user authentication methods currently available on smartphones, iris or retina scans can be problematic for people with vision impairment, “who may have deformed or missing eyes, or no ability to open their eyelids” [22], as patterns drawn on the screen are, because they require the selection of points on the touch screen [8, 22].

It is important to realize that users see security simply as a means to complete their tasks while having their data private. However, if security features are not accessible to them, it either makes them unable to access specific information or applications, or forces them to ask the help of others while completing required authentication procedures, possibly compromising their own security [22]. Prior research on the intersection of usability, security and accessibility is rare [31] and needs further investigation [22]. This work aims to clarify both whether people with vision impairment are currently adopting user authentication methods and whether these pose accessibility issues to them.

SURVEY METHODOLOGY

We developed an online survey to collect data from blind and low vision individuals regarding their use of passwords and perceptions about user authentication methods and their own ability to protect their personal information in digital devices. Our hypotheses were:

H1) People with vision impairment will not feel able to properly keep their digital information secure, because of accessibility issues with the visual cues and feedback provided [7] and the difficulty to assess if others are shoulder surfing their passwords [2].

H2) People with vision impairment will choose fingerprints as the most secure authentication method due to its broad use [30]. They will also choose it as the most accessible method as it is a biometric method, which does not require entering a password and is available in most smartphones [26].

H3) As to the best of our knowledge no previous work investigated differences in preference and opinions regarding authentication methods between people who are blind and people who have low vision, we expect no difference between the two groups.

Survey Design

We applied the guidelines proposed by Kaczmirek and Wolff [21] to create an effective self-administered survey for vision impaired participants. We developed 30 multiple-choice or text-entry questions, divided into four groups: 1) demographic information, 2) use of passwords in general, 3) point of view on existing user authentication methods available for mobile devices and 4) use and protection of mobile devices. We posted the survey in both English and Portuguese using the platform Qualtrics [28], where we numbered all questions and added additional explanation in brackets to help participants to answer (e.g. “choose all that apply” for multiple-choice questions, or “write your answer” for text-entry questions). We did not list consecutively alternatives starting with the same letters to facilitate their selection by participants using screen magnifiers, which focus on a single area of the screen at a time. For this reason, we did not randomize the lists of alternatives in any of the questions.

Before distributing the survey, we tested it with two human-computer interaction specialists to evaluate the appropriateness of the questions and their sequencing to avoid introducing bias. We also tested it with two people who are blind, using both a smartphone and a computer, to identify accessibility issues or other problems that might impact completion or ease of use. We distributed the survey by email to organizations that support people with vision impairment from 31 countries (e.g. Lighthouse for the Visually Impaired and Blind, or the Canadian Council of the Blind). The survey was open for two and a half months from December 2017 to February 2018. Participants who declared being vision impaired and at least 18 years-old qualified to participate. As a token of appreciation, we drew a 50 gift card to one participant at random. We obtained ethical clearance from the Carleton University Research Ethics Board (CUREB-B # 102815).

Terminology

According to Kleynhans and Fourie [3], the terms visually impaired, partially sighted and low vision are used interchangeably in the literature to indicate residual vision. In our survey, we opted to use the term vision impaired, in accordance with the World Health Organization (WHO) [34], the Center for Disease Control and Prevention [19] and the Government of Canada [16]. However, we also considered the suggestion from Cavender et al. [1] on clarifying if a person referred to as “blind” is someone who uses screen readers to access a computer, by adding a question on what assistive technologies participants use.

Analysis of Results

One researcher performed quantitative analysis of the multiple-choice answers using R Studio [29] and qualitative analysis of the text-entry answers using NVivo [27]. Quantitative analysis included chi-square tests (χ²) of categorical data and t-tests (t) of numerical data, but we only report statistically significant results. We conducted the qualitative analysis using grounded theory [17] to code the different themes that emerged for each question. Whenever necessary, we coded answers in more than one theme, but we did not code unclear answers.

PARTICIPANTS

This section presents participants’ demographics (including their vision impairment) and assistive technology use.

Demographics

We collected 325 complete answers from adults with vision impairment. From those, 223 declared they were blind, 93 declared they had low vision and the remaining 9 declared they had other vision impairments such as tunnel vision and limited central vision. We grouped them with either the blind group or the low vision group based on the WHO classification [37], to consolidate the analysis in only two groups with similar characteristics. The regrouping resulted in a total of 225 blind participants (69.2%) and 100 with low vision (30.8%). Most participants have been vision impaired for their entire adult life, as they reported becoming impaired at a median age of 1 year old (Mean (M) = 8.29, SD = 13.56).

Most participants resided in the US (72.3%) or Canada (15.1%). Other participants resided in 10 countries (Brazil: 5.2%; Portugal: 1.5%; Australia, Jamaica and New Zealand: 1.2% each; the U.K.: 0.9%; Barbados, Bosnia and Herzegovina, Mongolia and Trinidad and Tobago: 0.3% each). Gender was almost evenly distributed, with 169 (52%) females and 153 (47.1%) males. Ages ranged from 18 to 80 years-old, but most were middle-aged adults (M = 45.73, Median = 45). Besides being vision impaired, some (N = 49, 15.1%) reported having another physical or cognitive impairment, most commonly related to hearing loss (N = 27) as grouped by the WHO classification [37]. Considering participants with other impairments were equally spread among the two groups (blind and low vision), we chose not to analyze their answers separately. Participants took a median time of 24 minutes to answer the online survey.

Figure 1: Blind and low vision participant’s use of assistive technology. Significant differences marked with *.

Use of Assistive Technology

We asked participants to select assistive technologies they used from a list with 10 options. Among the most commonly used were: screen readers (87.7%), assistive apps (67.4%) and Braille displays (42.5%). Figure 1 shows the assistive technology use. Only seven participants reported not using any of the devices listed in the question.

We compared the use between the two groups (blind and low vision). We found the use of the following assistive devices was significantly larger by blind participants than by participants with low vision: screen readers (χ²(1, N = 325) = 62.98, p .001), Braille display (χ²(1, N = 325) = 54.86, p .001), Braille keyboard (χ²(1, N = 325) = 21.88, p .001), assistive smartphone applications (χ²(1, N = 325) = 10.08, p .005), and personal digital assistant (PDA) (χ²(1, N = 325) = 4.42, p .05). On the other hand, the use of the following assistive devices was significantly larger by participants with low vision: screen magnifier (χ²(1, N = 325) = 153.93, p .001) and video magnifier (χ²(1, N = 325) = 75.81, p .001).

The results on the use of screen magnifiers and screen readers are consistent with previous research [3]. But our results also indicate people who are blind require the use of more assistive technologies than people with low vision, except for devices that support the use of residual vision. Participants who became vision impaired earlier in life were more likely to use Braille displays (M = 3.9 vs. M = 11.5, t(321) = 2.81, p .005). This indicates Braille education is probably given to people who are blind since birth or since early childhood. Based on the use of assistive technology and following the suggestion of Cavender et al. [1], blind participants are those who use screen readers to interact with their digital devices, while low vision participants are those who are more likely to use screen magnifiers, instead.

PASSWORD USE

This section reports the importance of passwords for participants, where they use them, their self-assessed ability to protect their digital information, their strategies for memorization and concerns with using passwords in public.

We asked participants to explain their rating of password importance, illustrated in Figure 3. Among participants who rated passwords as very important, important or neutral, most mentioned acknowledging the importance of passwords for protecting personal information (57.6%), followed by assuring their privacy and security (26%).

Figure 2: Blind and low vision participants’ ratings for the importance of passwords.

Interestingly, twelve participants that chose very important or important discussed vulnerabilities of passwords, even citing the 2017 data breach on a credit information bureau, involving more than 140 million Americans [18]: “[my information] should be protected as identity theft can be expensive to resolve. Unfortunately, no matter how secure we are, when companies like Equifax lose our data, all of our precautions are meaningless” (P214). Some participants also said the importance of passwords depends on the context and the importance of the information being secured (N = 6).

Previous experiences also affect how people with vision impairment perceive the importance of passwords. Two participants who said they did not have problems so far rated passwords as not important or neutral, whereas four that had bad experiences rated passwords as very important. For example, P23 said: “Other people could easily gain access to my information as I cannot tell if they are watching me, I have had electronic devices stolen when I was not looking.”

Digital Presence

Participants’ near unanimous evaluation of passwords as important is in line with
