Skip to Content

multifactor authentication

Imagine The Dark Future of CAPTCHA and Multifactor Authentication for the Blind

August 25, 2007 • Darrell Shandrow Hilliker

If you’re blind or severely visually impaired, imagine that you wake up one day to find…

  • You compose an e-mail to your sister, only to discover you can’t send it due to a visual CAPTCHA that provides no audio playback or other reasonable accomodation. A telephone number is given for visually impaired users. After waiting on hold for an hour, the person at the other end of the line has no clue how to help you. You consider switching e-mail providers, but you wonder if your bank account balance would support such a decision…
  • You log into your bank’s web site, only to find that a new visual security scheme has been implemented without considering your need for equal access. Since there is no reasonable accomodation for you as a blind person, your username and password are no longer sufficient and you have lost the ability to access something as simple as the balance of your own checking account! Since you do not live with a sighted person, you’re out of luck for a few days until you can find one with whom you trust with your personal bank account. Personal web surfing, for any reason, is not permitted at the office, so a co-worker is not an option.
  • You decide to log into PayPal to check your account balance there, only to find that the PayPal Security Key is now required for all customers! You never got one of those because the numbers it displays are only delivered visually. You assumed it wouldn’t be a requirement, or that accessibility would be considered before that happened. You’re now also locked out of your PayPal account! You give up, get showered, dress and leave for work…
  • At the office, you find yet another nasty surprise. All computers are now equipped with a visual display token for purposes of authentication and heightened security. The token displays a sequence of characters you must enter, in addition to your existing username and password, in order to be granted access to your work computer. Furthermore, due to the high security nature of the job, this process is required once every hour and anytime you leave your desk for breaks, lunch, etc. You suggest asking a supervisor for help with this process until it can be made accessible, but your employer sees fit to go ahead and get rid of you instead. Accomodating your needs would just be too much of an “undue burden”… You’re fired!
  • You return home to begin the process of applying for Social Security, Unemployment and other welfare benefits, only to find that most of the web sites require solving a visual CAPTCHA. You’ll have to go down to these separate offices in person! Getting assistance in person is an absolute nightmare! After waiting in line at Social Security for an hour, the agent says she is too busy to help you due to the need to serve other clients and, anyway, isn’t all this done online nowadays? You’re given a bunch of paperwork to have filled out by some sighted person, one of these days…
  • It takes so long to find competent sighted help that you don’t start receiving any welfare benefits for almost two months! In the meantime, you have lost your house and are now living in a homeless shelter! You can forget about another job, as most employers now require secure visual authentication, and most job related computer applications are virtually totally inaccessible to blind people…
  • Most assistive technology companies have since gone out of business, due to the implementation of visual authentication and the almost total lack of mainstream technology that even approaches any level of functionality with screen readers. Only a single company remains, delivering a screen reader to the few remaining blind government employees who retain their jobs by a thread. The Federal government is dying to be granted the ability to use the same visual authentication scheme as that employed in the private sector, if only they could successfully get Sections 504 and 508 of the Federal Rehabilitation Act repealed. There are national security reasons for doing this which clearly trump the needs of a few blind people. Congress and the President are in negotiations to make that happen any day now…

We should be afraid, be very afraid, of the clear and present danger posed by inaccessible CAPTCHA, visual only multifactor authentication schemes and other technologies that do not reasonably accomodate our needs. Our fear should not result in our cowering in a corner waiting for it to happen. Instead, we must become angry enough to start really doing something about it! Anger is not always a bad emotion. It is often a response to injustice, which we can choose to channel into taking positive action. As a blind community, are we up to the challenge of absolutely insisting that our need for equal accessibility be reasonably accomodated? As a blind individual, what actions will you take right now and later to ensure a brighter, more accessible future for you and your blind brothers and sisters? Don’t choose to remain in the dark one more second! Please feel free to take our poll on accessibility and provide your feedback by way of posting a comment to this article.

PhoneFactor: A Potential Answer to Accessible Two-Factor Authentication

August 19, 2007 • Darrell Shandrow Hilliker

Once again, we learn that authentication based on sight alone is not the only game in town. A company called PhoneFactor delivers a two-factor authentication scheme in which the second piece of authentication material is literally your telephone. In simple terms, here’s how it works:

  1. Supply your traditional username and password as prompted.
  2. Your telephone rings.
  3. Press the pound sign!
  4. That’s all there is to it!

The potential of this solution to deliver security while ensuring accessibility for people with disabilities simply can’t be ignored!

PayPal Security Key: Do Blind People Deserve the Same Level of Security as the Sighted?

August 18, 2007 • Darrell Shandrow Hilliker

Recently, PayPal began offering account holders the ability to use a Security Key as an additional means of protection. The Security Key is a small piece of hardware that connects to the computer’s USB port and displays a sequence of numbers that change every 30 seconds. Once the key is activated, users must supply these numbers in addition to their typical PayPal username and password in order to be granted access. No accessible version of the PayPal Security Key is offered at this time. Though the Security Key is not required, there are a couple of significant concerns.

At this time, use of the Security Key is not required in order to continue using PayPal. One may decide to avoid purchasing and activating the Security Key, while still retaining access to their account. This may seem to represent a mitigating factor, except for one dirty little truth. The availability of the Security Key to only sighted PayPal customers automatically means that blind and visually impaired customers are not afforded the same degree of security! That’s right. While the sighted may now enjoy two-factor, virtually unbreakable authentication, we blind folks are stuck with the traditional username and password approach. This inherently makes the blind more vulnerable to fraud, identity theft, loss of PayPal funds and all manner of other imaginable nastiness. Alas, that’s not all!

While the Security Key is currently an optional enhancement, we can see the day in the near future when PayPal will begin requiring use of this authentication method for all account holders. At that time, blind and visually impaired people will be completely locked out of their PayPal accounts, unless an accessible version of the Security Key is made available. When that happens, PayPal will be giving its blind customers the boot, showing them the tightly barred and locked door featuring the infamous “No Blind People Allowed” sign.

Multifactor authentication is not new to PayPal. It is rapidly extending to the web sites of many banks and other financial institutions. It is absolutely critical that we, as a blind community, begin to effectively address issues of visual CAPTCHA and multifactor authentication before we find ourselves locked out of online participation and even separated from our money! Let’s act now with respect to PayPal! We urge all of you to ask PayPal for information about their intentions toward blind and visually impaired customers with respect to the Security Key. Please post any responses from PayPal as comments to this article.