Blind Users and Online Security
INSERT PROFESSOR NAME AND CLASS NAME HERE!
Why is online security important to blind people?
People who are blind may have trouble with transportation, so they often shop and purchase items online to be delivered to their workplaces or homes
Paper bills in the mail are a hassle for blind users; they greatly prefer to receive and pay all statements and bills online
So online security is VERY IMPORTANT to blind users
Introduction
People with low vision may use screen magnification, but people with no residual vision rely on audio or tactile output
Screen reader software (e.g. Window-Eyes or JAWS) costs under $1000 and can be used by anyone with hearing
Refreshable braille displays cost thousands of dollars and only an estimated 10-20% of blind Americans can read Braille.
Audio output and security
Because of those facts, audio is the primary method of output for blind users, so privacy can be a concern
You don’t want other people to hear your personal information (login, password, credit card number, etc.) when they are passing by
If it’s for an edit field that won’t appear visually (e.g. stars show up when you type in a password), then the data also won’t appear in audio output
Use of headsets by blind users
This poses a problem: you need to hear audio confirmation to ensure that what you are typing is correct, but you don’t want others to hear it
Often, blind users will utilize headsets on their desktop computer or laptop, or use headsets when they want to perform sensitive tasks
This is also true on kiosks and ATMs
Consider ATM machines
Many ATM machines will have different layouts, so blind users aren’t always 100% sure of the input or output; they need verification
Blind users don’t want to share their passwords with anyone else
But audio output could lead to security or privacy breaches (your password and current balance are no one’s business!)
Even ATM machines now have headset jacks so that blind users can have privacy
(Manzke et al. 1998)
Common forms of authentication
Passwords
Security questions
Human interaction proofs
Biometrics
Passwords
Blind users can utilize passwords just like any other users
Because blind users have no trouble typing, it’s unlikely that they would use shorter-than-normal passwords (as people with motor impairments may use)
But password fields need to be non-showing (with asterisks) so that others can’t walk by and see/hear the passwords
Security Questions
Blind users are not expected to have any problems with security questions
Security questions such as:
What was the first school you attended?
What is your favorite sports team?
What city were you born in?
As long as others can’t see/hear the responses, there are no security-related problems
Human interaction proofs
Blind users DO tend to have problems with various forms of human interaction proofs
There is a body of literature on this issue
A human-interaction proof is a tool to determine the difference between a human user and an automated software bot or virus
Human Interaction Proofs (HIP)
The most common type of HIP is known as a CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart)
About HIPs/CAPTCHAs
CAPTCHAs (a type of HIP created at Carnegie-Mellon Univ.) provide text that is distorted (www.recaptcha.net)
The idea is that a human could see through the distortion, but image recognition software (from a bot or virus) could not understand the text
The human user is required to enter the text correctly to move onto the next step of the interface or web site
About HIPs/CAPTCHAs
People without any impairments may have problems with solving visual CAPTCHAs, but blind people cannot solve any visual CAPTCHAs
While the distortion is needed to make the HIP secure, it causes problems for most people, regardless of impairment
Human interaction proofs often become tests of vision quality, NOT who is a human
Audio HIPs
Visual HIPs (such as CAPTCHAs) are inherently inaccessible for blind users
So developers have worked on building audio HIPs
These audio HIPs often include letters and numbers, or words, using computer synthesized speech, with lots of background distortion
The audio HIP is a separate track, a separate tool from a visual HIP
Audio HIPs
Audio HIPs, even though they technically may work for blind users, tend to have low success rates
A large amount of distortion must be added to the audio clips so that automated tools can’t easily identify them
This makes the audio HIPs very hard to solve
Audio HIPs
There are also usability issues in the way that audio HIPs are presented
For instance, while an audio clip is being played, there may be background sounds from the screen reader
Also, the user has to quickly move to the edit box and try and remember all of the letters and numbers that they heard
Audio HIPs typically have only 40-50% success rates among blind users
(Sauer et al., 2009; Bigham et al., 2009)
Audio HIPs
Bigham et al. (2009) found that if you change the way that the audio clip is presented on the screen (e.g. allow the user to start and stop the clip in the middle) but keep the same audio clip, their users’ success rate increased from 42% to 68%
While 68% is an improvement, it’s still not the 90% human success rate that is the goal of human interaction proofs
New approaches to HIPs
The concept of a HIP is important, and needed, and will be needed for a while
Even though HIPs only stop approx. 1/3 of viruses and bots, they will continue to be used
It’s important to create more accessible HIPs that work for users with impairments, especially blind users
HIPUU: A New Approach
A team of researchers at Towson University created HIPUU (Human Interaction Proof, Universally Usable)
HIPUU consists of pairs of non-textual images and sounds
Rather than using distortion, HIPUU uses pictures/sounds that are easy for humans to recognize, but harder for image and speech recognition to recognize
The goal is to build a HIP that all can use
HIPUU: A New Approach
The image/sound combinations include animals, weather, musical instruments, and other sounds
Example: humans are much better than computers at recognizing the many different sounds a dog makes
Humans can choose either the image, the sound clip, or both, and then enter the textual description of the object
Recent version of HIPUU
Users receive different combinations each time
Easier to remember and type in, compared to random text strings
Free-text entry
3 or 4 objects
Spelling errors and synonyms are allowed (using standard InfoSci techniques)
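One way the tolerant free-text check described above could work, as an added example that is not HIPUU's own code. The slides do not name the "standard InfoSci techniques", so Levenshtein edit distance and a synonym table are assumptions here, as are the sample labels, the per-length typo thresholds and the rule that answers are given in challenge order.

```python
# Added illustration: tolerant answer checking for an image/sound HIP.
# The synonym table and thresholds below are assumptions, not HIPUU data.

SYNONYMS = {  # constructed sample data: object label -> accepted words
    "dog": {"dog", "puppy", "hound"},
    "thunder": {"thunder", "thunderstorm", "storm"},
    "piano": {"piano", "keyboard"},
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def matches(answer, label):
    """True if the typed answer names the object, allowing small typos."""
    word = answer.strip().lower()
    if not word:
        return False
    for accepted in SYNONYMS[label]:
        # Short words must match exactly so that tolerance does not make
        # unrelated short guesses pass; longer words allow 1 or 2 typos.
        allowed = 0 if len(accepted) <= 3 else (1 if len(accepted) <= 6 else 2)
        if edit_distance(word, accepted) <= allowed:
            return True
    return False

def verify_challenge(labels, answers):
    """Pass only if every object in the challenge is named, in order."""
    if len(labels) != len(answers):
        return False
    return all(matches(a, l) for a, l in zip(answers, labels))
```

Requiring exact matches for short words limits how far the tolerance enlarges the set of answers a guessing bot can hit.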
Current research on HIPUU
Both blind and visual users had over 90% success rate
Users reported high levels of satisfaction
The free-text entry was found to be superior to previous research with pull-down menus
The HIPUU interface has also been evaluated for security and robustness
Evaluation still needs to be done with deaf users and users with spinal cord injuries
Biometrics
Biometrics, in general, should work for blind people as well as it works for people with full vision
Fingerprints and voice recognition are no problem; however, the system will need to provide accessible prompts to blind users on what to say, or where to place their finger
Iris/retina scanning: not effective for most blind users, since they may have a glass eye, eyelids unable to open, or there may be deformities or atrophy in the eyes
How do blind users enter private data?
If there are multiple fields that must be entered for authentication (such as login, password, and security question), understand that blind users will be tabbing through those fields, NOT using a mouse (Murphy et al. 2008)
Sometimes, blind users can be unsure if they are entering their data in the correct edit box (Murphy et al. 2008)
Entering private data
Make sure that all form fields are properly labeled and the tabbing order is properly noted (Lazar et al. 2007)
Blind users tend to feel apprehensive about entering credit card data into a web site, since it is often hard to determine whether a site is secure or credible through audio means (Holman et al., 2008; Murphy et al. 2008)
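A small audit for the labeling and tab-order advice above, which also checks the masked password field from the Passwords slide. This is an added example, not from the original slides; the sample form is constructed, and treating any field whose name contains "pass" as a password field is an assumption.

```python
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Collect labelling and tab-order facts from a form (added example)."""
    def __init__(self):
        super().__init__()
        self.label_targets = set()  # ids referenced by <label for="...">
        self.label_depth = 0        # > 0 while inside a wrapping <label>
        self.fields = []            # (name, id, labelled_inline, type)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self.label_depth += 1
            if a.get("for"):
                self.label_targets.add(a["for"])
        tabindex = a.get("tabindex") or ""
        if tabindex.isdigit() and int(tabindex) > 0:
            # A positive tabindex pulls the element out of document order.
            self.findings.append(f"{tag} tabindex={tabindex} overrides tab order")
        ftype = a.get("type") or "text"
        if tag in ("input", "select", "textarea") and ftype not in ("hidden", "submit"):
            inline = bool(a.get("aria-label") or a.get("aria-labelledby")) or self.label_depth > 0
            self.fields.append((a.get("name") or a.get("id") or "?", a.get("id"), inline, ftype))

    def handle_endtag(self, tag):
        if tag == "label" and self.label_depth:
            self.label_depth -= 1

def audit(html):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = FormAudit()
    p.feed(html)
    p.close()
    for name, fid, inline, ftype in p.fields:
        if not inline and fid not in p.label_targets:
            p.findings.append(f"field '{name}' has no accessible label")
        # Heuristic (assumption): a field named like a password must be masked.
        if "pass" in name.lower() and ftype != "password":
            p.findings.append(f"field '{name}' is not masked (type={ftype})")
    return p.findings

# Constructed sample login form, not taken from any real site.
SAMPLE = """<form>
  <label for="user">Login</label> <input id="user" name="user" tabindex="3">
  <input name="password" type="text" placeholder="Password" tabindex="1">
  <label>Security answer <input name="answer"></label>
</form>"""
```

A placeholder attribute is deliberately not counted as a label here, and the audit complements rather than replaces testing with an actual screen reader.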
Entering private data
In extreme circumstances, when blind users are having trouble understanding the navigation scheme on the web page, they may close the browser and re-launch, to find what they are looking for (Murphy et al. 2008)
While they could ask other humans for help, they don’t want to share private information
Calling a phone number for help is an absolute last resort
Assistive Technology isn’t perfect!
Consider that there are often conflicts between various assistive technologies and operating systems, software applications, and web sites (Harris, 2006)
Screen readers are well-known to have conflicts and crashes (Lazar et al. 2007)
You may need to provide alternate methods for attempting a task
Are login screens the worst part?
Some studies have noted that login screens on online learning software, and on social networking sites, are not accessible for blind users (Meiselwitz and Lazar, 2009)
There is often the argument that, if a login page isn’t accessible, it is meaningless if the rest of the site is, because blind users won’t be able to get to those portions of the web site.
However, an inaccessible login page doesn’t necessarily mean that the entire site is inaccessible.
Anti-virus software
To some extent, blind users are more susceptible to viruses and spyware
As previously mentioned, it’s hard to get a computer setup working 100% properly with assistive technology, so once it’s working properly, people are less likely to upgrade other software components
This means that anti-virus software isn’t always updated and software patches aren’t always installed (Holman et al., 2008)
Anti-virus software
The truth is that sometimes, the security companies are to blame
There have been multiple reports saying that newer versions of certain anti-virus software are inaccessible, so blind users may not update to newer versions
Also, all of the various features and widgets on a screen, which may provide useful information on credibility or security of a web site, are not always available to screen readers
Software is not always up-to-date
Because all of the same contextual information on a screen isn’t available to blind users, they may download items that they shouldn’t, or not be aware of updated patches that they need, or they may not receive warning messages
Or newer, more secure versions of software may not be installed, because there are compatibility problems
Anti-spam software
Spam e-mail is also a problem for blind users
Inappropriate spam e-mail can be embarrassing when read out loud
There is also a large time cost in listening to lots of spam e-mail.
Most blind users tend to use spam filters and have very high levels of filtering (Wentz et al. 2010, and Lazar et al. 2005)
There are many e-mails that do not reach blind users because they are caught by spam filtering
Other security-related concerns
Automatic time-outs (where, after a certain period of inactivity, the user is logged out) can sometimes be a problem
Blind users need to be given accessible notification that without further activity, they will automatically be logged out
The problem isn’t that blind users take any longer (in fact, there is evidence to the contrary), but that the notification of time left until auto-logout may not be accessible
Suggestions for designers
Make sure that all security-related features are accessible
Test all security-related features with screen readers
Make sure that notifications on the screen will be read by screen readers
Involve blind users in the development process