Broken Access: On the Challenges of Screen Reader Assisted Two-Factor and Passwordless Authentication
Track: Security and privacy
Keywords: Screen Reader Assisted Authentication, 2FA/MFA Accessibility, Blind User Security, Accessible Authentication Vulnerabilities
Abstract: In today's technology-driven world, web services have opened up new opportunities for blind and visually impaired people to interact independently. Securing interactions with these services is crucial; however, currently deployed methods of web authentication mainly concentrate on sighted users, overlooking the specific needs of the blind and visually impaired community. In this paper, we address this critical gap by investigating the security and accessibility aspects of these web authentication methods when adopted by blind and visually impaired users. We model web authentication for such users as screen reader assisted authentication and introduce an evaluation framework called Authentication Workflows Accessibility Review and Evaluation (AWARE). Using AWARE, we then systematically assessed popular PC-based and smartphone-based screen readers against different types of deployed web authentication methods, including variants of 2FA and passwordless schemes, to simulate real-world scenarios for blind and visually impaired individuals. We analyzed these screen reader assisted authentication interactions with authentication methods in three settings: using a terminal (PC) with screen readers, a combination of the terminal (PC) and smartphone with screen readers, and smartphones with integrated screen readers. The results of our study underscore significant weaknesses in all of our observed screen reader assisted authentication scenarios for real-life authentication methods. These weaknesses, encompassing specific accessibility issues caused by imprecise screen reader instructions, highlight the vulnerability of the observed scenarios to both real-world and research-literature-based attacks, including phishing, concurrency, fatigue, cross-service, and shoulder surfing.
Broadly, authentication system designers can use our AWARE framework as a precursor to user studies, which are typically time-consuming and tedious to perform. The framework independently allows security and accessibility problems to be uncovered early, so that designers can address them prior to full-fledged user testing of more isolated issues.
Submission Number: 1209