Accessibility and Usable Security

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

As explained by Erica

Accessibility and usability are important across the software industry, including security. Throughout this book we have assumed that you are able to implement any recommendations in an accessible way. This could mean setting up assistive technologies and tools, and/or using an adaptive strategy during rollout.

That is quite a big assumption to make, especially since some software security features still have a way to go before they are accessible and usable by everyone. Often, the paths users follow that involve security, like logging in with a password or using 2FA, are created without considering users with disabilities, and this has been the case for years. Back in 2000 the National Federation of the Blind sued AOL because their ATMs and online banking could only be used with the help of a sighted person. In 2012, my co-author Laura performed field research with Britta Offergeld and the Royal New Zealand Foundation of the Blind to evaluate how effective common security advice is for those with visual impairments, and they came back with a raft of improvements and possible solutions that needed to be made.

Things are slowly changing, with big software providers being held to account when they deploy features that are not accessible. For example, LastPass is one of the larger password manager software providers out there, and for years the visually impaired community has commented in forums and social media about how inaccessible their software was. In May 2021, LastPass finally released multiple accessibility features, which are a few good steps in the right direction.

This improvement does not mean that they have solved accessibility, but it does show that they now consider accessibility requirements an important part of their software.

Software is always changing, and sometimes new features that improve the user experience for some may negatively affect others. Software is also always evolving to incorporate new technology or ways of living. Accessibility, much like security, isn’t a one-and-done problem to solve. It is a key part of building good software, and it all starts from the software users sharing their feedback and voice, and the software makers prioritizing the needs of the users they serve.

This chapter highlights additional resources and experts that can help you and your employees use the security advice in this book in an accessible way. To get started, let’s define the different concepts of accessibility, usability, and inclusion.

The Accessibility Vocabulary

If you are in the software business, the accessibility of software features won’t be new to you. You may have had to answer support tickets or sales objections that relate to how well your software supports users with different accessibility needs. Otherwise, you may only be familiar with these issues if they have had a direct impact on you or those close to you.


The Web Accessibility Initiative defines Web accessibility to mean that people with disabilities “can equally perceive, understand, navigate, and interact with websites and tools.” Web usability is about “designing products to be effective, efficient, and satisfying.” These two concepts can be very closely related if usability considers users with disabilities as part of its scope.

Resources:
  • The Web Accessibility Initiative (WAI) is an effort run by the World Wide Web Consortium (W3C). If you want to dig deeper into the world of accessibility, you can take a look at their website for plenty of resources around standards, support materials, and other great content suited to you and your role.

Usable security can look like different things for different people. Accessibility breaks down into five categories:

  • Sight

  • Hearing

  • Cognitive

  • Physical

  • Speaking

Usable security can also be expanded to be inclusive of other groups, not just those with disabilities but those who are neurodiverse too. It can also include people with age-related disabilities, temporary or permanent damage from accidents, digital accessibility and knowledge gaps, and language barriers.

For those with different technical abilities and needs, a password storage solution could be a journal that is kept locked in a drawer at home to hold all their account passwords, rather than a password manager. For those living in rural locations with no cellular coverage, it could mean never opting in to SMS-based 2FA and always choosing a one-time password that can be accessed over the internet (like through Authy or your password manager).

Now that we are clear on the different accessibility and inclusion needs and how that impacts the usability of security features, let’s look at some tips around usable software.

Creating Accessible and Usable Software

Those of us who build software have a responsibility to our customers to create accessible and usable software. This includes any security features or flows that we build—like the flow users take to log in, the masking of data entered into sensitive fields, the use of CAPTCHA to stop automated bots, the 2FA options we make available, or the third-party overlay software we allow interactions with. We know our customers best, and it is up to us to make sure our software is inclusive and usable by all of them.

Including accessibility as part of your engineering practices is not just important, but also beneficial. When providing customers with security features, your aim is to reduce the number of incidents or negative security impacts your customers face and, ultimately, to help them feel that their data and their account with your software are safe. If those features can’t be used by part of your customer base because their needs and abilities were not considered, there will be a high barrier to entry and a low uptake of those features. So while you can pat yourself on the back for finally launching 2FA, the value you and your customers get from it will be lower. You can’t be surprised when you still have a high number of support tickets asking about 2FA or account takeover when the options provided are not usable.

The Web Content Accessibility Guidelines (WCAG) by W3C are the main international standard when it comes to accessibility. They cover guidelines for the four key principles of web accessibility: making your software perceivable, operable, understandable, and robust for people with different abilities. These guidelines are a great place to start, and the W3C website is chock-full of other supporting guides and resources for learning more about improving the accessibility of your software. Another great source of information is section508.gov, which stems from Section 508 of the US Rehabilitation Act. It was made to provide guidance to those who are responsible for technology accessibility and is full of advice that extends well beyond pure software development.

Next, you will want to assess where your software stands against guidelines like WCAG. The A11Y Project is a community-run, open-source effort to make web accessibility easier for software development teams. They provide checklists to help organizations assess their own WCAG compliance, as well as a list of resources if you want some additional or professional support. Their resource list also includes some tools you can use to automate your self-assessment, but we highly recommend getting help from a professional who can provide an in-depth human assessment and can consider the context and details of your customer personas.

It can be overwhelming to read through the recommendations from WCAG and figure out what needs to be done and what is most important. Getting professional support means having someone help you sort through all the advice and redesign your software development roadmap in a way that considers your goals and your users’ accessibility needs.

It can help to also be transparent about how you and your organization handle the accessibility of your software. For example, Duo, who provide a popular multi-factor authentication software product, have an accessibility page that outlines what they have done and the best products or configurations to use depending on the user’s needs. Similar to how we should strive to be transparent in how we handle data in our privacy policy, an accessibility page can help your customers understand that you aim to make an accessible and inclusive product, and will be transparent about what steps you have taken.

Let’s now look at different resources that can help you or your team build a strong accessibility foundation.

Resources to Expand Your Accessibility Expertise

I am lucky to know some fantastic people in the cybersecurity community who do a lot for accessible and usable security. One of those people is Britta Offergeld, who has spent a good part of her career working in this area and supporting others in it. Thanks to Britta, I have some great starting points, tips, and resources to share for those who need additional support getting themselves, their teams, and their businesses set up securely. Although some of the organizations and links I share might be New Zealand-specific, I will try to give you enough information so you can search for similar organizations in your local area or country.

Community Advice and Professional Help

Online or regional community groups are a great place to start when it comes to picking software or technology that best suits your abilities.

There are country-wide or regional groups that provide support to specific impairment groups, like Deaf Aotearoa (an organization that provides services to the deaf community in New Zealand) or Blind Low Vision NZ (an organization that provides services to the blind and low-vision communities in New Zealand). Groups like these may have resources or community networks they can point you to in order to get advice on software, technology, and security. They may also have assistive technology advisors or trainers on hand whom they can recommend if you want to get professional support.

There are also online community groups, such as AppleVis (a leading resource for blind and low-vision users of Apple products) and various subreddits on Reddit. Sharing experiences and getting advice directly from others with similar abilities is the best way to get support. In this book we can recommend the different accounts that you should keep protected in your password manager and how you can use it effectively with your team; these communities can help you find the password manager that works best with any assistive technology or strategies you use.

Another way to get support is to ask a professional. Assistive technology advisors and trainers are professionals who specialize in helping those with disabilities. If you can’t find these advisors and trainers through your country or regional groups, you can check out directories like the member directory for the Assistive Technology Industry Association (ATIA). Their members provide a range of different support services, including support for assistive technology and tools.

We have collected the resources we went through above, as well as a few others recommended by me and by accessibility experts. We aim to keep this section updated and growing, and if there are any resources that have been valuable to you in the past, we would love to hear about them.

Resources:

Further readings on community groups:

Further readings on accessibility guidelines and checklists:

Further readings on professional support:
