Making FIDO Deployments Accessible to
Users with Disabilities
Yao Ding, Meta
Joyce Oshita, VMware
FIDO Consumer Deployment Working Group (CDWG), Chaired by Max Hata, NTT DOCOMO
Dec 15, 2022
2 © FIDO Alliance 2022
Adding a security key with a screen reader
Agenda
01 Why Accessibility Matters
02 Screen Reader Demo
03 Potential Barriers in Authentication for Users with Disabilities
04 Legal Framework for Accessible Authentication
05 Current Models of Accessible FIDO Authentication
06 Q&A
Why Accessibility Matters?
16%
World’s population experience significant disability.
Source: World Health Organization
1.3 billion
World’s population experience significant disability.
Source: World Health Organization
1 in 6
World’s population experience significant disability.
Source: World Health Organization
Disability is a mismatch between
the person and their environment.
Cognitive & Learning
· Difficulty reading
· Difficulty writing
· Memory loss
· Following plans
· Staying focused
· Mental disorders
· Neurodivergence
Speech & Language
· Speech loss
· Speaking loud enough
· Being understood
· Focusing on speaker
· Understanding language
Physical
· Limb loss
· Weakness
· Limited reach
· Tremor or Palsy
· Holding things steadily
· Getting tired quickly
Vision
· Blindness
· Low vision
· Visual field loss
· Color blindness
· Loss of depth perception
Hearing
· Deafness
· Muffled sounds
· Hearing with one ear
· Other sounds get in the way
Assistive Technology
Cognitive & Learning
· Spelling Check
· Grammar Check
· Simplified Language
· Simplified Workflow
· Less Visual Density
· Prompts
· Notifications
Speech & Language
· AAC Device / Software
· Speech Synthesis
Physical
· Switches & Sensors
· Keyboards
· Alternative Input Devices
· Voice Control
· Macros/Shortcuts
· Eye-Gaze
Vision
· Font Resizing
· Magnification
· High Contrast
· Color Filters
· Shapes & Symbols
· Screen Readers
· Text-to-Speech
· Audio Description
Hearing
· Real-Time Text
· Sound Amplification
· Mono Audio
· Captions
· Visual alerts
· Text chat
· Video Calling (ASL)
Screen Reader Demo by Joyce
Navigating with a screen reader
Accessible form
Accessible FIDO ceremony
Potential Access Barriers in Authentication
Visual
· Entering password if UI is not fully accessible (e.g. missing labels, not
keyboard controllable)
· Vulnerable to shoulder-surfing or peeping
· Eye conditions (e.g. cataracts, macular degeneration) affecting iris or
retinal recognition
· Positioning for facial recognition
· Reading a one-time code on a small, non-backlit display
Physical
· Any method that relies on moving a mouse, pen, or finger steadily
· Reaching or accurately targeting small security keys or keys with
small or depressed active touch areas
· Typing on a keyboard, drawing a pattern
· Manipulating a token, inserting a security key
· Longer transaction time – susceptible to shoulder surfing or peeping
· Biometric scan due to loss of physiological characteristics (e.g. digit
amputation, disease preventing development of fingerprints)
· Fingerprint scan due to dry skin
Cognitive & Learning
· Remembering passwords / challenge-response / pattern gestures
· Understanding and following multiple steps of setting up / changing
passwords
· Having issues with social judgement, gullibility, a lack of awareness –
susceptible to fraud and exploitation
Hearing
· Challenge-response where challenge is presented in audio form
· Voice/speaker recognition
Speech & Language
· Voice/speaker recognition
Mapping Between Auth Methods & Disabilities
Legal Framework for Accessible Authentication
27%* of the constitutions of the 193 UN member states guarantee equality or nondiscrimination on the basis of disability.
* Derived from data obtained from World Policy Analysis Center.
Global Accessibility Laws
Disability Rights Laws
· Americans with Disabilities Act
· European Accessibility Act
· Accessible Canada Act
· …
Public Procurement Standards
· Section 508 of the Rehabilitation Act
· EN 301 549
WCAG
Web Content Accessibility Guidelines
* Widely adopted / referenced
* Adapted to cover various forms thanks to
its technology-agnostic language
Baking In Accessibility
Maintain
Ship
Validate
Develop
Design
Plan
A11y User Research
Gather User Feedback
A11y Backlog Review
A11y Audit
Product Reqs Doc
A11y Design Specs
UX/UI Mocks
A11y Design Systems
PwD User Stories
QA Testing
A11y Framework &
Components
Research Validation
User Studies
Internal Testing
A11y Expert Review
A11y Readiness Review
A11y QA Smoke Test
A11y User Support
A11y Bug Report
WCAG 3.3.7 Accessible Authentication
· New guideline proposed for WCAG 2.2
A cognitive function test (such as remembering a password or solving a puzzle) is not required for any
step in an authentication process unless that step provides at least one of the following:
• Alternative – another authentication method that does not rely on a cognitive function test
• Mechanism – a mechanism is available to assist the user in completing the cognitive function test
• Object Recognition – the cognitive function test is to recognize objects
• Personal Content – the cognitive function test is to identify non-text content the user provided
Cognitive function test: a task that requires the user to remember, manipulate, or transcribe information.
· Examples of sufficient techniques
  · Allow for password managers
  · Allow for copying/pasting passwords
  · Email link authentication
  · Use WebAuthn
  · Use OAuth
  · Use two techniques to provide 2FA
Current Models of Accessible FIDO Authentication
Accessible Deployment of WebAuthn and UAF
WebAuthn – Responsibility Model & Accessible Deployment
Users: Users choose user agents supporting authenticators they are able to use.
User Agents: User agent developers ensure compatibility between user agents and WebAuthn.
RP’s Apps incl. Auth: RPs ensure applications are compatible with user agents that support WebAuthn.
· RPs create accessible UX.
· RPs conform to WCAG 3.3.7.
· When providing hardware, RPs enable users to choose authenticators accessible to them.
· If no option is accessible, provide alternative authentication means.
UAF – Responsibility Model & Accessible Deployment
RPs should adopt the following recommendations for UAF policy control:
1. Mobile apps should always allow phone-unlocking authentication as an option.
2. Mobile apps should allow silent authentication as much as is feasible.
3. Phone-unlocking authentication should be allowed as a fallback/substitute for less secure
modalities.
4. When the mobile app requires one biometric authentication, the mobile app must provide two or
more biometric options requiring different physiological characteristics.
5. When the mobile app requires more than one (N) biometric authentication modality, the mobile
app must provide at least N+1 biometric options requiring different physiological characteristics.
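One way an RP could lint an app's authentication policy against the five recommendations above. This is an added example, not code from the presenters or the FIDO Alliance; the policy shape (`requiredBiometrics`, `phoneUnlockFallback`, `modalities`, `kind`, `characteristic`) and the functions `checkUafPolicy` and `failedRules` are hypothetical, and the sample policies are constructed.

```javascript
"use strict";

// Hypothetical policy shape (an assumption of this example, not a UAF structure):
//   requiredBiometrics   N, how many biometric modalities the app demands
//   phoneUnlockFallback  true if phone unlock may substitute for a less secure modality
//   modalities           [{ id, kind: "biometric" | "phone-unlock" | "silent",
//                           characteristic }]  (characteristic only for biometrics)

function checkUafPolicy(policy) {
  const findings = [];
  const modalities = policy.modalities || [];
  const kinds = new Set(modalities.map((m) => m.kind));
  const n = policy.requiredBiometrics || 0;

  if (!kinds.has("phone-unlock")) {
    // Recommendation 1: phone-unlocking authentication is always an option.
    findings.push({ rule: 1, level: "fail",
      message: "phone-unlocking authentication is not offered as an option" });
  } else if (policy.phoneUnlockFallback !== true) {
    // Recommendation 3: phone unlock may substitute for less secure modalities.
    findings.push({ rule: 3, level: "fail",
      message: "phone unlock is offered but not allowed as a fallback" });
  }

  // Recommendation 2: "as much as is feasible" cannot be decided mechanically,
  // so a missing silent modality is flagged for human review, not failed.
  if (!kinds.has("silent")) {
    findings.push({ rule: 2, level: "review",
      message: "no silent authentication path; confirm it is not feasible" });
  }

  // Recommendations 4 and 5: requiring N biometrics needs at least N+1 options
  // that depend on different physiological characteristics. Two sensors that
  // read the same characteristic (two fingerprint readers) count once.
  if (n >= 1) {
    const characteristics = new Set(
      modalities
        .filter((m) => m.kind === "biometric" && typeof m.characteristic === "string")
        .map((m) => m.characteristic.toLowerCase())
    );
    if (characteristics.size < n + 1) {
      findings.push({ rule: n === 1 ? 4 : 5, level: "fail",
        message: `requires ${n} biometric(s) but offers ${characteristics.size} ` +
                 `distinct characteristic(s); at least ${n + 1} are needed` });
    }
  }
  return findings;
}

// Rule numbers that failed outright, in ascending order.
function failedRules(policy) {
  return checkUafPolicy(policy)
    .filter((f) => f.level === "fail")
    .map((f) => f.rule)
    .sort((a, b) => a - b);
}

// Constructed sample: meets all five recommendations.
const compliantPolicy = {
  requiredBiometrics: 1,
  phoneUnlockFallback: true,
  modalities: [
    { id: "fingerprint", kind: "biometric", characteristic: "finger" },
    { id: "face", kind: "biometric", characteristic: "face" },
    { id: "device-unlock", kind: "phone-unlock" },
    { id: "silent", kind: "silent" },
  ],
};

// Constructed sample: demands two biometrics but only two characteristics exist,
// so a user who cannot present one of them has no way through.
const narrowPolicy = {
  requiredBiometrics: 2,
  phoneUnlockFallback: false,
  modalities: [
    { id: "fingerprint-front", kind: "biometric", characteristic: "finger" },
    { id: "fingerprint-rear", kind: "biometric", characteristic: "finger" },
    { id: "face", kind: "biometric", characteristic: "face" },
  ],
};

for (const f of checkUafPolicy(narrowPolicy)) {
  console.log(`recommendation ${f.rule} [${f.level}]: ${f.message}`);
}
```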
Principles of Deploying Accessible Authentications
Principle #1: RPs should design and implement authentication user
interfaces and training materials to meet WCAG (Web Content
Accessibility Guidelines) Level AA. Conduct user testing with users
with various types and degrees of disabilities.
Rationale: RPs can make user interfaces before, during, and after the authentication
process more accessible by meeting WCAG Level AA and by engaging users with
disabilities in user testing.
Principle #2: When implementing WebAuthn, RPs should not
discriminate based on authentication modalities. Non-discriminating
WebAuthn would automatically pass WCAG 3.3.7 Accessible
Authentication.
Rationale: As described in the WebAuthn Responsibility Model, the onus is on end
users to choose user agents with authenticators they are able to use, and the onus is
on user agent developers and WebAuthn working group to ensure compatibility
between user agents and WebAuthn. An RP’s responsibility in implementing
WebAuthn is to ensure WebAuthn does not discriminate based on authentication
modalities.
Principle #3: When implementing UAF, RPs should comply with the
guidelines described in the UAF Responsibility Model.
Rationale: RPs are able to choose which authentication modalities are provided via
UAF and allow users to choose modalities. Given the extra flexibility, RPs should take
some important factors into consideration, including the use of a phone-unlocking
authenticator as a fallback, the use of silent authentication, and requiring one or more
than one modality of biometric authentication.
FIDO UI Kit
Accessible components
· Accordion
· Animations
· Buttons
· Checkbox
· Form Fields
· Iconography
· Illustrations
· Journeys
Call to Action
· Start the conversation
· Test accessibility by experts
· Test accessibility with users with disabilities
· Refer to the White Paper
  · Legal framework for accessible authentication
  · Accessible deployment of WebAuthn and UAF
· Accessibility training
  · IAAP (International Association of Accessibility Professionals)
  · Section 508 Trusted Tester
  · W3C Accessibility Training Resources
Thank You!

More Related Content

Similar to Making FIDO Deployments Accessible for All Users

1ID2-KeyBank-CapitalOne.pptx
1ID2-KeyBank-CapitalOne.pptx1ID2-KeyBank-CapitalOne.pptx
1ID2-KeyBank-CapitalOne.pptxssuserc1c6091
 
BYOD - What Every CFO Needs To Know
BYOD - What Every CFO Needs To KnowBYOD - What Every CFO Needs To Know
BYOD - What Every CFO Needs To KnowKirill Bensonoff
 
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.comConsumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.comFIDO Alliance
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressFIDO Alliance
 
Development of a Multi-eID access control system.
Development of a Multi-eID access control system.   Development of a Multi-eID access control system.
Development of a Multi-eID access control system. ePractice.eu
 
Internet of Everything for Marketers
Internet of Everything for MarketersInternet of Everything for Marketers
Internet of Everything for MarketersRashish Pandey
 
Forms for All: Building Accessibility into UiPath App Design
Forms for All: Building Accessibility into UiPath App DesignForms for All: Building Accessibility into UiPath App Design
Forms for All: Building Accessibility into UiPath App DesignDianaGray10
 
Hitting a moving target: achieving mobile inclusion
Hitting a moving target: achieving mobile inclusionHitting a moving target: achieving mobile inclusion
Hitting a moving target: achieving mobile inclusionJon Gibbins
 
2019 FIDO Seoul Seminar - Moving Beyond Passwords
2019 FIDO Seoul Seminar - Moving Beyond Passwords2019 FIDO Seoul Seminar - Moving Beyond Passwords
2019 FIDO Seoul Seminar - Moving Beyond PasswordsFIDO Alliance
 
FIDO Alliance Webinar: Intuit's Journey with FIDO Authentication
FIDO Alliance Webinar: Intuit's Journey with FIDO AuthenticationFIDO Alliance Webinar: Intuit's Journey with FIDO Authentication
FIDO Alliance Webinar: Intuit's Journey with FIDO AuthenticationFIDO Alliance
 
IRJET - BI: Blockchain in Insurance
IRJET -  	  BI: Blockchain in InsuranceIRJET -  	  BI: Blockchain in Insurance
IRJET - BI: Blockchain in InsuranceIRJET Journal
 
Accessibility 101 for Financial Institutions
Accessibility 101 for Financial Institutions Accessibility 101 for Financial Institutions
Accessibility 101 for Financial Institutions 3Play Media
 
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO Alliance
 
Augmate connect_Deck
Augmate connect_DeckAugmate connect_Deck
Augmate connect_DeckEtheralabs
 
Augmate connect deck
Augmate connect deckAugmate connect deck
Augmate connect deckEtheralabs
 
Wp byod
Wp byodWp byod
Wp byodJ
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO AllianceFIDO Alliance
 

Similar to Making FIDO Deployments Accessible for All Users (20)

1ID2-KeyBank-CapitalOne.pptx
1ID2-KeyBank-CapitalOne.pptx1ID2-KeyBank-CapitalOne.pptx
1ID2-KeyBank-CapitalOne.pptx
 
BYOD - What Every CFO Needs To Know
BYOD - What Every CFO Needs To KnowBYOD - What Every CFO Needs To Know
BYOD - What Every CFO Needs To Know
 
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.comConsumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome Address
 
Development of a Multi-eID access control system.
Development of a Multi-eID access control system.   Development of a Multi-eID access control system.
Development of a Multi-eID access control system.
 
Internet of Everything for Marketers
Internet of Everything for MarketersInternet of Everything for Marketers
Internet of Everything for Marketers
 
Forms for All: Building Accessibility into UiPath App Design
Forms for All: Building Accessibility into UiPath App DesignForms for All: Building Accessibility into UiPath App Design
Forms for All: Building Accessibility into UiPath App Design
 
Hitting a moving target: achieving mobile inclusion
Hitting a moving target: achieving mobile inclusionHitting a moving target: achieving mobile inclusion
Hitting a moving target: achieving mobile inclusion
 
2019 FIDO Seoul Seminar - Moving Beyond Passwords
2019 FIDO Seoul Seminar - Moving Beyond Passwords2019 FIDO Seoul Seminar - Moving Beyond Passwords
2019 FIDO Seoul Seminar - Moving Beyond Passwords
 
Portable Biometrics (1)
Portable Biometrics (1)Portable Biometrics (1)
Portable Biometrics (1)
 
FIDO Alliance Webinar: Intuit's Journey with FIDO Authentication
FIDO Alliance Webinar: Intuit's Journey with FIDO AuthenticationFIDO Alliance Webinar: Intuit's Journey with FIDO Authentication
FIDO Alliance Webinar: Intuit's Journey with FIDO Authentication
 
Challenges with VPATs
Challenges with VPATsChallenges with VPATs
Challenges with VPATs
 
Startup InsurTech Award - iCede
Startup InsurTech Award - iCedeStartup InsurTech Award - iCede
Startup InsurTech Award - iCede
 
IRJET - BI: Blockchain in Insurance
IRJET -  	  BI: Blockchain in InsuranceIRJET -  	  BI: Blockchain in Insurance
IRJET - BI: Blockchain in Insurance
 
Accessibility 101 for Financial Institutions
Accessibility 101 for Financial Institutions Accessibility 101 for Financial Institutions
Accessibility 101 for Financial Institutions
 
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
 
Augmate connect_Deck
Augmate connect_DeckAugmate connect_Deck
Augmate connect_Deck
 
Augmate connect deck
Augmate connect deckAugmate connect deck
Augmate connect deck
 
Wp byod
Wp byodWp byod
Wp byod
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO Alliance
 

More from FIDO Alliance

Welcome and FIDO Update.pptx
Welcome and FIDO Update.pptxWelcome and FIDO Update.pptx
Welcome and FIDO Update.pptxFIDO Alliance
 
CISA - More Than A Password.pptx
CISA - More Than A Password.pptxCISA - More Than A Password.pptx
CISA - More Than A Password.pptxFIDO Alliance
 
Workshop-Demo Breakdown.pptx
Workshop-Demo Breakdown.pptxWorkshop-Demo Breakdown.pptx
Workshop-Demo Breakdown.pptxFIDO Alliance
 
IBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxIBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...
OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...
OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...FIDO Alliance
 
Solving the IoT Challenge
Solving the IoT ChallengeSolving the IoT Challenge
Solving the IoT ChallengeFIDO Alliance
 
FIDO: The Value of Certification
FIDO: The Value of CertificationFIDO: The Value of Certification
FIDO: The Value of CertificationFIDO Alliance
 
The State of Strong Authentication
The State of Strong AuthenticationThe State of Strong Authentication
The State of Strong AuthenticationFIDO Alliance
 
Webinar: Considerations for Deploying FIDO in the Enterprise
Webinar: Considerations for Deploying FIDO in the EnterpriseWebinar: Considerations for Deploying FIDO in the Enterprise
Webinar: Considerations for Deploying FIDO in the EnterpriseFIDO Alliance
 
Ask FIDO About Anything: Certification
Ask FIDO About Anything: CertificationAsk FIDO About Anything: Certification
Ask FIDO About Anything: CertificationFIDO Alliance
 

More from FIDO Alliance (11)

Welcome and FIDO Update.pptx
Welcome and FIDO Update.pptxWelcome and FIDO Update.pptx
Welcome and FIDO Update.pptx
 
CISA - More Than A Password.pptx
CISA - More Than A Password.pptxCISA - More Than A Password.pptx
CISA - More Than A Password.pptx
 
Workshop-Demo Breakdown.pptx
Workshop-Demo Breakdown.pptxWorkshop-Demo Breakdown.pptx
Workshop-Demo Breakdown.pptx
 
IBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxIBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptx
 
OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...
OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...
OTIS - Our Journey to Passwordless: Secure Authn & Frictionless User Experien...
 
Solving the IoT Challenge
Solving the IoT ChallengeSolving the IoT Challenge
Solving the IoT Challenge
 
FIDO Masterclass
FIDO MasterclassFIDO Masterclass
FIDO Masterclass
 
FIDO: The Value of Certification
FIDO: The Value of CertificationFIDO: The Value of Certification
FIDO: The Value of Certification
 
The State of Strong Authentication
The State of Strong AuthenticationThe State of Strong Authentication
The State of Strong Authentication
 
Webinar: Considerations for Deploying FIDO in the Enterprise
Webinar: Considerations for Deploying FIDO in the EnterpriseWebinar: Considerations for Deploying FIDO in the Enterprise
Webinar: Considerations for Deploying FIDO in the Enterprise
 
Ask FIDO About Anything: Certification
Ask FIDO About Anything: CertificationAsk FIDO About Anything: Certification
Ask FIDO About Anything: Certification
 

Recently uploaded

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Making FIDO Deployments Accessible for All Users

  • 1. Making FIDO Deployments Accessible to Users with Disabilities Yao Ding, Meta Joyce Oshita, Vmware FIDO Consumer Deployment Working Group (CDWG), Chaired by Max Hata, NTT DOCOMO Dec 15, 2022
  • 2. 2 © FIDO Alliance 2022 Adding a security key with a screen reader
  • 3. 3 © FIDO Alliance 2022 Agenda 01 Why Accessibility Matters 02 Screen Reader Demo 03 Potential Barriers in Authentication for Users with Disabilities 04 Legal Framework for Accessible Authentication 05 Current Models of Accessible FIDO Authentication 06 Q&A
  • 4. 4 © FIDO Alliance 2022 4 © FIDO Alliance 2021 Why Accessibility Matters?
  • 5. 5 © FIDO Alliance 2022 16% World’s population experience significant disability. Source: World Health Organization
  • 6. 6 © FIDO Alliance 2022 1.3 billion World’s population experience significant disability. Source: World Health Organization
  • 7. 7 © FIDO Alliance 2022 1 in 6 World’s population experience significant disability. Source: World Health Organization
  • 8. 8 © FIDO Alliance 2022 Disability is a mismatch between the person and their environment.
  • 9. 9 © FIDO Alliance 2022 Cognitive & Learning Difficultyreading Difficultywriting Memory loss Following plans Staying focused Mental disorders Neurodivergence Speech & Language Speech loss Speaking loud enough Being understood Focusing on speaker Understanding language Physical Limb loss Weakness Limited reach Tremor or Palsy Holding things steadily Getting tired quickly Vision Blindness Low vision Visual field loss Color blindness Loss of depth perception Hearing Deafness Muffled sounds Hearing with one ear Other sounds get in the way
  • 10. 10 © FIDO Alliance 2022 Cognitive & Learning Spelling Check Grammar Check Simplified Language Simplified Workflow Less Visual Density Prompts Notifications Speech & Language AAC Device / Software Speech Synthesis Physical Switches & Sensors Keyboards Alternative Input Devices Voice Control Macros/Shortcuts Eye-Gaze Vision Font Resizing Magnification High Contrast Color Filters Shapes & Symbols Screen Readers Text-to-Speech Audio Description Hearing Real-Time Text Sound Amplification Mono Audio Captions Visual alerts Text chat Video Calling (ASL) Assistive Technology
  • 11. 11 © FIDO Alliance 2022 11 © FIDO Alliance 2021 Screen Reader Demo by Joyce
  • 12. 12 © FIDO Alliance 2022
  • 13. 13 © FIDO Alliance 2022 Navigating with a screen reader
  • 14. 14 © FIDO Alliance 2022 Accessible form
  • 15. 15 © FIDO Alliance 2022 Accessible FIDO ceremony
  • 16. Potential Access Barriers in Authentication
  • 17. Visual
      · Entering password if UI is not fully accessible (e.g. missing labels, not keyboard controllable)
      · Vulnerable to shoulder-surfing or peeping
      · Eye conditions (e.g. cataracts, macular degeneration) affecting iris or retinal recognition
      · Positioning for facial recognition
      · Reading a one-time code on a small, non-backlit display
  • 18. Physical
      · Any method that relies on moving a mouse, pen, or finger steadily
      · Reaching or accurately targeting small security keys or keys with small or depressed active touch areas
      · Typing on a keyboard, drawing a pattern
      · Manipulating a token, inserting a security key
      · Longer transaction time – susceptible to shoulder surfing or peeping
      · Biometric scan due to loss of physiological characteristics (e.g. digit amputation, disease preventing development of fingerprints)
      · Fingerprint scan due to dry skin
  • 19. Cognitive & Learning
      · Remembering passwords / challenge-response / pattern gestures
      · Understanding and following multiple steps of setting up / changing passwords
      · Having issues with social judgement, gullibility, a lack of awareness – susceptible to fraud and exploitation
  • 20. Hearing
      · Challenge-response where challenge is presented in audio form
      · Voice/speaker recognition
  • 21. Speech & Language
      · Voice/speaker recognition
  • 22. Mapping Between Auth Methods & Disabilities
  • 23. Legal Framework for Accessible Authentication
  • 24. 27%* of the constitutions of the 193 UN member states guarantee equality or nondiscrimination on the basis of disability.
      * Derived from data obtained from World Policy Analysis Center.
  • 25. Global Accessibility Laws
      · Disability Rights Laws: Americans with Disabilities Act, European Accessibility Act, Accessible Canada Act, …
      · Public Procurement Standards: Section 508 of the Rehabilitation Act, EN 301 549
  • 26. WCAG (Web Content Accessibility Guidelines)
      · Widely adopted / referenced
      · Adapted to cover various forms thanks to its technology-agnostic language
  • 27. Baking In Accessibility Maintain Ship Validate Develop Design Plan A11y User Research Gather User Feedback A11y Backlog Review A11y Audit Product Reqs Doc A11y Design Specs UX/UI Mocks A11y Design Systems PwD User Stories QA Testing A11y Framework & Components Research Validation User Studies Internal Testing A11y Expert Review A11y Readiness Review A11y QA Smoke Test A11y User Support A11y Bug Report
  • 28. WCAG 3.3.7 Accessible Authentication
      · New guideline proposed for WCAG 2.2: A cognitive function test (such as remembering a password or solving a puzzle) is not required for any step in an authentication process unless that step provides at least one of the following:
          · Alternative – another authentication method that does not rely on a cognitive function test
          · Mechanism – a mechanism is available to assist the user in completing the cognitive function test
          · Object Recognition – the cognitive function test is to recognize objects
          · Personal Content – the cognitive function test is to identify non-text content the user provided
      · Cognitive function test: A task that requires the user to remember, manipulate, or transcribe information
      · Examples of sufficient techniques
          · Allow for password managers
          · Allow for copying/pasting passwords
          · Email link authentication
          · Use WebAuthn
          · Use OAuth
          · Use two techniques to provide 2FA
  • 29. Current Models of Accessible FIDO Authentication: Accessible Deployment of WebAuthn and UAF
  • 30. WebAuthn – Responsibility Model & Accessible Deployment
      · Users: Users choose user agents supporting authenticators they are able to use.
      · User Agents: User agent developers ensure compatibility between user agents and WebAuthn.
      · RP’s Apps incl. Auth: RPs ensure applications are compatible with user agents that support WebAuthn. RPs create accessible UX. RPs conform to WCAG 3.3.7. When providing hardware, RPs enable users to choose authenticators accessible to them. If no option is accessible, provide alternative authentication means.
  • 31. UAF – Responsibility Model & Accessible Deployment
      RPs should adopt the following recommendations for UAF policy control:
      1. Mobile apps should always allow phone-unlocking authentication as an option.
      2. Mobile apps should allow silent authentication as much as is feasible.
      3. Phone-unlocking authentication should be allowed as a fallback/substitute for less secure modalities.
      4. When the mobile app requires one biometric authentication, the mobile app must provide two or more biometric options requiring different physiological characteristics.
      5. When the mobile app requires more than one (N) biometric authentication modality, the mobile app must provide at least N+1 biometric options requiring different physiological characteristics.
  • 32. Principles of Deploying Accessible Authentications
      Principle #1: RPs should design and implement authentication user interfaces and training materials to meet WCAG (Web Content Accessibility Guidelines) Level AA. Conduct user testing with users with various types and degrees of disabilities.
      Rationale: RPs can make user interfaces before, during, and after the authentication process more accessible by meeting WCAG Level AA and by engaging users with disabilities in user testing.
  • 33. Principles of Deploying Accessible Authentications
      Principle #2: When implementing WebAuthn, RPs should not discriminate based on authentication modalities. Non-discriminating WebAuthn would automatically pass WCAG 3.3.7 Accessible Authentication.
      Rationale: As described in the WebAuthn Responsibility Model, the onus is on end users to choose user agents with authenticators they are able to use, and the onus is on user agent developers and the WebAuthn working group to ensure compatibility between user agents and WebAuthn. An RP’s responsibility in implementing WebAuthn is to ensure WebAuthn does not discriminate based on authentication modalities.
  • 34. Principles of Deploying Accessible Authentications
      Principle #3: When implementing UAF, RPs should comply with the guidelines described in the UAF Responsibility Model.
      Rationale: RPs are able to choose which authentication modalities are provided via UAF and allow users to choose modalities. Given the extra flexibility, RPs should take some important factors into consideration, including the use of a phone-unlocking authenticator as fallback, the use of silent authentication, and requiring one or more than one modality of biometric authentication.
  • 35. FIDO UI Kit: Accessible components
      · Accordion
      · Animations
      · Buttons
      · Checkbox
      · Form Fields
      · Iconography
      · Illustrations
      · Journeys
  • 37.
      · Start the conversation
      · Test accessibility by experts
      · Test accessibility with users with disabilities
      · Refer to the White Paper
          · Legal framework for accessible authentication
          · Accessible deployment of WebAuthn and UAF
      · Accessibility training
          · IAAP (International Association of Accessibility Professionals)
          · Section 508 Trusted Tester
          · W3C Accessibility Training Resources
  • 38. Thank You!
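
The five UAF policy recommendations on slide 31 can be checked mechanically before a mobile app ships. The following is an added example, not code from the presentation or the FIDO Alliance; the policy model, the modality names and the modality-to-characteristic mapping are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed mapping (not from the slides): the physiological characteristic each
# biometric modality depends on. Iris and retina both need a usable eye.
TRAIT = {"fingerprint": "finger", "face": "face", "iris": "eye",
         "retina": "eye", "voice": "voice", "handprint": "hand"}

@dataclass
class AuthPolicy:                      # hypothetical policy model
    required_biometrics: int           # N: biometric modalities one login demands
    offered: frozenset                 # modalities the user may choose from
    phone_unlock_as_fallback: bool = False
    silent_auth: bool = False

def check_policy(p: AuthPolicy) -> list:
    """Return (rule, message) findings against the five UAF recommendations."""
    findings = []
    if "phone_unlock" not in p.offered:
        findings.append(("R1", "phone-unlocking authentication is not offered"))
    if not p.silent_auth:
        findings.append(("R2", "silent authentication is not allowed anywhere"))
    if not p.phone_unlock_as_fallback:
        findings.append(("R3", "phone unlock cannot substitute a less secure modality"))
    # R4/R5: N required biometrics need N+1 options with *different* traits,
    # so a user who lacks one characteristic can still complete the login.
    traits = {TRAIT[m] for m in p.offered if m in TRAIT}
    n = p.required_biometrics
    if n >= 1 and len(traits) < n + 1:
        rule = "R4" if n == 1 else "R5"
        findings.append((rule, f"{n} biometric(s) required but only "
                               f"{len(traits)} distinct trait(s) offered: {sorted(traits)}"))
    return findings

# Constructed sample policies.
EYE_ONLY = AuthPolicy(1, frozenset({"iris", "retina", "phone_unlock"}), True, True)
MIXED = AuthPolicy(1, frozenset({"fingerprint", "face", "phone_unlock"}), True, True)
TWO_OF_TWO = AuthPolicy(2, frozenset({"fingerprint", "voice"}))

if __name__ == "__main__":
    for name, pol in [("eye-only", EYE_ONLY), ("mixed", MIXED), ("2-of-2", TWO_OF_TWO)]:
        print(name, [r for r, _ in check_policy(pol)] or "ok")
```

The eye-only policy offers two biometric options yet still fails recommendation 4, because both depend on the same physiological characteristic.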