Challenges with Electronic Identity Authentication: A Qualitative Study with Disabled Participants

1. Introduction

This research aims to develop a guideline framework that can be followed by organizations wanting to implement an Accessible Authentication (AA) system for their users, i.e., a login system for their application or service, which genuinely considers disabled users' supplementary needs when trying to identify themselves. This is generally not catered for by mainstream login systems, due to an omnipresent reluctance to implement basic Web Content Accessibility Guidelines (WCAG) [1], which in turn is partially due to a lack of empathic understanding for those without sufficient visual or motor skills to conduct the verification process as a non-disabled person might more easily accomplish. Not only is it important for reasonable adjustments for disabled users to be made under The Equality Act 2010 [2], but also a legal requirement for public sector bodies [3], so that this is given more consideration by organizations in the electronic media domain.

Following on from this section, we introduce the current state of research in this area with a Literature Review on Accessible Authentication (Chapter 2). Subsequent chapters include our Methods (Chapter 3) for the collection and analysis of data, including abstraction from participants (3.2), Interview Questions (3.3), Analysis Methodologies (3.4) and Data Science Modelling: Trends (3.5), where we philosophize over advanced analytical methods. The Results Chapter (4) disseminates results over multiple sections and sub-sections (too numerous to list here). This then summarizes in the Discussion Chapter (5) to appreciate the viability and future possibilities for the research and subsequently culminates with the Conclusion (Chapter 6), which aims to assess the potential impact of this paper.

2. Literature Review

An initial systematic literature review has been conducted with respect to the topic of authentication (logging in) for disabled users [4] that finds limitations in the usability of authentication systems and associated issues regarding security concerns [5] and develops a strong case for the need to improve usability in authentication systems, thus reinforcing this debate. While being mindful about inadequacies, the presented systematic literature review finds that most of the current research is fundamentally theoretical in nature, and those that do present empirical data are focused in specific areas such as biometrics or Special Education Needs and Disability (SEND) in educational testing environments [6], hence they are not necessarily substantiated when considering the empirical concepts of our overarching concerns regarding barriers to authentication due to a disability, which will be essential for an all-encompassing Framework to defend the hypothesis that a viable and acceptable solution for Accessible Authentication is currently nebulous.

A more relevant empirical paper about “Accessible Authentication methods for people with Diverse Cognitive Abilities” [7] was discovered subsequently to the literature review, which runs along proceeding on the same track as this paper; however, it is limited to cognitive abilities only and is arguably more quantitative in nature as opposed to a qualitative one such as this one. Additionally, it should be emphasized that other research still represents highly valuable contributions in an area of research which is commonly deficient in comprehensive information and despite admitting “shortfalls and gaps in the literature” [8], this paper does reinforce the hypothesis that there are compound issues concerning the accessibility of current authentication techniques.

For example, an empirical study conducted in 2017 discusses an alternative method of authentication for People Who Are Blind [9], which provides evidence to support an alternative technique to traditional authentication. This technique uses a system of long and short taps, as opposed to keyboard and audio entry. This is shown to provide security against eavesdroppers and shoulder surfers, with minimum detriment to ease of use. It is not known whether this has been implemented in any production environment, but it does introduce the idea that authentication can be made more accessible for blind people and illustrates how scientific research can highlight specific areas of accessibility that need to be met.

A further related study assesses an alternative image-based authentication framework for people with Upper Extremity Impairments (UEIs) [10]. This provides valuable evidence that alternative authentication techniques can provide benefits for disabled users (and potentially the wider community) through a system that is more intuitive. Although password strength calculations have proved to provide sufficient entropy against shoulder surfing and close-adversary attacks, there could be a scenario where an online brute force attack bot could scan the first phase stochastically to reduce the integrity of the system, so one might wonder if it would ever be adopted as a public release. Nonetheless, it remains a valid instigation and important flag bearer for the cause of accessibility rights in the realm of authentication. It is also interesting to note that several participants said the application was fun to use, which could potentially eliminate many pain points when it comes to bringing a system like this to market.

The above represents the limited selection of documents available that directly relate specifically to ‘Accessible Authentication’, despite an abundance of topics in either ‘Accessibility’ or ‘Authentication’, this conjunction is regrettably disparate as a recognized or unified concept. Collectively, this paper aims not only to provide the much-needed empirical evidence in a relevant context, but also to provide a derived framework comprising of suggestions for existing or new authentication systems, supplemented with a proposal for a prototype application to substantiate the viability and practicality of the framework. This framework also recommends a set of categories for AA classification or advises a set of target criteria for its production-level implementation.

3. Methods

3.1. Overview

This paper examines a dataset created from a series of interviews (n=15) with disabled users (with no restrictions on geographical region or gender) that were recorded in audio format and then transcribed and coded using the NVivo 20 [11] qualitative analysis tool. Although the option to generate coded information with Generative Artificial Intelligence (GenAI) learning algorithms from within NVivo 20 was available, it was found that much of the coded information that this produced was either completely irrelevant or incongruent to the research questions, so this option was dismissed as unfeasible as an assistant to coding for this study. Therefore, the original manual coding phrases were adhered to and as they consequently illicit far more tactile results for the study.

3.2. Participants

The participants that we interviewed were from various geographic locations across either the United Kingdom (UK), the United States of America (USA) or Europe (EUR); however, the research was open to candidates from all regions from around the world. Age ranges vary considerably from the youngest, at the 16–19-year-old range, through to all other age ranges (20-29, 30-39, 40-49) and on up to and including people in the 50+ age dimension. The ratio of female to male participants is exactly one third female to two thirds male, with no participants declaring their gender as anything other than these two variants, although alternative options were provided to state this, if desired.

Comparatively, the division of impairments between mental and physical disabilities (that are classified as relevant to the research), maintains an appropriate balance, including, but not limited to; Spinal Injury, Quadriplegia, Paraplegia, Facioscapulohumeral Muscular Dystrophy (FSHD), Cerebral Palsy (CP), Dyslexia, Dyspraxia, Attention Deficit Hyperactivity Disorder (ADHD), Autism Spectrum Disorder (ASD) and Schizophrenia.

Sourcing the participants occurred via various channels and comprises groups of personal acquaintances, social media influencers and academic students at institutes that can be defined as external to Bournemouth University (BU) in the United Kingdom (UK), who assessed and approved the ethical considerations for this research, in line with the regulatory board. In terms of experience with Assistive Technology (AT), usage ranges from grammar correction software to gaming AT (including custom switches and paddles and pen tablets), eye-tracking technology and wheelchair accessories. Further details of those that are relevant to the paper will be formally discussed in Section 3.

Table A1 depicts the formal demographics of all participants and is situated in Appendix A (A.1) and Figure 1 represents this graphically below.

3.3. Interview Questions

The questions for the interviews were in general designed to illicit qualitative results for this paper, however some questions yield results on a scale of 1-5 which could be considered quantitative and yield statistical results, however, interviewee would frequently provide extra context when answering these questions and therefore the majority of reporting for this paper will be qualitative in nature, which allows us to create verbal theorems around the proposal of a Framework for Accessible Authentication. At a later stage of this research, a new, refined quantitatively based questionnaire will be created for trial and will define scientific proof for the research in support of the grounded philosophical hypothesis produced from these first-stage interviews. Vice versa, the questionnaire may also illicit a few qualitative opinions to balance the equation, and stem into a full mixed-methods analysis by the maturation of this research.

As an example of questions asked in the interviews, the participant is asked whether they believe that security is an organization’s responsibility or their own. Furthermore, previous studies suggest there could be a tradeoff between ease of use and maximum security for logging in; however, literature suggests that people only want security that is “just okay” [12] and will naturally gravitate towards a system that is easier to use, for obvious reasons. Logically, the question then arises as to who should take responsibility for a less secure system? Should it be the organization or the user who decides how secure their own system access is? The results from the interviews will be discussed further in Section 3 and could have a profound impact on Framework design and implementation for a system that hands over more or less control to one side or another.

Other questions include preferences for usability over security, accessible technology currently used by participants and/or devices that they can envisage using or would prefer to use. Later, device preferences can be used to assess and suggest optimal modes for electronic identification (eID), which can not only be used for online authentication, but could also have other stemming, diversified applications as well.

One more difficult question includes loosely assessing the feelings experienced when logging in, whether this is an everyday experience for them or if they have any negative feelings about it. Whilst there is an element of psychological analysis, it is designed to be a gauge for assessing the overall need for action and consequently to reinforce the validity of developing an Accessible Authentication Framework.

Please note that a complete list of all the semi-structured questions asked in the interviews can be found in Table A3 within Appendix B (B.1) at the end of this paper.

3.4. Analysis Methodologies

As we will see in the following section, the question of whether to use inductive or deductive reasoning for our approach in this paradigm results in a contradiction about which process should be used, which results in the suggestion of a dichotomy, where both thought processes could be used. Some questions also present the challenge of “propositional attitudes” [13], which lead to considerations about emotional “hopes, fears or beliefs” about the predicament. The selected methodology will be focused on induction, and the justification will now be described in more detail.

A decision was made to harness Grounded Theory (GT) [14] methodologies instead of Thematic Analysis (TA) [15] to analyze the data, and the philosophical reasoning behind this is duly explained herewith. Initially, the methodological approach for analysis to be used in this research was intended to have used TA as its method on the basis that some existing themes had already been illuminated upon by both previously conducted research and the author’s own thoughts on this subject. However, on closer inspection, only very few of these themes contain substantial real-world data and consist mainly of early-stage hypotheses about whether usability and security are issues for disabled people who wish to authenticate online.

TA can be performed either inductively or deductively, and as a process of deductive reasoning (commensurate with mathematical induction), it would require that the theorem would need to always be true in all cases [16], and therefore this method can be discarded (for our purposes) due to the fact we are not trying to prove a tautology (i.e. a consistent truth), yet instead the objective is to provide solutions to various phenomena the occur in the field of AA. Consequently, an alternative inductive analysis method will be needed to provide evidence of credibility, as opposed to mathematically determined outcomes.

Decisively, even though inductive reasoning can also be used as conjecture for TA, it was felt that there was not a substantial amount of existing research in this topic area to warrant (or support) a full investigation based on the TA principles. Consequently, this is why various GT methodologies were investigated to find a suitable GT method to apply to the data set, which can consequently build theorems from analytical coding, or pattern-based reconciliation.

Expanding more on the qualitative coding method used with Nvivo 20 mentioned above, this particular paper relies on the proven advantages of Grounded Theory [17] methodology to build a focused theory about the results and after careful consideration, Constructivist Theory (CT) [18] was selected as the more specific mode for application of the GT as this enables induction of theorems bearing around the key research question of “how can authentication be made accessible?” and again, the dichotomy between induction and deduction resides here).

This is done via a logical process of primarily generating a set of corresponding (reinforcing) patterns in the ‘Initial Coding’ phase, then refining and optimizing them in the ‘Focusing Coding’ phase to highlight commonalities and relational aspects. Finally, a ‘Theoretical Coding’ phase involves developing a collection of theorems based on qualitative interpretations of the codes that can be extrapolated upon to yield a final set of logical proofs which, in an ideal world, could be empirically replicated from further studies. Indeed, a set of logical propositions can invoke our final proofs through using propositional or predicate logic, mathematical calculus or statistical analysis, again suggesting that this solution could at least be dichotomous when deciding between the ideal methods for hypothesis, analysis and theoretical construction.

We also must consider the fact that the ensuing analysis could be categorized as abductive reasoning, as it can be appreciated that there will be a temptation to succumb to interpretive guesswork, simply due to the subjective nature of the research. Nevertheless, the findings given in the results section coming up next are based on real-world empirically induced findings and thus can be widely accepted as scientific facts.

3.5. Data Science Modelling Trends

These methods of analysis can also be applicable in the field of Data Science, as it co-aligns with theoretical data modelling to identify opportunities and statistical prediction for “forecasting of short and long-term outcomes” [19], rather than trying to produce a single law, which could ultimately prove to be refutable. Increasingly, Generative AI (GenAI) is currently taking on a more predominant role in data science analysis and could also lend itself to the dynamic modelling of a heuristic framework (using experimental rules to test hypotheses) that creates new suggestions for developmental standards or categories for AA, provided that a collection of appropriate, pre-existing datasets are properly fed into an automaton that has been formulated with GenAI at its core.

4. Results

4.1. Overview

The results aim to answer the research question of “do improvements to accessibility unquestionably need to make authentication easier?” but cannot be a consistent proof due to the lack of conforming results. Therefore, this becomes an assumption for utilizing GT as a method of analysis, because from this we can derive theorems for solutions for when the phenomenon does occur.

4.1.1. Categorization

Coding was divided into six broad categories during initial Stage 1 coding, including Disability (type and relation to the issue), AT Devices (assistive technology), Usability versus Security (including the tradeoff between the two), Issues (common problems), Desirable Features (ideal solutions) and finally, Responsibility (onus for security). Granularity can be found in a series of characteristics within each category, which have been manifested by the coding process.

4.1.2. Disability

To begin with, we wanted to find out what percentage of users feel their disability hinders their ability to authenticate, and it was found that most users find that authentication is made more difficult due to their disability, as illustrated in Figure 2 below.

As we can see from the pie chart in Figure 2, more people had issues with authentication due to their disability as opposed to the problem being unrelated to it in their opinion. It is worth noting that even users who said they did not have an issue went on to discuss areas where the authentication procedure could improve and it is not indicative of the fact that they were not without any difficulties altogether.

There was an equal balance between being willing to reveal information to a third party as much as there was to guard their details. Finally, a small number were concerned about issues caused by the ongoing deterioration caused by their disability.

The range of disabilities, either specifically stated by the participants’ own personal disabilities or discussed in general conversation during the interview process (several of which were mentioned twice or more), is shown in Table 1 below, which also categorizes them into physical and cognitive realms:

4.2. Coding Results

Table A2 in Appendix A (A.2) records the number of times each topic was referenced in relation to the context of the issue. It is included for the purpose of validating this paper in any given future research opportunities or for use in statistical analyses of the data.

4.2.1. General Findings from Stage 1 - Initial Coding

A set of characteristic traits were seen to emerge from the participants’ answers. Reasoning for this will be deliberated accordingly in our Stage 3 Inductive Theorems, later in this section. The list of seven characteristics identified is as follows:

• Disability – There is a wide variety of disabilities that could be addressed by this Framework. Signs of accessibility issues begin to emerge in conversation;
• AT Devices – People tend to prefer authenticating themselves with only one device;
• Usability versus Security – while people prefer a usable platform, security is still a significant concern. Subsequently, this contradicts earlier theoretical research mentioned in the Introduction section that suggests usability is a larger problem than security; however, it could be accepted that this is more of a problem in the paradigm of an authentication machine’s functional capability, which contrasts with the user’s value-based and balanced perspective of the situation;
• Issues – time-based codes present the biggest challenge, specifically with physically reaching for a 2FA device;
• Desirable Features – simplified login is preferred with other features are recorded;
• Responsibility – the onus for privacy and security should lie with the service provider. A user’s own responsibility is also recognized.

4.2.2. Emerging Characteristics from Stage 2 - Focused Coding

During Stage 2 Focused Coding, which involved simplifying and reducing the number of coding topics, we note the following three barriers to analysis:

• It is difficult to reduce the findings without overlooking small but perhaps relevant information;
• Some topics show much greater support from users than others;
• Some topics reveal an almost 50/50 split in opinions, leading to the assumption that there is no right or wrong answer for these questions.

However, we also note the following emerging characteristics which will enable us to evolve theorems from the data:

• Most users identify problems logging in due to their disability;
• Although the research aims to make logging in easier for users, security is still important to them;
• There is considerable interest in a universal login system;
• There is interest in alternative devices to facilitate the log in process;
• Forgetting passwords is a common theme.

While there are barriers to be aware of, they do not defy the induction of Theorems, simply because several emerging characteristics clearly indicate clear pathways towards them. Hence, in the following stage we use qualitative analysis (GT) to inductively base the Theorems on logical foundations.

4.2.3. Formulation of empirical proofs from Stage 3 - Inductive Theorems

Following Stage 3 Theorem coding, the following Theorems were deduced from the data’s seven characteristics that evolved from Stage 1:

Proposition 1. 

Disability causes issues with authentication.

Remark 1. 

It was discovered that most users feel that they have some form of extraneous problem with authentication that they believe is caused by their disability.

There was a wide variety of disabilities exhibited by participants and there were many people who were reluctant to divulge information to a third party, in contrast with those who would be happy to pass it. There are also several references to problems caused because of having a disability, and this is undeniably important because it verifies the need for this paper to highlight that there is an existential problem with the level of accessibility in a core system that has repeated daily use in our lives.

Proof of Proposition 1. The number of users who stated their problems with authenticating is statistically higher than those who do not see it as related. The ratio (r) is calculated as:

$$\begin{gathered} \mathrm{d=\; 29,} \\ \mathrm{n=\; 11,} \\ RationofproblemsduetoDisability\left[r\right]={\displaystyle \frac{DuetoDisability\left[d\right]}{NotduetoDisability\left[n\right]}}={\displaystyle \frac{29}{11}}={\displaystyle \frac{2.63}{1}}\approx 2.5:1 \end{gathered}$$

whereby d is the number of references ‘due to disability’ and n is the number ‘not due to disability’.

∴ The ratio is approximately 2.5:1 (two and a half to one) for those who have a problem authenticating due to their disability compared to those who do not have a problem due to it, and as it outweighs the opposing theorem, we can therefore safely assert the following logical proposition:

Premise 1: Disability ⇒ Difficulty with authentication.

Premise 2: User has a disability

Conclusion: Users with a disability have difficulty with authentication □

This proposition is important, not least because it is indicative of a serious flaw with accessibility in current authentication systems.

Theorem 2. 

Most people would be happy with a general/AT device for authentication.

Remark 2. 

It was discovered that many users either have some form of preference for a hardware device that can be used in conjunction with authenticating or would like some general form of device that could help with this.

Specifically, any form of general device alternative to passwords is the most popular, followed by fingerprint scanners, facial recognition, a mobile phone and then Universal Serial Bus (USB) key. Traditional AT devices tended not to be desirable unless it is something that a physically disabled user already uses, such as a sip-puff device and while a mobile phone may not normally be considered as an AT device, it remains the default choice for most disabled users. Furthermore, individuals with Stroke and Alzheimer's condition can see the benefits of using an eID, such as a USB key or credit card-sized ID that can be hung around their neck. The ability to remember passwords can be a concern for them, which can also be the case for many other users as well.

Proof of Theorem 2. Statistically speaking the top answer for authenticating with a hardware device was ‘any kind of general device that worked well’. Although this is a broad definition, it identifies that users are generally keen on the idea of a hardware device to help them authenticate with.

Plenty of participants (n=8) expressed interest in using facial recognition, with a few expressing keen interest in fingerprint scanners (n=3) and one who has was excited by the idea of an eID card which can be kept on a lanyard (that can be kept around the neck). The top five answers (in terms of frequency of references) were:

• General Device;
• Fingerprints;
• Facial recognition;
• Mobile phone (or tablet);
• USB key.

Theorem 3.

Security is in fact more important than usability.

Remark 3.

Initial supposition from the literature regarding accessible authentication points the problem towards usability. In fact, it turns out that statistically speaking, users place a higher value on the security of an authenticator than its usability.

When comparing usability versus security, it initially appeared that ease of use matches security in importance to users, where users would generally like some kind of acceptable level for each, which is entirely understandable. Surprisingly, despite many admitting to making security sacrifices to make things easier, as the interviews progressed, increasing passion for security was identified. We also found discovered some debate over whether certain devices, such as fingerprint scanners for example, could be classified in some way as AT devices at the same time if they can be considered to aid the ability to login. It is not uncommon for everyday devices to be used in this way, such as X-Box controllers, and while it is also true that there remains a vast quantity of much unheard-of AT devices available for a large variety of very specific disabilities [20]. Therefore, this is a complex issue due to ensuring compatibility with AT for any application to be universally accessible.

Whilst observing at the superficial level of this research, it appears that the simple answer is to make authentication easier for users; however, in many situations, this undermines an essential need for security, which is paramount for any system which can allow access (by an actor) to a user’s personal and valuable information. Therefore, contrary to initial speculation, the security of any system suggested by a Framework must have a high level of security guarantees, especially so as this group of users should also be classified as vulnerable (to breaches), due to factors beyond their control.

Philosophically, it is acknowledged that application developers do have an ongoing battle against cyber-attacks, currently, where the stakes are becoming higher and even household names are becoming victims. Many people fear advances from AI attack bots, but we must take comfort in the developers community who tireless seek ways to counter these with their own AI advancements such as Deep Neural-Net based Middleware [21] which has its origins in early day neural nets with the invention of the perceptron by Rosenblatt in 1962 [22], something which modern AI moves aways from with today’s Natural Language Processing and drifting into multimodal AI which can “seemingly do it all” [23].

Lemma 3.

Initial supposition was that usability would be the main concern; however, users referred to their security concerns almost twice as much as they did to usability. The same is true when compared to their desire for a balanced system with double the references.

Proof of Theorem 3.

Using predicate logic on our original hypothesis taken from previous research noted in the literature review, we have our slightly naïve assumption:

P = (∀x) P(x) → P(u) ∧ P (¬s)

where our Predicate implies that for all users x, they want usability (u), and not security (¬s).

Whereas in fact we could generalize our predicate logic by using ‘there exists’ (∃) to establish a preference within a function (F) of all users ([x/τ]) that we interviewed in our research (n=15):

F (τ1, . . . , τn)[x/τ] → ((∀[x/τ]) (∃(u) ∨ ∃(¬s)) ∧ ((∀)[x/τ]) (∃(¬u) ∨ ∃(s))

Whereby for each instance of the participants they will have a (maybe even slight) preference for security or usability; and our statistics tell us that the preference is for security.

Note that the proof of Theorem 3 is a logical assumption based on three reference numbers to maintain balance and would not necessarily warrant a complex statistical analysis for this paper. Although a predicate could be made for it, it is difficult to distinguish from the users' responses the exact degree to which security is more important than usability, as it seems conceivable that both are important.

To this end, the proof will remain in part, as a Theorem, rather than a statement of fact. It illuminates the contradiction to the early hypothesis that usability is the most important factor in Accessible Authentication, but it is challenging to eliminate the importance of usability altogether as this can be a vital ingredient when it comes to accessibility under the perspective of how the Human Computer Interaction (HCI) is designed for use, especially when it takes into account any difficulties caused disabilities that a user might have, in line with Fitts’ law (developed in the 1950’s and 1960’s) whereby we can actually mathematically quantify processing time with the early psychological perception of what is described as “bits per second” [24].

An observation was made by a participant in one of the interviews that disabled people are technically more vulnerable to cyber-attacks, so it would be logical to provide increased security for them. As a reminder, the actual values for the number of references for each characteristic are shown in Table A.2 in Appendix A.

To conclude the analysis, we define these with Lemmas (sub-Theorems), as they are particularly subjective in nature and would not necessarily require defined proof for them to still be useful as weighted opinions (or suggestions) that can be added to the proposed Framework for Authentication Applications.

Lemma 4.

Users generally have a variety of issues that they find detrimental to the authentication process for them.

Initially during the interviews, a common verification issue that cropped up was with time-based codes, followed by 2FA and the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) systems.

On final addition of all issues, it is noted that the general issue over privacy concerns soon become the highest concern, which could be relationally linked to preferences for a secure system over usability. Frustration was the next important concern based on the only real emotional test question and it was identified that most disabled users have difficulties due to a lack of accessibility integrated into authentication procedures.

There were 12 spoken references where the user claimed to have few or no issues, and although this is encouraging, it does not equitably compare to the total of all other issues found to be experienced by all the users.

Lemma 5.

The most desirable feature is a universal and/or simplified login system.

A universal login system and simplified login system were the most desirable features, implying a demand for ease of use. Although it does contradict our earlier Theorem of a preference for security, it reinforces the fact that usability is still imperative to any accessible system, as was mentioned earlier with a focus on HCI. The option to remain logged in was the next most desirable. If this can be implemented without any detriment to security, this would be an ideal situation, both for the disabled community and organizations wishing to maintain a high degree of customer loyalty.

Lemma 6.

Most users felt that the privacy and security of the login system is an organization’s responsibility, not theirs.

Giving way to rationality, several participants agreed that it was both their own responsibility as well as the organizations, as accident or negligence could not always be reliably blamed on the third party. While it may remain justified for an organization to be held accountable in certain legal cases, through disclaimers or other legal loopholes, an organization can and will protect itself from a user’s own negligence. While some participants have openly acknowledged this, others place the onus solely on the organization, so it may highlight where certain psychological perceptions, expectations and boundaries lie.

4.2.4. Qualitative Feedback

Throughout the interviews several interesting points were made by the participants, including two who mentioned the idea of a prominent red button to log in with, much like the type you might find in a game show, thus illustrating a desire for simplicity when authenticating. This can be compared to AT devices that have a simple process of a paddle or a switch to trigger an event.

Participants shared several innovative ideas for login systems showing great creativity and imagination. One mentioned a picture-based system, which as mentioned there is already some research into. Another suggested a device connected to her wheelchair which prevents it going out-of-reach. One participant was also unaware that USB-based fingerprint keys were already available, as this would be ideal for them. This shows that there is still much scope for authentication and there is no need to adhere to anachronic views of how it should be.

5. Discussion

This research fully acknowledges that its origins derive from initial research conducted by Whittington and Dogan [25]; with the creation of a prototype application known as Authentibility (see Figure 3), which is designed to accept information about a user's disability in order to transmit that data to service providers so that they can better cater for their needs. A video explaining this prototype can be found in the Supplementary Material video link S1. The research now pivots to adapt to study the way that the user can log in to a service that is more accessible to them, although the original idea of passing disability data to a service is something to be debated in future research.

Initially, there are two methods of authentication with a service for the user (see Figure 4), either via the authentication app for verification and subsequently on to the service or by accessing the service, which then calls the authentication app for verification. The initial prototype application does not clearly define which of these two methods it intends to use to establish a connection with a service or organization. However, the currently accepted norm for this procedure is the latter of these two, due to reduced complexity [26], whereby the service polls the authenticator for eID confirmation. Development of the application may require further research into Development, Security and Operations (DevSecOps), along with User Interface (UI) design, both coupled with extra considerations for the disabled. Naturally, this is also a logical method for in-person eID utilization, in the event that the client is physically located at the service’s premises.

Given that the results show that many users have a serious concern for the security of their personal information, it is natural to consider that any authentication system should strive to achieve the maximum security possible. The initial idea that making it simpler to use for disabled people would be an idea solution but has the disadvantage of reducing security to a vulnerable user group. As well as using secure hashing algorithms, the bare-metal systems that an authenticator runs on will also have to be as impenetrable as possible too.

Suggested precautions for security might include software hosting at secure premises with good security such as Access Control Systems (ACS), physical identification (ID), Closed Circuit Television (CCTV) to prevent social engineering or physical access to sensitive hardware [28].

We may also consider defense systems that detect Internet of Things (IoT) attacks that manipulate device firmware, software and operating systems, such as those found on mobile phones, fingerprint scanners, servers and other AT hardware. These also include “Intrusion and Anomaly Detection Datasets” [29] such as X-IIoTID, CIC-IDS2017, CICIoT2023 and Edge-IIoTset. Many datasets are open-source and so freely available to use without cost, such as the CIC-IDS2017 dataset that is provided by the Canadian Institute for Cybersecurity [30].

More encouragingly, modern research also suggests that there are also new strategies that we can use to keep the balance between security and performance, without any unfair sacrifice to either side of the scales by using deep learning to adapt defensive strategies on the fly, whereby the system optimizes for maximum performance or security depending on the recognizable characteristics of any given access request [31]. Indeed, advanced ultra secure and high performing eID solutions may soon be a common reality with the advent of quantum computing thereby harnessing the ultra-fast potential of “quantum enabled data authentication” [32]; further pressing the boundaries of modern authentication systems that are now fast becoming more deeply interwoven into the general population’s daily lives.

Evidently, we will soon encounter many areas of further research that can be linked to this study of Accessible Authentication, both in terms of security in balanced conjunction with UI design/reliability/speed of operation, i.e. Quality of Service (QoS). It would be vital to include the opinions of disabled people to determine the applicability of the discussed theories.

Although a substantial body of research already exists in the field of authentication, little remains in the specific area of Accessible Authentication. Nevertheless, with careful assessment of real-world information, it is anticipated that we can substantiate enough empirically significant theoretical knowledge to establish a Framework for organizations and program developers to consider incorporating the outlined suggestions into new and existing applications. It is anticipated that once awareness of the Framework is expanded upon, for example, by informing influential corporate stakeholders, such as Microsoft, Google and Apple, of the potential benefits for its client base by way of being a more inclusive entity, the research can achieve its full potential impact.

This results of this analysis represent statistical significance not only in the qualitative field, but also in the quantitative one too. The quantity of scalar valued questions in the fifteen interviews (n=15) means that there is extensive feedback that can already have quantitative analysis methods applied to them. Further to this, we have proposed a further questionnaire as future work, which supports enhanced questions based on the outcomes of the research so far (which will require a combination of scalar and yes or no answers from the participants) to provide data which can thus have statistical methods such as Multivariate Analysis [33] applied to it. Furthermore, the empirical nature of this research grounds the work for future studies and propositions such as the proposed Framework for Accessible Authentication mentioned earlier.

To further support this research, the authors also intend to conduct further research by interviewing industry professionals in the areas of authentication development. This is to try to establish if support for disabled users is imperative for them to log in with a fair and equal basis to the rest of the population, indicating a pattern of atrophy that may already be pervasive in the level of accessibility in today’s authentication systems.

6. Conclusions

It is envisaged that the Framework or future applications devised from this paper could foreseeably include physical (on-person) Electronic ID (eID), either as part of a resident Trusted Executions Environment (TEE) for TouchID systems or alternative biometrics. This could be on a more amenable credit card sized (chip-on-device) ID card or USB memory sticks encrypted with Certificate Authority (CA) or Fast Identity Online 2 (FIDO2) based authenticators. These devices have the strength to utilize passwordless, single-factor authentication devices, which have been empirically proven to have advantages over traditional passwords or two-factor (2FA) authentication [34].

It is envisioned that this introductory empirical paper, situated within this area of specialization, will be successful in promoting Accessible Authentication for disabled users. According to the World Health Organization, “an estimated 1.3 billion people – about 16% of the global population currently experience significant disability” [35], and in our increasingly more connected digital world, stakeholders must make advances to secure more inclusive methods of Electronic Identity Authentication.

We can see from the results that security is important to disabled people, so making this a priority on any eID is a must to protect them fully. It was accepted that any general AT/hardware device would be acceptable as an eID, with preferences for fingerprints and face recognition coming out top, along with the humble mobile phone. Fears over signal-jacking for Radio Frequency (RF) fobs, were also expressed, so secure radio channels are needed. However, they can often be based on Remote Keyless Entry (RKE) designs [3], which can be replicated at relatively low cost, which raises security concerns. We should complement any on-board transmissions with Rivest-Shamir-Adleman public-key cryptosystem (RSA) security certificates that ensure the utmost security for users.

To conclude, by looking at our Theorems, we have discovered the existence of multiple issues within the domain of electronic identity authentication, manifesting themselves in various forms. Through the process of an empirical qualitative study, we consider that disabled users are consequently affected by these, due to a lack of accessibility inefficiencies. It is recommended that solutions should be implemented to improve the usability for the user group whilst maintaining optimal security.

Appendix A.1.

Demographic data for the study is depicted in Table A1 below:

Table A1. Demographic distribution for the study.

Participant	Age Range	Geographic Location	Gender
participant 1	40-49	Southern England, UK	Female
participant 2	30-39	Florida, USA	Male
participant 3	30-39	Mississippi, USA	Male
participant 4	30-39	Philadelphia, USA	Female
participant 5	40-49	Southern England, UK	Male
participant 6	16-19	Southern England, UK	Male
participant 7	50+	Southern England, UK	Female
participant 8	20-29	Midlands, UK	Male
participant 9	20-29	Southern England, UK	Male
participant 10	50+	Southern England, UK	Female
participant 11	50+	Southern England, UK	Male
participant 12	50+	Southern England, UK	Male
participant 13	50+	Southern England, UK	Male
participant 14	50+	Southern England, UK	Male
participant 15	20-29	France, EUR	Female

Table A1. Demographic distribution for the study.

Participant	Age Range	Geographic Location	Gender
participant 1	40-49	Southern England, UK	Female
participant 2	30-39	Florida, USA	Male
participant 3	30-39	Mississippi, USA	Male
participant 4	30-39	Philadelphia, USA	Female
participant 5	40-49	Southern England, UK	Male
participant 6	16-19	Southern England, UK	Male
participant 7	50+	Southern England, UK	Female
participant 8	20-29	Midlands, UK	Male
participant 9	20-29	Southern England, UK	Male
participant 10	50+	Southern England, UK	Female
participant 11	50+	Southern England, UK	Male
participant 12	50+	Southern England, UK	Male
participant 13	50+	Southern England, UK	Male
participant 14	50+	Southern England, UK	Male
participant 15	20-29	France, EUR	Female

Appendix A.2.

Stage 1 (Initial Coding) data for the study is depicted in Table A2 below:

Table A2. Number of references discovered for each focal topic.

Topic (number of references)	Sub-topic	Description	References
AT devices (132)	General Device	Other or alternative devices	40
	Fingerprints	Preference for fingerprint scanning	17
	Facial recognition	Desirable for login	15
	Mobile phone (or tablet)	User’ personal smartphone	14
	USB key	A security key that store certificates	11
	Voice recognition	User would like to see voice recognition	7
	Fob	An RF (Radio Frequency) device	6
	Text to speech	Text to speech conversion to aid login	6
	Speech to text	Closed captioning or text prompts	4
	Font change	Adaptations to font style	4
	Color changes	Adaptations to font color	4
	Eye tracking	Eye tracking device	3
	Sip-Puff Device	A device controlled with the users’ mouth	1
Desirable features (89)	Universal login	Would want a universal system	15
	Simplified login	Not too many obstacles or options	15
	Remain logged in	Be logged in when they get back	11
	Something you know	2FA (Two Factor Authentication)	8
	Focused options	Options focused on the disability	7
	Happy with just a password	Would like to see just a password system only	6
	Passcode recording	System records time-based code for you	5
	Easier Recovery	Easier options to recover data	5
	Faster login	Quickest possible login preferred	4
	Delete information	Auto-remove old passcodes	4
	Speak to a person	Would prefer to speak to real person about login issues	3
	Show password	Option to show password	2
	Use of AI	Use of AI once info passed to organization	2
	Picture based authentication	Selecting pictures to login	2
Disability (131)	Nature of disability	Name of Disability in question	32
	Due to disability	User feels issue is due to disability	29
	Pass information	Happy to pass information to third parties	22
	Reluctant to divulge	Reluctance to divulge disability	20
	Not because of disability	User feels issue is not due to disability	11
	Deterioration	Concerns about a deteriorating or degenerative disability	5
Issues1 (180, 127 G, 41 V, 12 L)	Privacy concerns G	Concerns about information or permissions	27
	Frustrating G	Feelings of frustration due to authentication	23
	Identification G	Issues with being identifiable	17
	Forgotten password G	Unable to recall password	11
	Locked out G	No way to verify own account	11
	Distance from device G	Being far away/having to reach a 2FA device.	11
	Repeated attempts needed G	Repeated attempts needed to login or tired from repeatedly having to do it	9
	Time consuming G	Logging in is time consuming	7
	Password mismatching G	Inability to match passwords	3
	Distractions G	Environmental disabilities	3
	Number of accounts G	Extra complexity caused by quantity of different logins needed	3
	Character set G	Issues with character set	2
	Time based codes V	Two step authentication issues	17
	2FA V	Two step authentication issues	9
	CAPTCHA issues V	Issues with Google (or other) image recognition test - characterized by use of traffic lights and stairs	6
	Authenticator issues V	Authenticator issues or delays	4
	Code retrieval delays V	Issues with biometric	3
	Fingerprints V	Time delays in emails or 2FA codes coming through	1
	Low difficulty L	Minor or no issues with authentication	12
Responsibility (27)	Companies’ responsibility	The company is more responsible	14
	Both responsible	Users and companies are equally responsible	10
	Users’ responsibility	The user is more responsible	3
Usability v Security (85)	Security important	User feels security is important	34
	Usability (and speed of access) important	User feels usability is important	20
	Balanced System	Users need a balance between security and usability	18
	Security Sacrifices	Willing to sacrifice security to make it easier to login	13

Table A2. Number of references discovered for each focal topic.

Topic (number of references)	Sub-topic	Description	References
AT devices (132)	General Device	Other or alternative devices	40
	Fingerprints	Preference for fingerprint scanning	17
	Facial recognition	Desirable for login	15
	Mobile phone (or tablet)	User’ personal smartphone	14
	USB key	A security key that store certificates	11
	Voice recognition	User would like to see voice recognition	7
	Fob	An RF (Radio Frequency) device	6
	Text to speech	Text to speech conversion to aid login	6
	Speech to text	Closed captioning or text prompts	4
	Font change	Adaptations to font style	4
	Color changes	Adaptations to font color	4
	Eye tracking	Eye tracking device	3
	Sip-Puff Device	A device controlled with the users’ mouth	1
Desirable features (89)	Universal login	Would want a universal system	15
	Simplified login	Not too many obstacles or options	15
	Remain logged in	Be logged in when they get back	11
	Something you know	2FA (Two Factor Authentication)	8
	Focused options	Options focused on the disability	7
	Happy with just a password	Would like to see just a password system only	6
	Passcode recording	System records time-based code for you	5
	Easier Recovery	Easier options to recover data	5
	Faster login	Quickest possible login preferred	4
	Delete information	Auto-remove old passcodes	4
	Speak to a person	Would prefer to speak to real person about login issues	3
	Show password	Option to show password	2
	Use of AI	Use of AI once info passed to organization	2
	Picture based authentication	Selecting pictures to login	2
Disability (131)	Nature of disability	Name of Disability in question	32
	Due to disability	User feels issue is due to disability	29
	Pass information	Happy to pass information to third parties	22
	Reluctant to divulge	Reluctance to divulge disability	20
	Not because of disability	User feels issue is not due to disability	11
	Deterioration	Concerns about a deteriorating or degenerative disability	5
Issues1 (180, 127 G, 41 V, 12 L)	Privacy concerns G	Concerns about information or permissions	27
	Frustrating G	Feelings of frustration due to authentication	23
	Identification G	Issues with being identifiable	17
	Forgotten password G	Unable to recall password	11
	Locked out G	No way to verify own account	11
	Distance from device G	Being far away/having to reach a 2FA device.	11
	Repeated attempts needed G	Repeated attempts needed to login or tired from repeatedly having to do it	9
	Time consuming G	Logging in is time consuming	7
	Password mismatching G	Inability to match passwords	3
	Distractions G	Environmental disabilities	3
	Number of accounts G	Extra complexity caused by quantity of different logins needed	3
	Character set G	Issues with character set	2
	Time based codes V	Two step authentication issues	17
	2FA V	Two step authentication issues	9
	CAPTCHA issues V	Issues with Google (or other) image recognition test - characterized by use of traffic lights and stairs	6
	Authenticator issues V	Authenticator issues or delays	4
	Code retrieval delays V	Issues with biometric	3
	Fingerprints V	Time delays in emails or 2FA codes coming through	1
	Low difficulty L	Minor or no issues with authentication	12
Responsibility (27)	Companies’ responsibility	The company is more responsible	14
	Both responsible	Users and companies are equally responsible	10
	Users’ responsibility	The user is more responsible	3
Usability v Security (85)	Security important	User feels security is important	34
	Usability (and speed of access) important	User feels usability is important	20
	Balanced System	Users need a balance between security and usability	18
	Security Sacrifices	Willing to sacrifice security to make it easier to login	13

Appendix B.1.

The interview questions are listed shown in Table A3.

Table A3. Questions, their scope, reasoning and categories2.

Index	Question	Format	Relevance/Reasoning	Category
01	Name	Text	Indexing/Storage	DE1
02	Age Range *	16-19 20-29 30-39 40-49 50+	Age verification, categorisation	DE2
03	Gender	Woman Man Transgender Non-binary/non-conforming Prefer to define myself as … Prefer not to say	Demographic	DE3
04	Geographic Location	Text	Classification / Diversity	DE4
05	Disability *	Text	Classification / Relevance / Application options	DR1
06	Do you find authentication (i.e. logging into websites or applications) difficult because of your disability?	Yes / No / Maybe	Perception of an issue	DR2/U2
07	In what ways (if any) does your disability make authentication hard for you to do? What are the main difficulties that you face when you log in to systems that do not take your disability into account?	Text	Context on current issues. Difficulty related to disability.	U3/DR3
08	How important is it for you to get logged in quickly?	Scalar value 1-5 Not very important Not important Not fussed Important Very important	Need for speed / ease of use.	U4
09	How highly do you rate the importance of security?	Scalar value 1-5 Not very important Not important Not fussed Important Very important	Need for security.	S1
10	How often do you sacrifice security to make logging in easier? E.g. easy passwords, reuse passwords, no 2-Factor Authentication (2FA), etc.	Scalar value 1-5 Not very often Not often Occasionally Often Very often	Willingness to sacrifice security.	DR4/S2
11	Do you sacrifice security because it’s too difficult to authenticate with your disability? Is there anything that could make this easier?	Text	Does lack of usability bar security?	DR5/S3/U5
12	If you had to choose, would you prefer more security or an easier or faster login?	Scalar value 1-5 Much easier Easier Balanced Secure More Secure	Preferences.	S4/U6
13	Would you like to have one system that you could use to log into most of your websites and applications?	Yes / No / Maybe	Is it wanted? Single sign on (SSO) needed?	U7
14	When you log in to a site or service, would you like to have details of your disability passed across so that they can automatically adapt their user experience for you?	Yes / No / Maybe	Need for passing data parameters to third party.	DR6
15	Would you like to have the options to choose which elements of your disability are revealed to each third party that you log into?	Yes / No / Maybe	Level of disclosure to third party.	DR7/P1
16	How do you feel about trusting a company with information about your disability and what benefits or negative side effects do you think it could have?	Text	Trust, privacy and confidence.	DR8/P2
17	Would you like to see a login system that could work with a variety of inputs including paddles, sip/puff, audio / text-to-speech devices, optical / head movement or other assistive technology devices?	Yes / No / Maybe	Application hardware interfacing.	U8
18	In relation to the above question, which alternative or assistive technologies would you like to be able to do this with?	Text	Classify hardware options.	U9
19	Would you like to or currently use assistive technology (AT) such as a paddle or switch to authenticate with? Please specify which AT device you would use.	Text	Use of AT for verification/ 2FA.	U10/DR9
20	Would you say that that you are currently happy with the way you have to login to sites currently?	Text	Overall satisfaction with current technology.	E1
21	Do you find it frustrating or have any reservations when logging into systems (e.g. Loss of data, privacy, access denial, difficulty logging in)?	Text	Negative Emotional states.	P3
22	What strengths do you think a good login system should have, and how would you feel if you could use a system like this?	Text	Positive Emotional states.	E2
23	Do you sometimes think that a company should automatically know who you are, or do you welcome the fact that there is a layer of security always protecting your data? Do you think authentication systems need to be more intelligent?	Text	Security levels, individual recognition, AI detection.	P4/S5
24	Do you feel that security is an organization’s responsibility, that of the user or a bit of both?	Text	Placement of responsibilities	S6/P5
25	Would you consider using an on-person device for verification and if so, which would you prefer? E.g. Key fob, USB key, Bluetooth switch, biometric device or maybe just a mobile phone	Text	Would they be prepared to carry a device with them for verification?	U11
26	Would you like the opportunity to be included in any future research questions in relation to this PhD?	Yes / No Please fill out the separate contact questionnaire if ‘Yes’	Opportunity to participate in further testing systems, reviews or general questionnaires.	DE5
27	Any further comments	Text	Qualitative / vocalization of ideas.	All

Table A3. Questions, their scope, reasoning and categories2.

Index	Question	Format	Relevance/Reasoning	Category
01	Name	Text	Indexing/Storage	DE1
02	Age Range *	16-19 20-29 30-39 40-49 50+	Age verification, categorisation	DE2
03	Gender	Woman Man Transgender Non-binary/non-conforming Prefer to define myself as … Prefer not to say	Demographic	DE3
04	Geographic Location	Text	Classification / Diversity	DE4
05	Disability *	Text	Classification / Relevance / Application options	DR1
06	Do you find authentication (i.e. logging into websites or applications) difficult because of your disability?	Yes / No / Maybe	Perception of an issue	DR2/U2
07	In what ways (if any) does your disability make authentication hard for you to do? What are the main difficulties that you face when you log in to systems that do not take your disability into account?	Text	Context on current issues. Difficulty related to disability.	U3/DR3
08	How important is it for you to get logged in quickly?	Scalar value 1-5 Not very important Not important Not fussed Important Very important	Need for speed / ease of use.	U4
09	How highly do you rate the importance of security?	Scalar value 1-5 Not very important Not important Not fussed Important Very important	Need for security.	S1
10	How often do you sacrifice security to make logging in easier? E.g. easy passwords, reuse passwords, no 2-Factor Authentication (2FA), etc.	Scalar value 1-5 Not very often Not often Occasionally Often Very often	Willingness to sacrifice security.	DR4/S2
11	Do you sacrifice security because it’s too difficult to authenticate with your disability? Is there anything that could make this easier?	Text	Does lack of usability bar security?	DR5/S3/U5
12	If you had to choose, would you prefer more security or an easier or faster login?	Scalar value 1-5 Much easier Easier Balanced Secure More Secure	Preferences.	S4/U6
13	Would you like to have one system that you could use to log into most of your websites and applications?	Yes / No / Maybe	Is it wanted? Single sign on (SSO) needed?	U7
14	When you log in to a site or service, would you like to have details of your disability passed across so that they can automatically adapt their user experience for you?	Yes / No / Maybe	Need for passing data parameters to third party.	DR6
15	Would you like to have the options to choose which elements of your disability are revealed to each third party that you log into?	Yes / No / Maybe	Level of disclosure to third party.	DR7/P1
16	How do you feel about trusting a company with information about your disability and what benefits or negative side effects do you think it could have?	Text	Trust, privacy and confidence.	DR8/P2
17	Would you like to see a login system that could work with a variety of inputs including paddles, sip/puff, audio / text-to-speech devices, optical / head movement or other assistive technology devices?	Yes / No / Maybe	Application hardware interfacing.	U8
18	In relation to the above question, which alternative or assistive technologies would you like to be able to do this with?	Text	Classify hardware options.	U9
19	Would you like to or currently use assistive technology (AT) such as a paddle or switch to authenticate with? Please specify which AT device you would use.	Text	Use of AT for verification/ 2FA.	U10/DR9
20	Would you say that that you are currently happy with the way you have to login to sites currently?	Text	Overall satisfaction with current technology.	E1
21	Do you find it frustrating or have any reservations when logging into systems (e.g. Loss of data, privacy, access denial, difficulty logging in)?	Text	Negative Emotional states.	P3
22	What strengths do you think a good login system should have, and how would you feel if you could use a system like this?	Text	Positive Emotional states.	E2
23	Do you sometimes think that a company should automatically know who you are, or do you welcome the fact that there is a layer of security always protecting your data? Do you think authentication systems need to be more intelligent?	Text	Security levels, individual recognition, AI detection.	P4/S5
24	Do you feel that security is an organization’s responsibility, that of the user or a bit of both?	Text	Placement of responsibilities	S6/P5
25	Would you consider using an on-person device for verification and if so, which would you prefer? E.g. Key fob, USB key, Bluetooth switch, biometric device or maybe just a mobile phone	Text	Would they be prepared to carry a device with them for verification?	U11
26	Would you like the opportunity to be included in any future research questions in relation to this PhD?	Yes / No Please fill out the separate contact questionnaire if ‘Yes’	Opportunity to participate in further testing systems, reviews or general questionnaires.	DE5
27	Any further comments	Text	Qualitative / vocalization of ideas.	All