Archive for the ‘About Project’ Category

Online Security & Privacy for People with Cognitive Disabilities: Challenges & Solutions


Description of the Technologies

Most user interfaces are designed to help users complete tasks. However, web security and privacy technologies intentionally introduce barriers to task completion. They require users to perceive more and to do more to complete tasks. Three examples of these technologies are passwords, CAPTCHA, and 2-Factor Authentication.

  • Passwords are words or character strings used for authentication and/or for identity confirmation.
  • CAPTCHA is a website widget, which prevents automated programs from submitting a web form intended for humans, by requiring humans to pass a test. Such tests:
    • present distorted text visually and/or aurally;
    • require users to enter that text into a field; and
    • require users to invoke a submit button.
  • 2-factor authentication requires a two-stage process to verify the identity of a user. The user is required to have two of three of the following factors:
    • knowledge, e.g., password or PIN;
    • possession, e.g., mobile device or credit card;
    • inherence, e.g., fingerprint or voice print (via biometric device).

Challenges for People with Cognitive Disabilities

Web security and privacy technologies often block people with cognitive and/or physical disabilities who may not be able to:

  • discern text they are required to enter and submit;
  • recall text or instructions they have seen or heard;
  • follow multi-step procedures.

The scope of the problem is vast because, for examples, people with disabilities:

  • are prevented from purchasing goods and registering for services on the millions of websites that employ web security and privacy technologies;
  • may circumvent web security and privacy technologies with insecure techniques/methods;
  • may become so frustrated working through web security and privacy technologies that they relinquish their efforts, and thereby are thwarted from purchasing goods and registering for services;
  • may be unable to become accustomed to a web security and privacy technology because there are multiple versions of it across websites;
  • may be afraid to trust a web site, thus causing them to cancel a transaction.
    • Note: This is of particular concern for efforts to personalize web sites so they conform to users’ accessibility preferences. (E.g., users may be asked whether they trust a web site in order to pass such preferences.) See:
    • IndieUI
    • Global Public Inclusive Infrastructure (GPII)

Effect of memory impairments

Many people with cognitive disabilities:

  • may have to look at or listen to text several times to copy or type it into a form field;
  • may not recall steps needed to complete a procedure if an authentication session expires;
  • may reuse passwords;
  • may use simple-to-remember passwords, which are easy to guess/determine;
  • may keep passwords insecurely, such as written on pieces of paper;
  • may not recall where they keep passwords (which may be found by people who should not have them).

Some people with cognitive disabilities may not:

  • be able to recall required text, such as a password or a PIN, or remember how to retrieve it.

Effect of impaired executive function

Many people with cognitive disabilities may not:

  • complete a multi-step procedure for submitting text, such as a password;
  • complete a timed procedure due to slowness in completing all steps;
  • complete a procedure even if provided multiple opportunities to do so;
  • enter characters in the correct order;
  • enter characters correctly on the first try (resulting in being locked out).

Some people with cognitive disabilities may not be able to:

  • retrieve required text, such as a password or a PIN;
  • determine the purpose of a web security and privacy technology sufficiently or at all.

Effect of attention-related limitations

People with cognitive disabilities may not focus due to:

  • frustration with time-limited procedures or presentations of digital security tokens;
  • irrelevant instructions, such as CAPTCHA‘s “stop spam” and “read books”;
  • presentation of multiple options, such as CAPTCHA‘s “Refresh”, “Listen”, and “Help”.

Effect of impaired language-related functions

Some people with cognitive disabilities:

  • may have comprehension problems exacerbated by text or instructions presented in a non-native language.

Effect of impaired literacy-related functions

Some people with cognitive disabilities:

  • may not comprehend the meaning of instructions related to web security and privacy technologies;
  • may, when presented with words by CAPTCHA, be at a disadvantage due to lack of word recognition or comprehension.

Effect of perception-processing limitations

Many people with cognitive disabilities may not:

  • read text at all because of the intentional distortion of it, a CAPTCHA technique;
  • comprehend text that can’t be enlarged without additional distortion;
  • understand text spoken in a computerized and distorted voice, a CAPTCHA technique;
  • recognize characters if they do not form words, or are shown in different fonts/styles.

Some people with cognitive disabilities may not:

  • understand the purpose of buttons such as CAPTCHA‘s “reset”, “listen”, and “help”;
  • recognize functional elements, such as CAPTCHA‘s buttons, are clickable;

Effect of reduced knowledge

Some people with cognitive disabilities may not:

  • recognize images, such as symbols or icons, of web security and privacy technologies;
  • comprehend the meaning of rich media designed to be instructive.

Proposed Solutions

W3C Recommended Guidelines and Techniques

  • Provide text alternatives that identify and describe the purpose of the non-text content.
  • Turn off or adjust time limits, including allowing continuation of activity without reauthentication.
  • Help users avoid and correct mistakes.
  • Save submitted data for reuse after a user authenticates.
  • Encode user data as hidden or encrypted in a re-authorization page.

Ease-of-Use Ideas

  • Allow alternative authentication factors, such as:
    • location (e.g., user’s home or place of employment);
    • presence of a trusted family member or friend, who is detected, for examples, by a wearable biometric device or by a mobile device;
    • could be implemented consistently so that the interface is the same across web sites.
  • Develop and use a consistent interface, such as common sets of vocabulary and iconography, across sites.
  • Offer textual-password alternatives, such as swipe patterns or click-based graphical passwords.
  • Provide security and privacy instructions and policies in plain language.
  • Provide helpful feedback during web-form submission, such as explanations of:
    • why an entered password is insufficient; and/or
    • how to create a password that is easy to remember but hard to guess/determine.
  • Set a high-security privacy option as the default, but ensure it is easy to use.
  • Use a password-keeper app that is accessed biometrically, such as via fingerprint or voice print.

Alternative Web Security and Privacy Technologies

  • Security tokens, some of which are hardware devices,can be used to make authentication easier. Security tokens are used instead of, or in addition to, other forms of authentication such as passwords. Security-token hardware devices:
    • include key fobs, rings, or small keypads;
    • can store and/or generate a digital signature, a PIN, or biometric data;
    • can transmit such data via a USB connector, RFID, Bluetooth wireless, or NFC.
  • Keygen, an element of HTML5,can be used to simplify re-authentication. After a user has completed authentication using keygen, the user will be automatically authenticated for subsequent uses of a web site or service. Thus, there will be no need for a user to re-enter authentication information.
    • Keygen establishes a private-key and a public-key pair.
    • The keygen tag designates a key-pair field in an authentication form.
    • Upon form submission:
    • a private key is encrypted and saved locally; and
    • a public key is signed with the private key, and is sent to the server.
    • In subsequent authentication sessions, the server will either automatically retrieve the private key, or prompt the user to select it.
    • See W3C HTML5 Recommendation 4.10.12 The keygen element.
  • Fast IDentity Online (FIDO), password-free standards for typical and two-factor authentication.
    • FIDO relies upon user authentication based upon a user’s device (e.g., phone, tablet, computer).
    • A user’s device registers the user, to a server, via a public key.
    • Upon a challenge from the server, the user’s device responds with a private key.
    • The device’s keys are unlocked by the user biometrically (e.g., fingerprint scanner) or by a button press, not by a password.
  • Spam-free accessible forms, WebAIM, Utah State University, March, 2007.

CAPTCHA Alternatives

  • CAPTCHA-less Security, Karl Groves, April, 2012.
  • Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web, World Wide Web Consortium, November, 2005.
  • Determine the time difference between when a web form is loaded and when it is submitted. If it is submitted quickly, which may be indicative of a spambot, discard the submission. Otherwise, keep it.
  • A web-form honeypot that is:
    • an input field
    • hidden using CSS
    • labeled with a field name atypical of forms
    • clearly identified with instructions, for AT users, and for others whom have disabled CSS, not to fill it in
    • checked to determine if something was entered
    • used to reject a submission if something was entered


Online Security & Privacy for People with Cognitive Disabilities, Part 1


I am trying to evaluate the barriers of online security and privacy to people with cognitive disabilities.lock labeled with WWW This work will help inform the effort of the W3C’s Cognitive and Learning Disabilities Accessibility Task Force to recommend standards on how to make online security and privacy more accessible.


I am struggling with how to go about this evaluation. It is a daunting task to come up with common barriers and solution recommendations across:

  • the many end-user security and privacy techniques, e.g.:
    • passwords;
    • two-factor authentication;
    • biometrics; and
    • encryption
  • the variety of platforms upon which the techniquesare implemented, e.g.:
    • operating systems;
    • devices;
    • web and mobile apps; and
    • messaging
  • the different ways the many techniques within the various platformshave been implemented by the major players, e.g.:
    • Apple;
    • Google;
    • Microsoft; and
    • Open Source


It is well known that people sacrifice security and privacy for the sake of convenience. Security and privacy techniques are too difficult to use, and thus are inconvenient. For people with cognitive disabilities, such “inconvenience” amounts to a significant barrier. (See my recent blog post about CAPTCHA for an illustration.)

It appears to me, from my research so far, that there is a lot of work on how to improve the security standards of information and communications technology (ICT) without much focus on the usability and accessibility of it. For example, I could not find even the terms “usability” and “accessibility” in the ICT Security Standards Roadmap of the International Telecommunication Union, an agency of the United Nations.


Determining how to make online security usable for everyone must include people with cognitive disabilities. Doing so will mean that the related user experience will be designed to be as simple as possible. The more the experience is easy to use, the more everyone will protect their assets and privacy.

A piece of good news is that the Electronic Frontier Foundation is researching how to measure the usability of implementing secure messaging as part of its “Designing a Prize for Usable Cryptography”. I expect that work would be enough to help develop usability and accessibility-evaluation standards for online security and privacy in general; and to inform the creation of related recommendations for people with cognitive disabilities.


I am working on a list of barriers, based upon functional limitations, which are common to end-user security techniques, and sublists unique to each technique. I am not a security and privacy expert. Thus the limitations I am considering are based solely upon my expertise in accessibility and cognitive disability, and what seems logical to me. (For an example, see my recent blog post about CAPTCHA.) I suppose that effort will have to suffice until a security expert, such as the Electronic Frontier Foundation, determines how to measure related usability.

Help Needed

I welcome comments with:

  • suggestions about how to evaluate the barriers of online security and privacy to people with cognitive disabilities; and
  • information about any effort to evaluate the usability and accessibility of online security and privacy techniques


  • See Stay Safe Online for online security-related instructions and information.
  • No endorsement is intended or implied of the organizations and their efforts mentioned in this blog post.

CAPTCHA, Cognitive Disabilities, v1 (W3C Task Force)


As a member of the W3C‘s Cognitive and Learning Disabilities Accessibility Task Force, I agreed to review web-security technologies. I chose to begin with CAPTCHA. My first draft is below. The format I am using is the one I intend to use for future reviews. All the text is my own.

I welcome your feedback, additions, and/or revisions.

Example: shows 2 italicized words with lines through them; field with label 'Type the two words:';  3 buttons; and text 'reCAPTCHA', 'stop spam', 'read books'.Definition

CAPTCHA is typically a website widget that prevents automated programs from submitting a web form intended for humans by requiring humans to pass a test. Such tests present distorted text visually and/or aurally; and require the form-submitter to enter that text into a field, and invoke a submit button. See


CAPTCHA often blocks people with physical and/or cognitive disabilities who cannot discern the text they are required to enter and submit. The scope of the problem is vast because, for example, people with disabilities are prevented from purchasing goods and registering for services on the (probably) millions of websites that use CAPTCHA.

People with Cognitive Disabilities May Not Be Able to:

  • read CAPTCHA text at all because of the intentional distortion of it
  • comprehend text that can’t be enlarged without additional distortion
  • have the advantage of comprehending the meaning of words or images
  • understand text spoken in a computerized and distorted voice
  • complete the multi-step procedure for submitting the CAPTCHA text
  • complete a timed CAPTCHA due to slowness in completing all steps
  • understand the purpose of buttons such as reset, listen, and help
  • recognize functional elements, such as buttons, are clickable
  • focus due to irrelevant instructions such as “stop spam” and “read books”
  • become accustomed to CAPTCHA because there are multiple versions of it



  • Neil Milliken suggested I add that people may not be able to complete CAPTCHAs correctly due to sequencing problems causing them to input the characters in incorrect order. I will do so in my next draft.
  • No endorsement of CAPTCHA or its alternatives is intended or implied.

Autism Gap Analysis (W3C Task Force)


Neil Milliken and I have written an autism gap analysis as part of the effort to create gap analyses by the W3C‘s Cognitive and Learning Disabilities Accessibility Task Force. Our intent is to identify the gap between where the state of accessibility for people with autism is now when using the web, and where we want it to be. The following is information about the autism gap analysis.

We included some personas with use cases that address key challenges. The personas and use cases are based upon aggregated results of interviews of people with autism-spectrum disorder (ASD), and upon anecdotal observations of their use of the web.

To our knowledge, there is no significant, empirical (user-based) testing on the use of the web by people with autism or other cognitive disabilities. In part because of that, we quoted results of directly-related research performed by WebAIM (N=8) in the section “Characteristics of content optimized for this group.”

We also quoted, from authoritative sources, much of the background information about autism. We did that, in large part, to help avoid adding to ASD-related controversies. The prime example is the reported increasing prevalence of ASD, and arguments that the increase is not actual, but due to the nature of the diagnoses.


  • I will soon conduct a literature review for user-testing-based research related to web accessibility and people with cognitive disabilities. If you know of any, please post a comment with a reference to it.
  • Neil Milliken was assisted by Jessie Grainger, an intern who helped write most of the use-case scenarios.
  • No endorsement of any of the information contained in the autism gap analysis is intended or implied.

Gap Analyses for Cognitive Web Accessibility (W3C Task Force)


The members of the W3C‘s Cognitive and Learning Disabilities Accessibility Task Force have been working since January to develop a set of gap analyses. A gap analysis, as we have defined it, identifies the gap between where the state of accessibility for people with cognitive disabilities is now when using the web, and where we want it to be.

The gap analyses are based upon common cognitive disabilities. The following list of the gap analyses includes their primary authors (as of July, 2014).

The task force has completed the first drafts. We are now working on integrating the information in the gap analyses into a single document. A large part of this work is to define cognitive web accessibility from a functional standpoint. We plan to combine information, such as challenges and techniques, that is common across the gap analyses, and retain information that is unique to a particular disability.

Note: The referenced gap analyses should not be quoted. They are works in progress. They do not necessarily represent consensus. They may have incorrect information; or information not supported by other task-force members, the WAI, or the W3C. They also may have some very-useful information. (This disclaimer paraphrases the one at the tops of the gap analyses.)

Proposed Infrastructure For Automatic-Accessibility Personalization


The WC3‘s Cognitive and Learning Disabilities Accessibility Task Force received a presentation about a project called the “Global Public Inclusive Infrastructure” (GPII), from Gregg Vanderheiden, on March 31, 2014. Quoted below is a project description.

“The purpose of the Global Public Inclusive Infrastructure (GPII) is to ensure that everyone who faces accessibility barriers due to disabilityliteracydigital literacy, or aging, regardless of economic resources, can access and use the Internet and all its information, communities, and services for education, employment, daily living, civic participation, health, and safety.

As our countries build out their broadband infrastructures to ensure that broadband reaches everyone, it is important that ‘everyone’ includes people with disability, literacy and aging related barriers to Internet use. We need to be sure that we don’t stop at just connecting people to the Internet – but that we also see to it that they can actually use it, and benefit from all that it has to offer.

The GPII would not create new access technologies or services, but would create the infrastructure for making their development, identification, delivery, and use easier, less expensive, and more effective.  Like building a road system does not provide transportation but greatly enhances the ability of car companies and others to do so — and provides an infrastructure that car companies themselves cannot do. The Internet is the infrastructure for general information and commerce. The GPII enhancements to the Internet would provide the infrastructure to enable the Internet to be truly inclusive for the first time.

GPII is a paradigm shift.  The GPII will, for the first time, introduce automatic personalization of user interfaces and user context adaptation based on user preferences.  Each information and communication technology (ICT) device will be able to instantly change to fit users as they encounter the device, rather than requiring users to figure out how to adapt, configure or install access features they need.  It also introduces a system of shared components and services to reduce cost, increase interoperability, and foster innovation.”

The “GPII is a project of Raising the Floor, a consortium of academic, industry, and non-governmental organizations and individuals.”

Retrieved from (Published June 30, 2010).

Note: No endorsement of the Global Public Inclusive Infrastructure and Raising the Floor is intended or implied.

New W3C Task Force for Cognitive Accessibility


A new task force has been formed by the World Wide Web Consortium (W3C) to develop accessibility guidelines for people with cognitive disabilities. It is led by Lisa Seeman, a long-time expert and advocate. Task force members are well-known experts from all over the world.

I am a member, an “Invited Expert”. My current, primary responsibility is to create and manage volunteer research groups of people with disabilities and others. I participate in the weekly conference calls of the task force, which so far have consisted of brainstorming sessions, presentations, and organization by Lisa of the task force’s work. Our first teleconference occurred on January 20th of this year.

The task force is known as the “Cognitive and Learning Disabilities Accessibility Task Force (Cognitive A11Y TF)” of the Protocols and Formats Working Group, and the Web Content Accessibility Guidelines Working Group.

I plan to publish, to this blog, the information I can share about the task force’s work.

Redesigning University Website for People with Learning Disabilities: Feedback


I am working on a project to make the website, of a university program for people with learning disabilities, more usable by prospective students. Small groups of faculty and students were shown the first mockup last week. Listed below is their feedback and brief descriptions of a few possible remediation efforts.

About Navigation

  • Feature the program prominently on the university site’s home page. Students could not find information about the program because a link to its home page is hidden within a drop-down menu.
  • Display links in navigation menus rather than place them in drop-down menus.
    • We plan to do so, perhaps indenting the links of subsection pages. (Unordered lists are good for that.)
  • Within the left-navigation menus of the program’s pages, display a link to the program’s home page. When students got lost within the website, they said they wanted to start over by returning to the program’s home page.
    • We will do so. We will also consider adding a button with an image shaped like a house, which students said they associate with a site’s home page.
  • Do not depend upon breadcrumb navigation to help visitors navigate the site. Students and faculty did not notice the breadcrumb navigation until prompted. Faculty indicated it was useful once they were shown its function.
  • Do not depend upon links scattered throughout the content. They were not immediately apparent to students when they were asked to find specific information.
  • Do not depend upon a search box to help visitors. When asked to find specific information, neither the students nor the faculty thought to use the site’s search box. Doing so would be confusing anyway, faculty pointed out, because search results are derived from the university’s entire site, not just from the program’s portion of it.
  • Do not position navigation menus on the right side of pages. Students and faculty had to be prompted to notice them.
    • This is unsurprising. Web usability studies based upon eye tracking have shown people look at pages in an F-shaped pattern. One consequence is that they pay no attention to the right side of pages.
  • Consider consolidating the number of links in the left menus. Only their first few links were read by the students.
  • Consider reducing the number of choices on each page. For example, the large number of site navigation links were simply overwhelming to students.
    • We may have to develop a template for the program’s section of the university site that presents significantly fewer navigation choices.
  • Link course descriptions to professors’ profiles. We had set up course descriptions to be found by drilling down by year, then by curriculum, then by topic. That did not make sense to students.

About Content

  • Use a larger default text size.
  • Add a lot more pictures, particularly contextually-relevant ones to enhance comprehension of textual content.
  • Closely associate images to their relevant textual content. Example: The list of faculty includes pictures of them, but it is unclear which photo is associated with which professor’s name and description.
  • Provide faculty-specific contact information within their profiles rather than in a central location.
  • Continue to use bulleted lists. Students found such content easier to read; faculty found it easier to scan.
  • Embed videos, not just link to them.
  • Use a web form, not an email link, for visitors to submit questions and site feedback. Students indicated a web form would be easier for them. A faculty member pointed out that such a link will not work at all unless a visitor’s computer is configured to open email software once that link is clicked.
  • Determine a way to make program contact info apparent so visitors will contact the program, not the university.
  • Include content for current students, not just prospective students.
    • Such content is now in a PDF. We will likely convert it to a web page so students do not need to have special software (Acrobat Reader) to view it.


Struggling to Reduce Dense Content Into Chunks Without Requiring Multiple Clicks


I am working on a project to make the website of a local university, which has a campus-based program for students with learning disabilities, more usable by them. The current site is designed for parents of prospective students and professionals who serve them. We anticipate our work will make the site easier to use and to understand for everyone.

Over the past few months, an adjunct faculty member has reduced the amount of content, simplified its language, and reorganized it. I created a functional site mockup to demonstrate that work. Yesterday, we showed it to a small group of students, then to a small group of faculty.


Our attempt to separate content into small chunks produced more pages. This exacerbated a problem experienced by the students, which was that navigating the many layers of the site is perplexing. Moreover, faculty indicated frustration with having to click many links to find desired information.


The current first-year curriculum page contains short descriptions for twenty courses. For the mockup, we moved each description to its own page, reducing the curriculum page to a list of course titles. This design requires extra clicks to see course descriptions. As well, the groups indicated the curriculum page is still too long.


We will next shorten the curriculum page by dividing it into sub-pages by topic. One- to two sentence descriptions of the courses under their titles may obviate the need for extra clicks to view more-detailed information. We will know if this has achieved any success only after testing with students.

Overall, I am describing an approach designed to resolve a larger dilemma. How can we provide information about the program in a simple way for students while also supplying a level of detail that may be required by professionals, parents, and even the students themselves? I suppose this is an adventure to find out.


Teaching People How To Enlarge Web Pages: Providing Feedback


I believe it is common knowledge that providing feedback while teaching is very important. In particular, positive reinforcement consequent to successful performance is essential for increasing the likelihood a skill will be acquired (that a behavior will occur again). As it is my intention to teach basic Web skills via the Web itself, tutorials must be designed so reinforcing feedback is provided automatically.

A common way of designing such interactivity into Web pages is to use JavaScript. I met last week with a developer who is an accessibility expert. For many years, Rich Caloggero has worked for The National Center for Accessible Media and for The MIT Adaptive Technology Information Center. We anticipate building interactive features that, for example, would indicate to people they indeed pressed the correct keys, in the appropriate sequence, to enlarge a Web page.

It is my hope to approximate on a simple level the sophisticated feedback features that Dr. Janet Twyman, who is guiding me in this project, has had built into software for teaching children to read. From the beginning, she has stressed to me the importance of detecting and reinforcing the pressing of the correct key sequence. I will post the details of this effort as the three of us develop them.

Notes: This post is the fourth in a series about Teaching Web Page (Text) Enlargement. Please post a comment with any suggestions.

%d bloggers like this: