Understanding Authentication Method Use on Mobile Devices by People with Vision Impairment

Daniella Briotto Faustino, Audrey Girouard · 2018 · Proceedings of the 20th International ACM SIGACCESS Conference on Computers and Accessibility (ASSETS 2018) · doi:10.1145/3234695.3236342

Summary

This Carleton University study presents the largest survey to date on how people with vision impairments use passwords and authentication methods on mobile devices. The researchers collected responses from 325 participants (225 blind, 100 low vision) across 12 countries, distributed through organizations like the Lighthouse for the Visually Impaired and Blind and the Canadian Council of the Blind. The survey, available in English and Portuguese, covered four areas: demographics, general password use, perceptions of existing authentication methods, and smartphone protection practices. The study was motivated by a gap in understanding: prior research showed that a majority of people with vision impairments did not use authentication on their phones because they found available methods inaccessible or inconvenient, yet increasingly these users rely on smartphones for sensitive activities like banking and email. The participant pool was diverse — ages ranged from 18 to 80 (median 45), most had been vision impaired for their entire adult lives, and 15.1% reported additional impairments (most commonly hearing loss). Screen readers were the most commonly used assistive technology (87.7%), followed by assistive apps (67.4%) and Braille displays (42.5%), with significant differences between blind and low vision groups in which technologies they relied on.

Key findings

The survey revealed that 96% of participants considered passwords important or very important, contradicting any assumption that visually impaired users are unconcerned about security. However, password practices reveal accessibility-driven vulnerabilities: the most common memorization strategy (33.5%) was using familiar names, numbers, and dates — creating easily guessable passwords. A quarter used a base password with slight variations across sites, and 14.5% stored all passwords in a file on the same device. Fingerprint authentication was rated both the most secure (by 57% of participants) and the most accessible method (by 62%), while PINs were considered least secure. In practice, 73% of smartphone users relied on fingerprints. Critically, 69.5% had concerns about entering passwords in public spaces — the primary fear was shoulder surfing (61% blind, 51% low vision), followed by aural eavesdropping (27% blind, 11% low vision), which is a unique vulnerability since screen readers announce password characters aloud. Blind participants were significantly more concerned about aural eavesdropping than low vision participants. The least accessible methods differed by group: blind users found patterns and iris scans least accessible (requiring visual interaction), while low vision users found alphanumeric passwords and PINs least accessible (requiring precise typing through screen magnifiers). A quarter of smartphone owners (24.7%) used no authentication at all, citing complexity, inconvenience, or not knowing how to set it up.

Relevance

This study provides essential data for anyone designing security features for mobile devices or web applications used by visually impaired people. The central tension it reveals — that screen readers create a unique "aural eavesdropping" attack vector by reading passwords aloud — is a problem that remains relevant today and has implications beyond mobile devices (web forms, ATMs, kiosk authentication). For practitioners, the key design insight is that truly accessible authentication should not require precise visual interaction (ruling out patterns and iris scans for blind users), precise keyboard input viewed through a magnifier (problematic for low vision users), or any audible feedback that reveals credentials. Fingerprint authentication meets these criteria well, explaining its overwhelming preference. The finding that a quarter of users lack any authentication due to accessibility barriers represents a significant security gap that could be addressed through better onboarding, training, and the development of authentication methods specifically designed for non-visual use, such as tactile or gesture-based alternatives.

Tags: blindness · low vision · mobile accessibility · authentication · security · privacy · passwords · biometrics · shoulder surfing