Multifactor Authentication types across 50 universities

When considering the different types of Multifactor Authentication (MFA) it is clear that many could be a challenge for students with a wide range of disabilities. However, when you add the use of assistive technologies and customisation or potential personalisation the barriers begin to come down. That is as long as the actual website or app hosting the required verification of a sign up or log in is accessible.

With these caveats in place it seemed that as long as students were provided with at least three or more choices it would be possible to navigate MFA. That thought led to a mini survey of around a third of the universities in UK to see what was on offer.

graph of MFA choices in 50 universities
Vertical axis has the MFA options and the horizontal axis is the number of universities offering that type of option

Several universities offer a password as their main login method and then additional security for certain more sensitive areas. 42 out of 50 universities offer apps, but only two apppear to provide 2 options for the type of app, such as Microsoft and Authy on a desktop, which can be very helpful for assistive technology users who do not have smart phones or find their desktop AT easier to use.  8 universities offer hardware tokens and 6 offer at least 5 options but 9 had no alternatives that could be easily found and 14 universities made searching for support difficult by not having easy to reach information pages.

Microsoft authentication app, a text message to a mobile phone or a call to either a landline or mobile, were the most common verification methods after a login email and password had been generated. 

So in summary…

  • many students have limited options if they do not want to or could not use the Microsoft Authentication app or do not have a smart phone.  
  • there are rarely more than two options if using an app is not possible and one includes the use of a landline, which may not always be possible in a college or university setting
  • it often it took more than ‘three clicks’ or selection choices to reach any supporting materials and these rarely mentioned the use of assistive technologies.  However, there was usually a contact form or email address available.

Multifactor Authentication – Cognitive overload?

smart phone face recognition, code, finger print and numeric password screens.

Recenty the FBI warned that cyber thieves are finding ways around multifactor authentication protections. We may not own crypto accounts, but universities across the UK have implemented forms of two or multi-factor authentication to protect our accounts and we are grappling with strategies to ensure accessible forms for verification are available. The W3C WCAG Cognitive and Learning Disabilities Task Force has published an Accessible Authentication (User Story) to illustrate the need for the cognitive function test mentioned in the previous blog. It also highlights how memory impairments and difficulties with executve function can make MFA a challenge as well as time constraints.

There was a Twitter stream in February 2021, that highlighted more reasons why some of the MFA choices offered may not be helpful to individuals with Autism and Attention Deficit Hyperacive Disorder (ADHD). Devon Price’s insight into the frustrating nature of these extra levels of security illustrates the cognitive overload that can occur when several tasks have to be completed with multiple devices or systems.

key fob

If you do not have an external code device, the choices tend to centre around the use of a personal mobile phone. Having checked the websites of 50 universities it appeared that 42 (84%) advised students to use an authenticator app – usually Microsoft, that also offers a Self Service Password Reset. Other options were the Authy, Google, Sophos or Duo apps. All the university systems still require the user to remember passwords with the extra verification and then encourage a back up option via SMS, a phone call and some mentioned a landline or email. Only 4 universities offered a choice of two authentication apps and just 7 mentioned the use of a fob or external device, although one said this would not to work with Virtual Personal Networks. Preference for Authy as an alternative was mentioned in a question about the Microsoft Authenticator, as this can be used on a desktop computer. At the time of writing Microsoft Authenticator instructions do not mention a desktop verification option to their MFA.

Some universities in the small study used the Microsoft instructions, but when searching for support it took well over 3 clicks, to find out about the authentication options offered by 14 out of the 50 universities (28%), 9 of these websites either had no information or required a log in. This meant that a new student may have no way of preparing for this aspect of registration, although all of the websites had good connections to their student support or IT services.

Only one university appeared to depend on a memorable word for verification and the use of authenticator apps usually meant that the code could be used without an internet connection or a connection to a mobile network provider. This does not mean that copying a code results in successful verification on all occasions.

Where concentration or attention is an issue, as may happen with ADHD, the problem of copying codes from one device to another can become worse as more attempts are made. Too many tries leads to lockout, desperation and yet another feeling of failure, let alone time wasting and other more severe consequences, if the actions are related to banking. Actions that involve recognition and copying qualify under the W3C WCAG cognitive function test as requiring an alternative method.

Using biometrics is often considered a good alternative, but it is not always easy to get facial recognition to work on phones if you are blind or have dexterity difficulties and some individuals really do not like sharing their facial image. The UK National Cyber Security Centre admits that fingers prints are not always recognised if people have been working in some industries or you are elderly and even a skin condition can cause problems. Also not all devices offer the chance of using finger recogntion.

In summary Making Content Usable for People with Cognitive and Learning Disabilities suggests four options:

  1. Web Authentication: An API for accessing Public Key Credentials [webauthn-2].
  2. Single Sign-on (SSO) that allow users to access many sites with a single login (federated login).
  3. Two step authentication with Bluetooth links (no copying).
  4. Quick Response Codes (QR Code).

The use of authentication apps, with a set up of 5 additional choices was offered by 6 of the 50 universities reviewed, so they provided more than the above options, plus the ability to use a helpline. When checking the helplines it became clear that there were often rather a lot of questions surrounding the Microsoft Authenticator, as evidenced by the University of Hertfordshire’s comprehensive set of answers. So It appears there is still much to do to make the process more inclusive.

Multifactor Authentication update WCAG 2.2

laptop with login and password

On January 13th, 2022, a W3C Editor’s draft of the Web Content Accessibility Guidelines (WCAG) 2.2 was published on GitHub. Among several updates and new items, it includes processes for making multifactor Authentication more accessible and easier to use. Systems for auto-filling are allowed, as well as copy and paste, so that one does not have always depend on remembering passwords. Email links and text messages are included for those happy with using other applications and devices.

This is welcome help for aspects of multifactor authentication that were described in a previous blog, even though the requirement is not at the hoped for top level. However, it has been set at Level AA, so hopefully this new Success Critera will still be offered by web services later this year. As was mentioned in August 2021, passing the check is based on overcoming what is called the cognitive function test

“A task that requires the user to remember, manipulate, or transcribe information. Examples include, but are not limited to:

  • memorization, such as remembering a username, password, set of characters, images, or patterns. The common identifiers name, e-mail, and phone number are not considered cognitive function tests as they are personal to the user and consistent across websites;
  • transcription, such as typing in characters;
  • use of correct spelling;
  • performance of calculations;
  • solving of puzzles. ” (WCAG 2.2)

It should be pointed out that this draft has yet to be approved, but WCAG have set June 2022 as the date for publication.

As an aside, there is no mention regarding the impact of biometrics (such as facial or finger print recognition) in the WCAG document, which can also be used to support access to web services, but are not available on all devices. These systems do not suit all users, and if passwords are not used as part of a login process these could present another type of barrier.

Time-based one-time passwords (TOTPs) can also cause problems when they have a very short period of use (30 seconds) and a person may fail to complete the action several times and then has to take a break. A January 2022 review by PC Mag UK highlighted the fact that Authenticator apps can offer better security, when compared to text messages (SMS). Some have desktop options that may also be more accessible.