Cognitive Function vs. Accessible Authentication: Insights from Dyslexia Research

Jacques Ophoff, Graham Johnson, Karen Renaud · 2021 · Proceedings of the 18th International Web for All Conference (W4A) · doi:10.1145/3430263.3452427

Summary

This paper explores the accessibility challenges that password-based authentication poses to people with dyslexia, arguing that accessibility is a neglected third dimension alongside the well-studied security and usability considerations. The authors recruited 13 participants with dyslexia for in-depth online semi-structured interviews conducted during COVID-19 lockdowns. The study distinguishes between dysphonetic dyslexia (difficulty connecting sounds to symbols, leading to spelling mistakes) and dyseidetic dyslexia (difficulty recognizing whole words by sight, which likewise impairs spelling). Both types face significant challenges with passwords, which are by design nonwords: dysphonetic dyslexics struggle to break passwords into characters for re-entry, while dyseidetic dyslexics cannot rely on visual memory to memorize obfuscated strings. The paper also evaluates the draft WCAG 2.2 success criterion 3.3.7 (Accessible Authentication), which proposes that for any authentication step relying on a cognitive function test, at least one alternative that does not rely on cognitive function must be available. The authors evaluate alternative authentication mechanisms, including graphical passwords, OTPs, smart cards, biometrics, and musical passwords, for their suitability for people with dyslexia.

Key findings

Participants reported pervasive difficulties across the entire password lifecycle — creation, use, and management. Password complexity requirements were particularly problematic: special characters, mixed case, and minimum lengths created passwords that participants struggled to meet, remember, and re-enter. Confirming a password by typing it twice was frequently cited as extremely difficult. Participants described reversing letters, confusing similar characters ("a" vs "@"), and experiencing frustration that led to frequent account lockouts and forced password resets. PINs and numeric codes were similarly challenging — one participant described always needing her husband to verify numbers she entered for online banking. CAPTCHAs with distorted text were identified as particularly hostile, though image-based CAPTCHAs and audio alternatives were more manageable. Coping strategies included writing passwords down, saving PINs as fake phone contacts, and relying on automatic phone OTP entry. Participants showed interest in graphical passwords (recognizing images rather than recalling text), musical passwords (remembering tunes being easier than letter strings), and biometrics (fingerprint and facial recognition were praised for eliminating text entirely). However, biometrics raised privacy and security concerns for some participants. The evaluation of alternative mechanisms revealed no single "most appropriate" solution — different users preferred different approaches, reinforcing the need for multiple authentication options.

Relevance

This paper addresses a significant blind spot in both the security and accessibility communities. Authentication is a mandatory, daily interaction that every digital user must perform, yet its accessibility implications for the estimated 10-20% of people with some degree of dyslexia have been largely ignored. The research directly informed the development of WCAG 2.2 Success Criterion 3.3.7 (Accessible Authentication), making it highly relevant to web accessibility practitioners who must implement this criterion. The practical implications are clear: systems should offer at least one authentication method that does not rely on cognitive function tests (e.g., biometrics, password managers, magic links, passkeys); password complexity requirements should be reconsidered or alternatives provided; and CAPTCHAs with distorted text should always have non-text alternatives. The finding that difficulties extend beyond just remembering passwords to the entire lifecycle — including creation, confirmation, and management — suggests that even "remember me" features and password managers only partially address the problem. For organizations implementing WCAG 2.2, this paper provides the human context behind the accessible authentication requirement.
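As an added illustration (not code from the paper or from WCAG), the following Python checker applies the draft SC 3.3.7 rule described above to a modelled authentication flow: every step that includes a cognitive function test must also offer at least one mechanism that does not rely on one. The mechanism classification and the two sample flows are assumptions constructed for the example, drawing on the mechanisms the paper discusses.

```python
from dataclasses import dataclass

# Constructed classification for this example (an assumption, not the paper's
# or WCAG's own table). True = the mechanism makes the user recall, transcribe
# or recognise a nonword string, i.e. a "cognitive function test" under SC 3.3.7.
COGNITIVE_FUNCTION_TEST = {
    "password": True,               # recall and re-type a nonword string
    "pin": True,                    # numeric codes were as hard as passwords
    "otp_typed": True,              # transcribing a code from SMS or an app
    "text_captcha": True,           # distorted-text CAPTCHA
    "otp_autofill": False,          # the phone enters the OTP automatically
    "biometric": False,             # fingerprint or facial recognition
    "passkey": False,
    "magic_link": False,
    "password_manager_fill": False,
    "captcha_non_text": False,      # the non-text alternative the paper asks for
}

@dataclass
class Step:
    name: str
    mechanisms: list

def is_cognitive_test(mechanism):
    if mechanism not in COGNITIVE_FUNCTION_TEST:
        raise ValueError(f"unclassified mechanism: {mechanism}")
    return COGNITIVE_FUNCTION_TEST[mechanism]

def audit_flow(flow):
    """Map each step name to its non-cognitive alternatives, or None when the
    step uses no cognitive function test and so falls outside the criterion.
    A step mapped to an empty list violates SC 3.3.7."""
    report = {}
    for step in flow:
        cognitive = [m for m in step.mechanisms if is_cognitive_test(m)]
        alternatives = [m for m in step.mechanisms if not is_cognitive_test(m)]
        report[step.name] = alternatives if cognitive else None
    return report

def failing_steps(flow):
    return [name for name, alts in audit_flow(flow).items() if alts == []]

# Constructed sample flows: a typical site before and after adding alternatives.
BEFORE = [Step("login", ["password"]),
          Step("second_factor", ["otp_typed"]),
          Step("bot_check", ["text_captcha"])]
AFTER = [Step("login", ["password", "passkey", "magic_link"]),
         Step("second_factor", ["otp_typed", "otp_autofill", "biometric"]),
         Step("bot_check", ["text_captcha", "captcha_non_text"])]
```

Running `failing_steps(BEFORE)` names all three steps, while `failing_steps(AFTER)` is empty; the per-step report also shows how many alternatives each step offers, which matters given the paper's finding that different users preferred different mechanisms.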

Tags: cognitive accessibility · dyslexia · authentication · security · passwords · WCAG · cognitive disability

Standards referenced: WCAG 2.1 · WCAG 2.2