
Thank you. So, welcome everyone. Uh, my name is Anna and I'm a cyber security student from Manchester Metropolitan University, and today I'm going to talk about the accessibility challenges within cyber security, but more specifically, um, password policies and authentication methods. So, starting off: what is the actual issue that we're facing? So in the IT world in general there is a massive lack of accessibility, as we all know, um, and this is a huge problem as many people can't access things. Uh, we all know that we all have accounts nowadays, so everything needs a password, um, and this is especially, um, apparent in cyber security, where password policies aren't as clear as they probably should be, um.
So why is the lack of accessibility actually an issue? Um, as we can see, the lack of accessibility does lead to lower employment rates in people who are disabled. Uh, this is because they don't have, uh, the accessibility needs that they need in their workplace, and they don't have the technologies that they need to actually access what they need to access, so they end up just not having a job. This impacts quite a large proportion of the UK. Um, it's 24% of the population, and this is only the people that have been diagnosed. Uh, as we know, the NHS does try its best, but diagnoses are quite hard to get, so that number is probably a lot higher than it actually
shows in the statistics. And how does this relate to password policies? Well, if they aren't accessible, people aren't going to be able to access accounts, and everything nowadays requires an account. If people can't access accounts, they can't access employment, they can't access what they actually need to access, and this is a massive problem. So to demonstrate this problem, I have made a password that by all standards is quite complex and quite secure. In fact, I have made this PowerPoint for a few months now and I still cannot remember this password. Um, but it is a strong password. Uh, on all the sites that we have, that it's not been compromised, it would take 93 trillion years to crack a
password, and generally this is what most companies and employees would expect when we talk about what a strong password is. Now obviously this isn't great, and there's many accessibility challenges that come with it. So for starters, the main accessibility challenges that we have is the limited capability of assistive technologies. Whenever we start talking about, um, people who have disabilities, one of the first things that people say is, well, what about assistive technologies, surely they're good enough? They aren't. They have their limited capabilities when it comes to, for example, uh, reading the screen: if your UI is not compatible with it, it would just not be able to read it out, meaning a lot of people miss the
crucial information that they need. As well as that, um, a lot of people rely on text to speech. Uh, if you're on a train, you are not going to say your password out loud. That means you can't do things like access your work account in a public train. Um, you just can't access things in public in general unless you're willing to compromise your password, which I'm sure not many of us are. Um, another accessibility challenge is the actual lack of security knowledge that people with disabilities have. Um, so within policies it's usually not very clear what people mean, uh, which leads to a lot of confusion in people who are disabled. This, um, this lack of security knowledge also
impacts how, uh, secure some people can be. If you don't have the knowledge, you don't know what needs to change, you don't know how secure you actually are, and you become a, um, a target for attackers, more so than someone who isn't disabled. Um, this is due to a lack of clear and accessible knowledge available, um, that I will go into a bit later on. And then finally, the biggest one is the fact that password policies and authentication methods are just complex. Um, we might think that they're accessible, but they actually lack a lot of accessibility. So in terms of these methods, this is not an exhaustive list; there are many, many methods, many of
which are not accessible. So the first one we have is password expiry. A lot of companies will think that after 6 months your password has to expire, otherwise it's not secure. That is wrong; please don't do that. What ends up happening is people will just change a couple of, uh, characters and call it a day. As security professionals, we care more about security than the average person, and I will tell you, someone who is disabled does not care that much about their password in general. Um, they will go to what is the easiest for them to type out, what is most usable for them. Adding in policies that just make it harder for them to access things is actually
counterintuitive. We then have MFA, which is multi-factor authentication, and probably the most, uh, widely usable, uh, authentication method that there is. Now this, although being one of the better accessible methods, it's still not as accessible as it could be. It is still hard to use, there are extra steps involved, you usually need a second device, and biometric authentication, um, people who have mobility issues will really struggle with a biometrical authentication. If you have, uh, visual issues, you will struggle to even, like, scan your face or stuff like that, and a lot of, um, MFA requires that. Any cognitive issues, you're going to see a pattern come up on your phone, you're going to see a number,
you're going to forget it immediately, the thing's going to time out, you're not going to be able to access and get into your account. So that is a major issue with MFA. And then we have knowledge based, and although this one's kind of coming out of practice, because we all know that it's not very secure anyway, um, it is still something that a lot of companies and employers will use. Um, but again, an average person does not care as much about passwords as we do, uh, especially someone who is disabled, so they will probably forget, um, who, what their first pet name is. And the issue with knowledge-based authentication is that many times it is, uh, case sensitive,
so if you put your first pet name with a capital letter and you completely forget, you're not going to be able to get into your account. It just causes a lot of frustration overall. So that's been a bit dim and dark, but what can we actually do about it? Um, some methods are easier than others. Uh, there's clear and accessible language and policy, um, that's a given. Um, if your policy is clear, you are more, you are able to reach more people with it, more people are able to understand it. Um, it's just better overall, and it's also good for assistive technologies because they can actually see what is on the screen. Avoiding expiry based policies
and moving more towards a compromise based policy. Now what do I mean by this? If you're in your company, you should already have a compromise based policy; if you don't, please get one. Um, but if you know that a password has been compromised, then that is when you reset it, that is when you, uh, change things. You shouldn't be changing it on a month-to-month basis, cuz that just causes frustration to everyone and the service desk is going to have way more calls than they need. Um, so moving towards compromise based is more accessible than having expiry based. Then we have having a usable password, like three random words joined together with a couple of characters on the end. Um,
some people may not view this as secure; however, it is more usable. Um, people are easily able to remember this password. I can easily remember dog tree lemon one question mark. I cannot remember whatever the hell I put in the other PowerPoint, or in the other slide. Um, it is just a lot harder to remember something that is complex and is more secure, but you're going to have to change it anyways, so it's better to have something that's long lasting and that you can remember easier. Then we have, uh, moving towards authentication with voice recognition. Now in a study that was conducted, um, which the name of it is "As usual, I needed the assistance of a seeing person",
if anyone wants to check it out, it's a good study, I recommend it. Um, but a lot of people that had disabilities would rather it move to a more voice recognition authentication; that was a lot easier for them. Obviously it comes with its challenges, um, and it's not possible for everything to be voice authenticated, but it is something to keep in mind. Then we have probably the most accessible one, even though it is still not even 100% accessible, and it's using password managers. Um, if you don't know how it works, it will create a password for you, um, and then it will be complex, it will take the computer 93 trillion years to crack, and all you have to do is, it
saves it, and then whenever you access that website it will just automatically appear. You don't need to worry about it. Why do I say it's still not 100% accessible is because if you have any mobility issues, you do still have to click some things. Um, but it is way more accessible than anything else that is currently on the market. And then this one goes against everything that we've ever been taught, but it is an option, um, and it is securing or storing passwords in a physically secure space. Um, if for whatever reason you do need to have those really complex passwords, you do need that password that I showed at the start, have it written down. Um, have it in
a place that is secure, in a place that is accessible by people. It's just, it's going to save you time rather than having to reset it and change it every single time that you want to use it. It is still not the most secure way, but when we compromise, um, confidentiality in the CIA triad, uh, which is a fundamental security principle for those who don't know, um, but if we compromise a bit of confidentiality, we're going to get more accessibility and availability, and you want people on your sites, you want people using your products. Um, it just, it's better for everyone involved. So in conclusion, no policy or path authentication will ever be 100%
accessible. Uh, maybe in the future we will have something, but currently there is nothing that is 100% accessible, so we just need to focus more on usability rather than anything that is too secure. Um, as people always say, a system that is secure, um, is most likely not able to be accessed, and there's no point in having a secure system if you can't actually access that system. Um, secondly, speak to people. If there's people in your team that you know have issues with, uh, these kinds of things, then speak to them. It's not going to be a one-size-fits-all, it's not going to work for everyone, but at least speaking to them and finding out what the right
solution is for them will be better than doing absolutely nothing. And then be mindful: accessibility affects 24% of the population, and again this is people that have been diagnosed, this is not, um, everyone who suffers from it and is not diagnosed. So that's a quarter of the population that you would be alienating if you don't make things accessible. So please do consider making things more accessible, consider having those talks with people. It massively helps, it reduces frustration for people, and overall they're just going to be happier to be there. So thank you all for listening. Uh, again, my name is Anna, um, I am a second-year student currently, uh, studying cyber security, and I am looking for
a placement. If anyone knows of any opportunities, I'd be very happy to speak to them about it. Thank you to Inca, my mentor, who has helped me do this presentation. Um, we've run through it quite a few times and she has massively helped me get everything down. And again, if you want to connect with me on LinkedIn, I would encourage it, and if there's anything else you can email me on my email. Um, does anyone have any questions?
I think we've got a question at the front there, I saw a hand go up.

Hello. Have you looked into combined authentication methods, say a physical key with a, uh, password manager, to improve accessibility for people with mobility issues? So instead of having to type out their long, uh, complex, hopefully, master password for an authenticator, um, they just tap on a security key.

Yeah, so I have looked into this when I was making this PowerPoint. Um, the only issues with those are that they're not, um, as widely available as everything else. Um, if that was more widely available then yes, 100%, um, it should be used and it should become more widely available. Um, the methods that I
just said were just the ones that are more, like, accessible for employers to implement, especially larger companies. If you can imagine, you know, if something like Microsoft will have, like, millions of employees, if they have, like, a physical thing for each employee that is disabled, it's going to be a lot more work on them. And they should put in the work, but it doesn't always happen. So having something that's more, like, easily accessible by companies as well, I think, is better than, you know, having something that isn't. But it is unfortunate, yeah.

Thank you. One more question, um, but it's going to be quick one, I know.

Thank you very much. Uh, I'm talking in terms of a person who has
accessibility I sidewise. Okay, so what about, uh, biometrics? I mean, have you looked into that as well?

Um, so I did look into biometrics. Um, the only issue with biometrics, again, is that with all the authentication methods, they're not 100% accessible. They are more accessible than something like knowledge based authentication, um, but it's harder for people that have, like, mobility issues, um, because if, like, if they have a tremor in their hand and they have to do their fingerprint, it's going to be really frustrating. That can be really disaster. Yeah, like, my phone will not work with my fingerprint on a good day. So, um, possibly moving towards a more passwordless approach is the way forward,
um, but again there's limited, uh, research out there on it. So, but biometrics is still something that is, uh, widely considered for people that are disabled. It's just, it depends on the person; again, it's not a one-size-fits-all.

No, of course, of course. Maybe for question will be, um, you know, in terms of, uh, like for example companies, let's say, not catering for, uh, people with ex disabilities, specifically in terms of password accessibility, such, do you think that it's either the, not to be too harsh about it, the incompetence on not doing it or not really considering it, or is it because of the case that they don't maybe understand
what a person with accessibility has or encounters while they're trying to access their accounts?

I do think it's a mix of a lot of things. Um, I think that a lot of companies don't understand, um, how big the disability population is in the UK, um, and I think a part of it is also money. Uh, it costs more to be accessible, uh, and a lot of companies aren't willing to put the money towards it, even though they should. Um, but it is definitely a great question to ask. But they should, they don't, and it's unfortunate, but that is why I'm doing this talk, so hopefully more people are aware of it and we can move towards a more accessible future
for everyone. Thank you.

Thanks. Um, so, uh, I'll be turning around the room in the next 10 minutes or so for the next talk, so if you're planning on staying here, please stay; if you're planning on leaving, please leave. Um, but thank you very much. Thank you.