If you’re collecting personally identifiable information from your users, you have a responsibility to limit potential risks.
Generally, that means establishing policies and controls that prevent unauthorized access. The problem: When you limit unauthorized access, you risk making your website less accessible for legitimate users.
That’s true regardless of the complexity of your controls. For example, if you add a password field, you’ll make your website less usable for people who have trouble remembering passwords. If you require two-factor authentication, your users will need to spend more time navigating the process before taking the next step.
In most cases, the added security is worth the potential tradeoff. However, you want to avoid major accessibility barriers wherever possible — especially barriers that might completely prevent people with disabilities from engaging with your content.
Many website security controls have an outsized impact on users with disabilities
Before collecting information from users, you’ll need to engage in two separate but related processes: authentication, which verifies the identity of the user; and authorization, which determines the permissions of the user.
Accessibility issues usually occur when authentication processes are not designed for users with different types of abilities. For example:
- A website uses a CAPTCHA field to determine whether the user is human. Traditional CAPTCHAs aren’t readable with screen readers (software that converts text to audio or braille), so they may lock out users with vision disabilities.
- A website requires users to remember a password. For security, the password field doesn’t allow copy/paste functionality, which prevents people with memory disabilities from using password managers and similar technologies.
- A website’s login process must be completed within a specific timeframe. Users with mobility disabilities may not be able to finish the process before the timeout occurs.
None of these authentication issues will actually make your website more secure. Visual CAPTCHAs are frustrating for all users, and they’re not particularly effective for eliminating bot traffic. Disabling copy/paste functionality prevents an extremely small number of potential attacks. Time limits can be important, but there’s no reason that you can’t warn the user when a timeout is approaching.
Ultimately, your website’s security controls are there for the user, so if you’re creating barriers for users, that’s a problem. Sacrificing accessibility won’t necessarily improve security; in fact, cybersecurity requires accessibility to be effective.
Avoid common mistakes when implementing security features
All of the above issues are addressed within the Web Content Accessibility Guidelines (WCAG), the international standards for digital accessibility. Unfortunately, developers often ignore WCAG when planning their security controls — and if you’ve already built a login process that ignores accessibility, implementing accessibility after the fact can be expensive and impractical.
Here are some basic tips for building a secure website that works for people with different types of abilities:
- Pay close attention to your password fields. Use proper markup, which allows password managers to fill in passwords automatically (and don’t block copy-and-paste functionality). Read: How To Make Your Website's Authentication Process Accessible.
- Don’t use visual CAPTCHAs. The rapid rise of artificial intelligence has made human authentication much more important, but visual CAPTCHAs aren’t particularly effective. Read: How To Make CAPTCHA Accessible To Everyone.
- Don’t use time limits unless you have a good reason. Per WCAG, websites that use time limits must inform users of those limits — and provide a way to pause, extend, or turn off the time limit. Read: Web Accessibility Tips: Give People Enough Time.
- Make sure your login process is accessible for keyboard users. Test your website with a keyboard alone to make sure it’s fully navigable and operable. Read: Give Yourself an Accessibility Test: Don't Use a Mouse.
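The time-limit tip above, sketched as an added example (not code from the original article): a session timer that warns the user before expiry and lets them extend with a single action. The class name, the 20-minute limit and the 2-minute warning window are assumptions for illustration.

```javascript
// Added example. SessionTimer and all durations are hypothetical.
class SessionTimer {
  constructor({ limitMs, warnMs, now = Date.now, onWarn = () => {}, onExpire = () => {} }) {
    if (warnMs >= limitMs) throw new RangeError("warning window must be shorter than the limit");
    Object.assign(this, { limitMs, warnMs, now, onWarn, onExpire });
    this.deadline = now() + limitMs;
    this.state = "active"; // active -> warning -> expired
  }
  // Call periodically, e.g. setInterval(() => timer.tick(), 1000).
  tick() {
    if (this.state === "expired") return this.state;
    const remaining = this.deadline - this.now();
    if (remaining <= 0) {
      this.state = "expired";
      this.onExpire(); // end the session and send the user to re-authenticate
    } else if (remaining <= this.warnMs && this.state === "active") {
      this.state = "warning";
      this.onWarn(remaining); // announce once, e.g. in a dialog a screen reader will read
    }
    return this.state;
  }
  // Bind to a keyboard-operable "I need more time" button.
  extend() {
    if (this.state === "expired") return false; // too late: the session is already over
    this.deadline = this.now() + this.limitMs;
    this.state = "active";
    return true;
  }
}

// Constructed walk-through with a fake clock (all times in milliseconds).
function simulate() {
  let t = 0;
  const events = [];
  const timer = new SessionTimer({
    limitMs: 20 * 60000, warnMs: 2 * 60000, now: () => t,
    onWarn: (left) => events.push(`warn:${left / 1000}s`),
    onExpire: () => events.push("expired"),
  });
  t = 17 * 60000;   events.push(timer.tick());   // 3 min left: no warning yet
  t = 18.5 * 60000; events.push(timer.tick());   // 90 s left: warn the user
  events.push(timer.extend());                   // user asks for more time
  t = 30 * 60000;   events.push(timer.tick());   // new deadline is 38.5 min
  t = 39 * 60000;   events.push(timer.tick());   // past the deadline
  events.push(timer.extend());                   // cannot extend after expiry
  return events;
}
```

The client timer only drives the warning; the server must enforce the same deadline and refresh it when the user extends.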
Remember, accessibility isn’t optional. A poor authentication experience is more than a user experience issue: It’s a potential violation of the Americans with Disabilities Act (ADA) and other non-discrimination laws. Following WCAG will improve compliance and guide you towards decisions that benefit all users — without making your security measures any less effective.
For guidance with a specific accessibility issue, send us a message to connect with an expert. To compare your website against WCAG’s Level AA accessibility standards, get started with a free automated analysis.