SPIES Lab, Computer Science and Engineering

News: Security and Accessibility Gaps in Web Authentication for Blind and Visually Impaired Users

Posted on by

College Station, TX — June 2025

This news story was fully generated by AI, the text using GPT-4.5 and the image using GPT-4o, with necessary review and corrections by the SPIES researchers.

SHARE THIS

In groundbreaking research presented at the ACM Web Conference 2025 (WWW), researchers from Texas A&M University’s Security and Privacy in Emerging Computing and Networking Systems (SPIES) lab have highlighted significant vulnerabilities and accessibility challenges in two-factor (2FA) and passwordless authentication methods for blind and visually impaired users relying on screen readers.

Illustration showing a blind user using a laptop and phone with screen reader, facing push notification and phishing risks

The study, titled “Broken Access: On the Challenges of Screen Reader Assisted Two-Factor and Passwordless Authentication,” reveals how commonly used authentication methods, such as Google, Microsoft, and Duo’s OTP-2FA, phone call 2FA, push notifications, and FIDO-based MFA, often fail to effectively accommodate the specific needs of blind and visually impaired individuals. Through systematic evaluation using the team’s newly developed Authentication Workflows Accessibility Review and Evaluation (AWARE) framework, researchers found numerous critical security issues, including susceptibility to phishing, notification fatigue, and concurrent login attacks.

Our goal was to expose overlooked gaps in the current authentication landscape that disproportionately affect blind and visually impaired users,” said Md Mojibur Rahman Redoy Akanda, lead author and PhD student working with Dr. Nitesh Saxena. “Despite being promoted as secure and usable, many real-world 2FA and passwordless systems are simply not designed with accessibility in mind.

Key findings highlight how imprecise instructions and insufficient accessibility considerations significantly increase vulnerability for visually impaired users. Specifically, the researchers identified critical conflicts between simultaneous authentication steps (such as receiving OTP codes via phone calls) and screen reader audio prompts, leading to confusion and potential security breaches. Additionally, they discovered screen readers mispronouncing numeric OTPs, interpreting them incorrectly as continuous numbers rather than distinct digits, and observed difficulties in managing authentication prompts when users concurrently used screen readers on both smartphones and PCs.

This research opens up a much-needed conversation at the intersection of accessibility and cybersecurity,” said Dr. Nitesh Saxena, Director of the SPIES Lab at Texas A&M University. “We hope these findings will guide system designers, developers, and policymakers to adopt more inclusive authentication practices—making secure access a right, not a privilege.

This research underscores the urgent need for developers to implement clearer authentication workflows and better integration of accessibility standards. The SPIES team offers concrete recommendations for enhancing security and usability, such as explicit instructions, automated phishing detection, and optimized communication between authentication interfaces and screen readers.

The findings presented at WWW ’25 are a pivotal step toward ensuring digital authentication methods are secure and inclusive for all users, particularly the visually impaired.

To read the full paper, click here.

Citation:
Md Mojibur Rahman Redoy Akanda, Ahmed Tanvir Mahdad, and Nitesh Saxena. 2025. Broken Access: On the Challenges of Screen Reader Assisted Two-Factor and Passwordless Authentication. In Proceedings of the ACM Web Conference 2025 (WWW ’25), April 28–May 2, 2025, Sydney, NSW, Australia. ACM, New York, NY, USA, 13 pages. https://doi.org/10.1145/3696410.3714579

Read more stories like this on AI Spies News.

Follow us on Medium.