Abt Associates is an engine for social impact, fueled by caring, curiosity and cutting-edge research that moves people from vulnerability to security. Abt works persistently to make life easier for its customers by applying new technologies and rigorous technical solutions to programs that improve lives around the globe.
Two-factor authentication is a popular access security method that has become critically important online, and we believe that, irrespective of area of operation, geographic location or physical disability, everyone should be able to use it to safeguard their accounts.
miniOrange partnered with Abt Associates to solve one such challenge: enabling 250+ visually impaired users to use two-factor authentication. The solution was delivered in an ambitiously narrow timeline.
Key Requirements
The requirements put forward were fairly straightforward, apart from a few niche challenges specific to this use case. The solution focused mainly on the following requirements:
- Two-factor authentication to be enabled for 250+ visually impaired users of the client's site.
- The authentication factor should not only be "something the user has" but also a 2FA method that visually impaired users can operate without difficulty; a hardware token, the YubiKey 5, would therefore be the authentication method.
- Since the users are visually impaired, the client needs to ensure that users can fill in and submit the required text field for authentication with ease and without further assistance.
Implementation
The module used to fulfill the requirements put forth by Abt Associates is the miniOrange Two-Factor Authentication module.
The hardware token used to implement the solution is the YubiKey 5, which utilizes Universal 2nd Factor (U2F). U2F is an open protocol for second-factor hardware keys with a built-in mechanism to verify that the user is on the right website.
A hardware token is more secure than a software token because it resists phishing: it uses the website's domain in the process of key generation, which ensures that the site the user is logging in to is legitimate.
The end user is aided by text-to-speech software that guides and instructs them throughout the login flow by reading out the contents of the page. Once the user's credentials have been entered into the login form, the software instructs the user to insert the hardware token into the port.

There are a few important things that we had to customize for the use case to make the access security method accessible for the visually impaired users.
- When two-factor authentication (2FA) is invoked, the text field in which the key has to be entered should already be autofocused. Since the users are visually impaired, autofocusing the text field lets the user press the button on the YubiKey directly, and the code is filled in automatically.
- The user is prompted to press the button on the YubiKey. The YubiKey, in turn, sends a text string of a specific number of characters to the text field, as if the user were typing it.
- As soon as the YubiKey code is filled in the text field, the form is auto-submitted, which again improves accessibility for the physically disabled user.
- As soon as the form is submitted, the YubiKey is validated. The module verifies the validity of the submitted code, and the configured YubiKey itself does not connect to the internet.
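The autofocus and auto-submit behaviour listed above can be sketched as follows. This is an added example, not the miniOrange module's code: it assumes the key types a Yubico OTP (44 modhex characters, a format the page does not specify), and the element ID is hypothetical. The server-side check described in the last step is still what decides whether the code is valid.

```javascript
// Added example: not miniOrange module code. Assumes the token types a
// Yubico OTP: 44 modhex characters (alphabet cbdefghijklnrtuv), the first
// 12 of which are the key's public ID.
const MODHEX_OTP = /^[cbdefghijklnrtuv]{44}$/;

// Normalise what the key typed: trim whitespace, fold case (Caps Lock).
function normalizeOtp(raw) {
  return String(raw).trim().toLowerCase();
}

// True only for a complete, well-formed code; partial input never submits.
function isCompleteOtp(raw) {
  return MODHEX_OTP.test(normalizeOtp(raw));
}

// Public ID the server can compare with the key enrolled for this account.
function publicId(raw) {
  return isCompleteOtp(raw) ? normalizeOtp(raw).slice(0, 12) : null;
}

// Wire a text field so that it is focused when the 2FA step loads and the
// form is submitted once, as soon as a complete code is present.
// `input` and `form` are hypothetical element references.
function wireOtpField(input, form) {
  let submitted = false;
  input.setAttribute("autocomplete", "off"); // do not let the browser store codes
  input.focus();
  input.addEventListener("input", () => {
    if (submitted || !isCompleteOtp(input.value)) return;
    submitted = true; // fire the auto-submit only once per page load
    input.value = normalizeOtp(input.value);
    form.requestSubmit ? form.requestSubmit() : form.submit();
  });
}

// Browser usage (the element ID is hypothetical):
if (typeof document !== "undefined") {
  const input = document.getElementById("otp-token");
  if (input) wireOtpField(input, input.form);
}
```

Gating the submit on a complete, well-formed code keeps stray keystrokes from a screen-reader user from posting a partial value and consuming a login attempt.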
Why Drupal was chosen
- Drupal was a natural choice for both parties due to its flexibility, accessibility and security.
- As an open source platform, Drupal does not incur any licensing costs, which is why the client chose it.
- Drupal allows seamless integration with external security modules, such as the miniOrange 2FA module in this case.
Technical Specifications
Drupal version:
Key modules/theme/distribution used: