Our study is composed of two 60-minute sessions with participants who are either blind or have low vision. In the first session, participants create, confirm, and rehearse a bend password on BendyPass and a PIN on a touch-screen smartphone. In the second session, about a week after the first session, participants use the passwords created in the first session to complete five successful logins.
In the first session, we evaluate the learnability of bend passwords; in the second session, we evaluate the memorability of bend passwords and the level of effort required to enter passwords using BendyPass. Our research protocol was reviewed and approved by Carleton University’s Research Ethics Board.
First study session
In the first session, we ask participants to answer some questions about themselves, their use of passwords, and their perceptions of the security and accessibility of different password-input methods, such as alphanumeric passwords and fingerprint. Then, we present either BendyPass or a smartphone (iPhone 6S) to participants, in counterbalanced order. For each device, we explain how to use it to create a password, how to delete password characters (digits or gestures), and how to confirm an entered password.
Then, we open the prototype website so that participants can familiarize themselves with the smartphone application and the prototype gestures by receiving the audio feedback from the website. We ask participants to practice each bend gesture at least twice, but as soon as participants say they are ready to create a password, we ask them to create a memorable and secure password containing at least 6 digits/gestures. We also ask participants to create a new PIN rather than reuse an existing one.
Participants create either their PIN on the smartphone or their bend password on BendyPass by interacting with the devices, while our website saves all the information entered. After creating a password, participants have to successfully confirm it three times. Then, we ask participants questions about their perceptions of how easy the new password was to create and of its security. Finally, we ask participants to complete five successful logins to rehearse their passwords, so that they memorize them for the second session. Then, we present the second device to participants, following the same protocol. The order of presentation of the devices is counterbalanced to reduce learning effects.
At the end of the session, after participants have interacted with both devices and created passwords with them, we ask some post-task questions about their experience and their perceptions of BendyPass.
Second study session
Approximately one week after the first session, participants return for the second session, in which they have to re-enter their passwords. We start by asking participants about their confidence in remembering each of the two passwords created in the first session. Then, participants have as many attempts as they need to complete five successful logins on each device, one at a time, presented in a counterbalanced order. We end the session by asking participants to answer questions from the NASA Task Load Index to evaluate the effort required to use each device, and then by conducting a semi-structured interview about participants’ perceptions of and feedback on BendyPass.