With the rise in smartphone usage for accessing and retrieving personal information, it is essential to assure smartphone users are able to protect their devices from unauthorized access. For people with vision impairment, who are blind or have low vision, smartphone accessibility features give them access to various assistive applications. Consequently, it is also essential to assure their privacy and security when using smartphones. Passwords help avoid unauthorized access to personal devices but generally pose challenges to users, like memorability and risk of shoulder surfing attacks, in which someone tries to steal someone else’s password by looking over his/her shoulder. However, little is known about the specific challenges faced by people with vision impairment when using passwords in mobile contexts.
This research project has two main goals: 1) investigate how people with vision impairment deal with passwords, and 2) propose an alternative password-input method more accessible to them. To achieve those goals, we consulted with two experts in accessibility for people with vision impairment from the Canadian Council of the Blind, who provided feedback throughout this project.
We started by conducting an online survey on how people with vision impairment assure their digital security. We collected answers from 325 people who are blind or have low vision from 12 countries. We found that 91% of them have smartphones, but more than two thirds are concerned with typing passwords in public spaces. The main reason for their concern is the risk of shoulder surfing attacks, because entering passwords require them to either use screen readers, which read the password characters aloud, or screen magnifiers, which make the characters easier for others to see. Additionally, we found that most participants consider PIN numbers the least secure method to unlock mobile devices, because they are easy to guess. However, PIN numbers are still the main protection in most smartphones, as even those that have fingerprint readers allow the user to unlock them by typing a PIN number.
Considering the challenges faced by people with vision impairment to protect their smartphones from unauthorized access, we decided to design a flexible device for a more tactile password-input method. From the survey results, we learned that a truly accessible solution for passwords for people with vision impairment should not require precise manipulation of visual items, the use of one’s eyes or keyboards. We also confirmed that by consulting experts at the Canadian Council of the Blind.
We designed BendyPass, our flexible device, with dimensions similar to an iPod touch to be easily carried around, and it enables the user to bend its corner or to fold it in half. To facilitate the user’s access to all four corners of the prototype while holding it with both hands, we designed for use in horizontal position. Designing BendyPass included developing different prototype versions to evaluate variations of material hardness and positions of grooves that indicate bendable areas. We tested each prototype version with specialists in flexible devices and experts at the Canadian Council of the Blind.
The final version of BendyPass is composed of two silicone layers that enclose electronic components, including flex sensors to capture bend gestures, a vibration motor to give feedback when a gesture is recognized, and a button to allow the user to either delete the last gesture entered or confirm the password. We wired all electronic components to an Arduino microcontroller board, powered via a USB cable. Building BendyPass costs approximately 100 Canadian dollars, but it is further developed to have its microcontroller board fitting inside the silicone piece for a wireless device.
We programmed BendyPass to recognize 10 different gestures, including bending each corner upwards or downwards (8 gestures), and folding it in half upwards or downwards (2 gestures). A combination of bend gestures performed in BendyPass is called a bend password. When a user performs a gesture, BendyPass vibrates and also generates audio feedback informing the name of the gesture recognized, such as “Top right corner up”.
To evaluate how easy to learn and how easy to memorize bend passwords on BendyPass are for people with vision impairment, we are currently running a study with people who are blind or have low vision. In the first session of the study, participants learn how to use BendyPass before creating and rehearsing a new bend password. In the second session, about a week after the first one, participants are asked to log in using the password created in the first session. To compare bend passwords and PIN numbers, we also ask participants to create a new PIN number in a touch-screen smartphone.
We envision various applications for BendyPass. It could be paired via Bluetooth to personal devices such as smartphones and computers, to unlock them without typing passwords. It could also be used to log in to various accounts in smartphones or computers, such as email, social media profile and online banking. It could also be connected via USB cable to public computers or to ATM machines, in order to allow users to have a unique point of entry for passwords. Additionally, if flexible smartphones are available in the future, bend passwords could even be entered directly in the smartphones.
Although we designed BendyPass for people with vision impairment, we believe it could also be used by people with dexterity impairments, as it does not require precise selection of items as touch screens. It could also be useful for people with learning disabilities because it allows users to use their “muscle memory” to remember passwords. Finally, it could also be used by people without disabilities, as an eyes-free method to unlock devices and access accounts, allowing the user to log in without having to look at the device.
In summary, bend passwords are a more tactile alternative than PIN numbers, and could replace them when using BendyPass, a light and small device that can help everyone to more willingly protect their personal devices with passwords.