Accessibility is Key to Arkose Labs’ Enforcement Challenges
Accessibility is the practice of making products and services usable by as many people as possible. Mindful of the need to make its enforcement challenges universally usable, Arkose Labs considers accessibility a core requirement of all its challenges and goes beyond the narrow scope of catering only to the visually challenged people
The digital world is a hotbed for cyber attacks. There may not be a single day that goes without a person or organization somewhere around the globe being attacked. Businesses are investing in fraud defense mechanisms to fight this scourge. However, often they end up allowing bad actors in while quarantining good users.
In a bid to make digital journeys for their customers smooth, businesses are aiming for zero friction. However, this can be counterproductive as businesses will then need to necessarily classify all incoming traffic and good or bad, and either allow or block users depending on the binary assigned to them. Should this binary go wrong, businesses may end up blocking good users and allowing bad actors in.
Why accessibility is crucial
The answer to this dilemma is targeted friction, which is especially useful for the traffic in the gray area. Targeted friction in the form of interactive challenges can be an effective barrier to stop bad actors from having a free run. Having said that, challenges must be robust enough so that they cannot be solved by automated scripts or advanced bots trained in machine vision technology. They must also be user-centric enough and inclusive to let users of all types of abilities solve them. This is where accessibility comes in.
Of course, we are required to fulfill our legal obligations where accessibility is concerned. However, we also consider it our moral obligation to help users of all hues and shades to be able to authenticate themselves regardless of their abilities. So we want to take it one step further and make sure that users have a good user experience. Therefore, we need to consider accessibility a core requirement of our interactive challenges in order to make them suitable for a majority of good users as well as for edge-case good users.
Bring in the experts
A worthwhile first step is acknowledging that accessibility is a very complex territory. Without the proper resources, it will be difficult to achieve good results. It is a worthwhile investment to upskill your team, hire accessibility experts, and run user testing of your site or app on groups with specific impairments. The learnings from these activities are invaluable, and may very well spell the difference between creating a good user experience and a very poor one, leaving your company vulnerable to potential litigation.
I am pleased to say that Arkose Labs has taken some major leaps forward in this respect, and is investing heavily in this area, working closely with experts and customers. One of the major steps is joining the World Wide Web Consortium (W3C), which is also the main international standards organization with its members working together to develop the standards for the World Wide Web. I plan to take a seat at the W3C table in some accessibility groups to keep our finger on the pulse.
Built-in accessibility from the start
Too often, accessibility is unfortunately just an afterthought during product development. Adding accessibility to a finished product will at best be difficult, and at worst may turn out to be impossible or require a major refactor. A better approach is to consider accessibility a core requirement right from the start. Not only will this generally lead to a better outcome, but also with fewer problems along the way. Accessibility is tricky enough at the best of times – no need to make it harder than it needs to be.
Considering accessibility early on may even inform your technology choices – some web technologies are inherently inaccessible and might be best avoided altogether if possible.
For example, the original Arkose Labs enforcement challenge was built using HTML canvas technology. That allowed us to draw graphics on that canvas on the fly, thereby achieving smooth animations and user interaction. But the content of the canvas was completely invisible to screen readers because those tools considered the canvas to be a graphic element only. To allow screen reader users to solve our challenges, we had to create an alternative user path that didn’t use canvas. That worked – but it was probably more difficult than it needed to be.
Our current enforcement challenges on the other hand are based on standard HTML5, which has a lot of in-built accessibility capabilities. We now can take advantage of this in-built accessibility, without the need for creating alternative user paths.
Accessibility goes beyond blindness
Another common pitfall is to have a focus that’s too narrow. It’s easy to fool yourself into thinking you’ve catered for the visually impaired just because your website works with screen readers. But that is definitely not enough. In the category of visual impairments alone, there is a wide range of abilities to consider such as full blindness, partial blindness, or color blindness. Other users may struggle with low contrast, experience blind spots, or are light sensitive. Then there is a whole range of different assistive technologies that may help with some of these impairments, such as screen readers, electronic braille displays, screen magnification software, and so forth, from various vendors.
The same vast range can also be found in each of the other disabilities categories – auditory, cognitive and motor impairments, with an even more impressive list of available assistive technologies, plus the chance to encounter more than one impairment in the same user.
Suffice to say – there is enormous variety.
Because of this huge variety, it may not be the best approach to try and cater to individual impairments. The better approach is to focus on individual requirements because the same requirement will often help a variety of users. For instance, it’s an accessibility requirement for apps or websites to be keyboard operable. By building good keyboard support into our challenges we have enabled motor-impaired people who are unable to use a normal mouse to either use their keyboard or keyboard emulators such as switch devices or sip & puff devices to solve our challenges. At the same time, keyboard support also enables blind users to navigate our challenges using screen readers.
Follow best practices and remain compliant
At Arkose Labs, we work with brands that have a global presence and users. As such, we are obligated to comply with a large amount of accessibility legislation in each of the represented countries. In the United States, these are commonly the ADA (Americans with Disabilities Act) and Section 508, but other countries have equivalent laws.
The Web Content Accessibility Guidelines (WCAG) distill the legal requirements into a set of actionable best practices organized around the high-level requirements to make content perceivable, operable, understandable, and robust. Following WCAG is the best way to ensure that your site or app complies with compliance efforts continuing as we continuously develop the product. We are making continuous efforts to not just fulfill our obligations, but want to make our enforcement challenges as accessible and enjoyable to as many users as possible.
That said, even accessibility cannot be a reason to compromise on security. That for us is the fundamental requirement. Fraudsters, we know, are creative and would try and exploit any possible way to get an easier challenge. We cannot simply offer easier challenges to users who may struggle with a standard challenge, but, instead, we have to devise clever solutions that won’t compromise either of these factors. Research, adherence to best practices such as WCAG, and working with accessibility experts can provide guidance in such situations.
Arkose Labs’ accessibility
Arkose Labs strives to ensure that our enforcement challenges are easily accessible to all user demographics, without compromising on security.
In addition to supporting a variety of assistive technology, our challenges are inherently accessibility friendly: The user has the choice between two alternatives, audio or visual, depending on their ability and preference. The challenges use familiar images or sounds combined with simple language as much as possible. There is generally no time limit on providing an answer, and if a wrong answer was provided, the user is shown hints and given the chance to retry, without any limit on the number of retries.
We continuously seek invaluable guidance from accessibility experts, who help us with compliance testing, WCAG certifications, as well as user testing to go above and beyond.
To learn how Arkose Labs uses accessibility in the development of enforcement challenges, contact us now.
*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Hedda Peters. Read the original post at: https://www.arkoselabs.com/blog/key-to-arkose-labs-enforcement-challenges-accessibility/
