In today's technology-driven world, web services have opened up new opportunities for blind and visually impaired people to interact independently. Securing interactions with these services is crucial; however, currently deployed authentication methods mainly concentrate on sighted users, overlooking the needs of the blind and visually impaired community. In this paper, we address this gap by investigating the security and accessibility aspects of these authentication methods when adopted by blind and visually impaired users. We model web authentication for such users as screen reader assisted authentication and introduce an evaluation framework called AWARE. Using AWARE, we then systematically assessed popular PC and smartphone-based screen readers against different authentication methods, including variants of 2FA and passwordless schemes, to simulate real-world scenarios. We analyzed these screen reader assisted authentication interactions in three settings: a terminal (PC) with screen readers, a combination of a terminal (PC) and a smartphone with screen readers, and smartphones with integrated screen readers. The results of our study underscore weaknesses in all of the observed screen reader assisted scenarios for real-life authentication methods. These weaknesses, which include specific accessibility issues caused by imprecise screen reader instructions, expose the observed scenarios to both real-world attacks and attacks described in the research literature, including phishing, concurrency, fatigue, cross-service, and shoulder surfing. Broadly, our AWARE framework can be used by designers as a precursor to user studies, which are typically time-consuming and tedious to perform: it allows security and accessibility problems to be uncovered early, so that designers can address them before full-fledged user testing of more isolated issues.