Typically, users log into accounts using a user name and password. For example, a user may use a web browser to log into their bank account information. The bank's web page requests the user's name and password, and then grants access to the user's account if the correct information is provided.
Unfortunately, users' names and passwords are compromised every day. Thieves, e.g. hackers, may steal names and passwords directly from a user's computer or from user information stored by corporations, e.g. banks, etc. Sometimes users employ the same user name and password for many or all of their online accounts. In such cases, a thief need only trick an unsuspecting user into establishing an authorized account on a thief's counterfeit web site. When the user creates the account, the thief is given the user's name and password, and the thief now has access to all of the user's online accounts.
One solution to the problem is for users to authenticate their accounts using a physical dongle device, e.g. an authenticator. An authenticator is a second factor credential device that periodically calculates a unique code known also by the website hosting the account information. The user reads the code from the authenticator, and enters the code along with their user name and password.
For example, a user may navigate to their bank's log in web page. The bank requests a user name, password, and authenticator code. The user enters their user name, password, and then copies the authenticator code from the authenticator dongle device onto the computer. The authenticator code is generally only good for one use and for a limited time. After the user uses the code or after some time has expired, the user must wait, e.g. 30 seconds, for the authenticator to generate a new code.
However, use of an authenticator device can be problematic for visually impaired users. Without the ability to visually read the authenticator code from the authenticator, it is impossible for visually impaired users to retrieve and use the authenticator code. Furthermore, users wishing to use an authenticator in a public place are often concerned with “shoulder surfers,” e.g. a thief looking over the users shoulder and copying the code. This leads to an inability to log into accounts protected with the user's authenticator.