Author: Joshue O Connor. Senior Accessibility Consultant CFIT email:joshue.oconnor@cfit.ie
In this position paper we examine what user testing is, why it is important and how it can help, if included in the design of secure user interface elements, to ensure that people with disabilities do not have their user experience compromised by the addition of enhanced security features. The paper also raises the issue of the need for developers to accomodate the diverse requirements of users of assistive technology when developing security features in web applications so that these enhancements can be truly inclusive.
CFIT is interested in the workshop as we are actively involved in Ireland as advocates for increased user involvement in ICT development cycles and promoting the adoption of accessible web development practices in order to help create a more inclusive society. This includes the user testing of Web Applications and User interfaces as well as assessing their overall accessibility.
CFIT wish to ensure that the practice of user testing gains a higher level of visibility and significance within ICT development cycles. We see user testing as an important part of the process of successfully developing new modalities for user interaction.
Describing user interaction in multi-device applications from an end-to-end perspective.
User testing involves observing a diverse range of users including older people and people with disabilities carrying out specified tasks on your website. People with disabilities would be using their respective assistive technologies such as screen magnifiers or screen readers. User tests offer an immediate way of gathering evidence of where there are causes of difficulty, confusion or frustration, for the user.
A good user test can confirm where good design and development practice has paid off - in terms of increased usability - and also where improvements need to be made.
Guidelines such as WCAG [1] and ATAG [2] exist in order to provide a framework and examples of best practice for user interface designers and web developers. However, even if you have followed accessibility guidelines, it may still be very difficult to be sure that your user interface is easy to navigate and that it works well with assistive technologies. User testing is a way of assessing how successful your design has been.
User testing takes accessibility and usability off the theoretical platform for developers and grounds these practices in a very real way. Good accessibility and usability are no longer an esoteric exercise as what is both good and bad about your design and development process comes into sharp focus.
User testing is a very useful assessment and evaluation method. It can be used in a granular fashion to test and fine tune specific parts of a user interface or to provide an overview of a system’s overall usability and accessibility. As an assessment mechanism it is therefore highly flexible.
Due to the speed of technological change there is more than ever a need for greater access to user testing facilities and skilled usability professionals who are experienced working with a wide range of users and who also possess a deep understand of the diversity of user requirements. This is so developers, as well as those who define and describe standards, can ensure that the interfaces are usable - and the promise of technological stability and greater interoperability deliver within the scope of what users really need.
User interaction should therefore be considered in its broadest sense when building user interfaces by not focusing merely on testing usability in a modular fashion, for example by looking at only the security interface or the login feature. A holistic approach is required to ensure that at every step the users needs are always considered and the application is fully tested in its entirety.
Approaching user interaction in this way will help create an overall sense of consistency and well roundedness for the user as they navigate the system and perform various tasks. However, not to take this approach could result in a system having several more accessible and usable ‘parts’, such as a login interface or secure 'widgets', which could result in an inconsistent and uneven user experience.
Many designers develop their interfaces with a flawed mental model of who their end users are and what their abilities will be. They often make assumptions about the end users abilities that are either limited, often in the extreme, or are unrealistic, often in the extreme. This is to suggest that the end user may be thought of as potentially unable to perform basic tasks when interacting with an interface that they may quite happily do. The obverse is also true in that when presented with a complex interface the user may also be expected to understand and instinctively ‘know’ how to navigate the interface.
The reality is that there may well be no model user, in the sense of some Platonic ideal. However, it is possible to conceptualise schemata for model users who can very successfully and comfortably use an ICT or navigate a complex interface or security feature within the scope of their own ‘model of interaction’. I am referring implicitly to users of assistive technology. This may be a blind screen reader user who when navigating a complex form or web interface can often complete the form more quickly than a sighted person. It may be an experienced switch user with very limited physical movement who by using a combination of a switch [3] and scanning software [4] can perform tasks such as sending email or browsing the Internet. These users could be considered ‘model users’ within their own modality. They are users who according to their own ability, are being empowered by their assistive technology to perform the task in hand successfully. Good user interface design facilitates the successful navigation of the interface allowing the completion of the desired tasks.
Important considerations for the workshop are the challenges raised in dealing with trust, identity, privacy and security. How are these challenges to be addressed? Will current declarative languages be sufficient? Are the existing semantics of declarative languages enough?
Current methods for enhancing security include the SSL handshake [5], using cookies [6], or HTTP Auth Handshake [7]. 1 Other work is being done by the W3C Web Application Formats (WAF) Working Group [8] to explore secure interface widgets [9], these widgets refer to web applications that are small client-side applications for displaying and updating remote data, packaged in a way to allow a single download and installation on a client machine or mobile device. The application may execute outside of the typical web browser interface. Examples include clocks, stock tickers, currency converters, newsreaders, games and weather forecasters. Some existing industry solutions go by the names "widgets", "gadgets" or "modules". But they may have an application as enhanced security features.
When using HTTPS protocol how can the user know if their transaction is truly secure? In most browsers a padlock appears when there is a secure connection but is this a binary modality (either fully secure or not)? Can the connection be partially secure? Newer browsers, such as Firefox 1.5 / 2 and IE 7, also color-coding the address bar to indicate a locked SSL session, but is this sufficient to blind or visually impaired users? Is there a threshold where 80% of the data has been securely transmitted and if below that threshold the user cannot trust the security of the connection? How can important security related information be transmitted to the user who is blind or visually impaired?
As technology marches ever onward there is more of a need for the security pendulum to swing both ways, for more secure user identification and also for the end user to be able to clearly recognise and trust the application they are using. As more data can be manipulated by the server without the need for page refreshes does the more sophisticated level of DOM manipulation increase the potential for more on-line fraud, identity theft etc as data can be more easily manipulated without the knowledge of the user?
Potentially yes. Many of us will have seen complex and slick scams by persons claiming to be PayPal, eBay or your local bank. Whole websites can be designed using cloaked URLs to look like the company they claim to be. However, it is often only when the user performs a mouse over an URL will they see the URL pointing to an anonymous IP address or obscure domain. Many users are not even aware that this should alarm them, so the needs of people with disabilities and users of assistive technology need to be considered and informed design decisions made by developers. Including user testing as a fundamental part of this process may greatly aid user interface and application development as well as potentially future proofing new security mechanisms.
We have established that user testing is very important however not every business has the resources or facilities where they can actively get involved in the process of user testing or for running expensive surveys in an attempt to collate data on specific user requirements.
Should user testing facilities therefore be sponsored by government or subsidised by big business as a part of their corporate responsibility requirements?
The user testing of government web services is a public service that benefits everyone regardless of ability. User testing is therefore a democratising force that should be affordable and accessible to many business types and not only larger companies or government departments as it should be every persons right to quality - usable and secure - web interfaces and applications.
1 Thanks to Gez Lemon for Technical Review and also to Mark Magennis.