BankThink

The customer authentication gap banks can't afford to ignore

Stated simply: Inaccessible authentication isn't just a liability — it's a missed market, writes Corbb O'Connor.
  • Key insight: As banks have adopted multifactor customer authentication systems, they have inadvertently made it more difficult for many disabled customers to access their accounts. The fix is less complicated than it appears.
  • What's at stake: When authentication measures aren't aligned with accessibility standards, it isn't just a user experience problem — it's a security problem.
  • Supporting data: More than 70 million U.S. adults have a disability, representing roughly $1.3 trillion in disposable income. Among financial services professionals surveyed by Level Access, 89% say digital accessibility improves customer retention and 88% say it improves customer acquisition.

As an accessibility consultant, I've spent years inside the banking industry helping financial institutions set up and run accessibility programs.

As a member and leader within the National Federation of the Blind, I also work with people who've just lost their vision and are learning new ways to use technology.

All of this experience has shown me a problem most security teams don't know they have. Financial institutions have spent years strengthening authentication to combat fraud and enhance account security, but many overlook a simple reality: Security measures that are inaccessible to legitimate users create risks of their own.

Here's a common scenario: You're a blind person accessing your bank account. After entering your username and password, you receive a code via text message. Your device's screen reader, which turns on-screen text into audible speech, says: "Thirty-seven thousand, five hundred forty-seven, two hundred million thirty-nine is your verification code."

Someone experienced with assistive technology learns that the first five digits are the short code the message was sent from, and the next six digits are the code they actually need. Over time, they also learn to read these numbers digit by digit.

But for most people, it's a lot to process, and decoding the message is extra work the user shouldn't have to take on. Worse still, failing to decode the message can be the difference between making a critical payment and being locked out of essential services.

The point is simple: When authentication measures aren't aligned with accessibility standards, it isn't just a user experience problem — it's a security problem. Because although they're often perceived as distinct challenges, the truth is accessibility, privacy and security are all overlapping parts of the same authentication problem banks have to solve.

As anyone following the industry knows, banks have gone all-in on multifactor authentication, or MFA, in recent years: one-time codes, face ID, passkeys and magic links. These are security wins, but they also pose accessibility challenges that most security teams don't foresee.

There's a core design flaw in many MFA flows: They ask users to look at one device and transfer information to a second. For a person with dyslexia, a six-digit code can be a transposition minefield. For someone with a motor disability, manually entering a time-limited code before it expires may be impossible.

Password managers are another flash point. Banks routinely block copy-paste in login fields. For users who rely on password managers, which includes many people with cognitive and memory-related disabilities, this attempt to block robots actually locks out the real human.
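As an added illustration that is not the author's or any bank's code, here is one way a web team could build the one-time-code path so that the three problems above (the code read aloud as one large number, the hand-carry from one device to another, and the blocked paste) do not arise. The domain bank.example, the 10-minute validity window and the assumption that space-separated digits are announced one at a time by screen readers are all mine.

```javascript
// Added example (not from the article): one OTP flow that avoids the failure
// modes described above. SENDER_HOST and the 10-minute window are assumptions.
const SENDER_HOST = "bank.example";      // hypothetical origin the code is bound to
const OTP_LENGTH = 6;
const VALIDITY_MS = 10 * 60 * 1000;       // generous window for slow or assisted entry

// Build the SMS body. The first line starts with words, so the sender's short code
// is not run together with the digits, and the code is written as single-digit
// tokens so a screen reader announces each digit. The last line is the origin-bound
// "@host #code" format that lets the browser autofill the code via WebOTP.
function formatOtpSms(code) {
  const spaced = code.split("").join(" ");
  return `Your verification code is ${spaced}. It expires in 10 minutes.\n` +
         `@${SENDER_HOST} #${code}`;
}

// Accept the code however it arrives: typed, pasted from a password manager, or
// entered with spaces or hyphens. Keep only the digits.
function normalizeOtp(raw) {
  return String(raw).replace(/\D/g, "");
}

// Compare in constant time so a wrong guess takes as long as a right one.
function otpMatches(submitted, expected) {
  const got = normalizeOtp(submitted);
  if (got.length !== OTP_LENGTH || expected.length !== OTP_LENGTH) return false;
  let diff = 0;
  for (let i = 0; i < OTP_LENGTH; i++) diff |= got.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Server-side check: right code and still inside the validity window.
function verifyOtp(record, submitted, nowMs) {
  return nowMs - record.issuedAtMs <= VALIDITY_MS && otpMatches(submitted, record.code);
}

// Browser side: let autofill and paste work instead of fighting them. There is
// deliberately no paste handler calling preventDefault(); that is what locks out
// password-manager users. Autofill removes the cross-device transcription entirely.
function attachOtpField(input) {
  input.setAttribute("autocomplete", "one-time-code");
  input.setAttribute("inputmode", "numeric");
  if ("OTPCredential" in window) {
    const ac = new AbortController();
    setTimeout(() => ac.abort(), VALIDITY_MS);
    navigator.credentials.get({ otp: { transport: ["sms"] }, signal: ac.signal })
      .then((otp) => { input.value = otp.code; })
      .catch(() => {});                      // fall back to manual entry
  }
}
```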

I once worked with a team investing significant time trying to make a pattern-drawing authentication exercise accessible, only to find that neither users with disabilities nor users without them actually liked or understood it. It turns out the question we should've asked wasn't how to make it more accessible, but whether that mechanism should have existed in the first place.

The most accessible authentication is often the simplest, but institutions rarely embrace that approach because accessibility and security have historically sat in different silos. Security teams are usually adding barriers — extra steps and verification hurdles to slow down bad actors — while accessibility teams spend their careers removing barriers for smoother user journeys. Both instincts make sense in their own right, but when they aren't working together, you end up with login flows that are overly complicated for everyone.

To be clear, these are perfectly solvable challenges. Organizations like ID.me are proof that you can bridge the security and accessibility gap in identity verification. For example, their Call-to-Landline option came directly from feedback from veterans who were getting stuck. Smartphones aren't the only devices people use to access critical government accounts, so designing systems as though they are excludes a significant population.

ID.me's Trusted Referee solution is another example of how flexibility supports accessibility. Through this approach, a real, live ID.me representative guides a user through identity verification via video, while still maintaining the highest privacy standards. For those who might struggle with automated proofing, this option makes the process seamless while protecting user data.

The outcomes speak for themselves. A young person with a developmental disability needed to apply for Social Security benefits and the standard authentication flow wasn't going to work for them. With a Trusted Referee, they completed the process themselves. That's accessible and secure authentication.

The good news is that technology is trending in the right direction. Phishing-resistant, password-less methods, like passkeys and biometrics, are both more secure and more accessible than the one-time code flows they're replacing.

However, not every customer has the device literacy, hardware or confidence to rely on them as a sole option. Alternative, accessible paths remain essential while the ecosystem matures.

The market case reinforces that urgency. More than 70 million U.S. adults have a disability, representing roughly $1.3 trillion in disposable income. Among financial services professionals surveyed by Level Access, 89% say digital accessibility improves customer retention and 88% say it improves customer acquisition.

Stated simply: Inaccessible authentication isn't just a liability — it's a missed market.

The fix isn't as complicated as the problem sounds. In most cases, it starts with a few organizational changes, not a technology overhaul.

The institutions getting this right aren't doing anything radical. They're auditing accessibility and security at the same time, as part of one workstream, and comparing notes. They're pressure testing new authentication methods with users with disabilities before building them, instead of retroactively applying workarounds. And crucially, they've stopped budgeting accessibility as purely a compliance expense, framing it instead as what it truly is: customer retention and market share.

The banking industry was built on the premise that everyone's money deserves protection. Let's make sure "everyone" is actually getting what they need.
