When Two-Factor Authentication Becomes a Barrier:

How Modern Account Security Rules Affect People with Cognitive and Psychosocial Disabilities

Digital services now assume every person can:

  • Maintain a stable phone number

  • Keep a device safe and operational

  • Remember multiple passwords

  • Manage authentication apps

  • Understand security recovery flows

For many people with cognitive, psychosocial, or executive functioning challenges, these assumptions are incorrect.

What is designed as a security improvement can unintentionally become a communication access barrier.

The Security Model Has Changed

Most major platforms — including Microsoft, Google, Apple, and government portals — now require:

  • Two-Factor Authentication (2FA)

  • Authenticator apps

  • SMS verification

  • Backup codes

  • Secondary recovery methods

This model protects against fraud and identity theft.

However, it also introduces dependency on device continuity and procedural memory.

For clients who:

  • Change phone numbers frequently

  • Lose, damage, or replace devices

  • Rely on retail staff for phone setup

  • Have limited working memory

  • Experience impulsive decision-making

  • Have reduced tolerance for administrative complexity

The security model becomes fragile.

The Real-World Pattern

In practice, common triggers include:

  1. Client receives unwanted calls → changes number at a store.

  2. Client smashes or loses phone → buys new device.

  3. Retail staff activate new SIM under new account for commission.

  4. Old number is disconnected immediately.

  5. Online accounts still depend on old number for verification.

  6. Authenticator app was never backed up.

  7. No backup codes were generated.

  8. Client is now locked out of security settings.

At this point:

  • Password resets may work.

  • Email access may partially work.

  • But account security settings cannot be modified.

  • Phone numbers cannot be updated.

  • Authenticator cannot be restored.

  • Recovery options are exhausted.

The account becomes functionally restricted.

Why This Is So Serious

For many special needs clients, email is not casual communication.

It is:

  • Primary contact channel for NGOs

  • Health department notifications

  • Appointment confirmations

  • NDIS documentation

  • Plan reviews

  • Medical referrals

  • Housing communication

  • Government correspondence

When account security becomes unstable:

  • Communication continuity is at risk.

  • Deadlines may be missed.

  • Service coordination can break down.

  • Anxiety and distress increase.

  • Client independence is reduced.

This is not a convenience issue.
It is a participation issue.

The Structural Mismatch

Modern MFA systems assume:

  • Stable identity anchors

  • Device persistence

  • Executive planning capacity

  • Digital literacy

Many vulnerable clients operate in environments where:

  • Phones are replaced impulsively

  • Phone numbers change reactively

  • Devices are damaged or lost

  • Credentials are not stored securely

  • Backup codes are not understood

  • Retail environments do not consider digital ecosystem dependency

The result is a systemic mismatch between security design and lived reality.

The Circular Lockout Problem

When:

  • Authenticator app is the only second factor

  • Phone number is outdated

  • No backup codes exist

  • No secondary email is configured

The system creates a circular lock:

  • To change security settings → authenticate.

  • To authenticate → use the authenticator.

  • To restore authenticator → authenticate.

There is no bypass.
The architecture is functioning as designed.

But for vulnerable clients, this can mean permanent loss of account control.

Cognitive Load and Security Complexity

Two-Factor Authentication adds layers of abstraction:

  • “Something you know” (password)

  • “Something you have” (device)

  • “Something you receive” (SMS or app code)

For individuals with:

  • Memory impairment

  • Impulse control issues

  • Executive dysfunction

  • Low digital confidence

  • Trauma-related avoidance

Each additional layer increases failure probability.

Security resilience increases.
Access resilience may decrease.

Retail Environments and Commission Incentives

Phone stores frequently:

  • Issue new numbers instead of porting existing ones

  • Activate new accounts to increase commission

  • Do not assess downstream account dependency

  • Do not warn clients about MFA implications

For cognitively vulnerable clients, this can unintentionally sever digital identity anchors across:

  • Email accounts

  • Government services

  • Banking

  • Healthcare portals

  • Social platforms

The phone number becomes a hidden keystone in a complex identity system.

Disability Inclusion Perspective

From an accessibility standpoint, this raises important questions:

  • Is MFA cognitively inclusive?

  • Are recovery pathways accessible for people with impaired memory?

  • Do digital platforms assume executive function capacity?

  • Should vulnerable users have supported authentication structures?

Digital inclusion is not only about screen readers or physical access.

It also includes:

  • Identity stability

  • Authentication resilience

  • Communication continuity

Risk Amplification in Special Needs Contexts

The following compounding factors are common:

  • Multiple service providers requiring digital communication

  • High dependency on government systems

  • Limited tolerance for bureaucratic processes

  • Anxiety escalation during lockouts

  • Reduced ability to complete detailed recovery forms

  • No secure method of storing backup codes

Without structural support, clients may cycle through:

  • Lockout → account recreation → data fragmentation → confusion → increased vulnerability

Practical Mitigation Strategies

1. Remove Phone Numbers as Primary Anchor

Phone numbers are volatile in this population.

Instead:

  • Establish a stable recovery email account.

  • Store credentials with trusted support.

  • Add multiple authentication methods.

  • Avoid leaving authenticator as sole factor.

2. Implement Identity Stabilisation Protocol

Before changing phone numbers:

  • Log into all major accounts.

  • Add secondary email.

  • Generate backup codes.

  • Confirm alternate MFA method.

  • Only then proceed with SIM change.
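As an added illustration (not code from the original post or any platform's own tooling), the following Python models the MFA dependency chain described in the Circular Lockout section and runs the pre-change checks of the identity stabilisation protocol above. Each factor depends on one or more identity anchors; a store visit that replaces both handset and number removes two anchors at once. The factor names (sms, authenticator_app, backup_codes, secondary_email), the anchor names, and the two sample accounts are constructed assumptions, not real settings.

```python
"""Recovery-resilience audit for one account's MFA configuration.

Added example, not code from the original article. It models the article's
"MFA dependency chain": every second factor or recovery method depends on
one or more identity anchors (a device, a phone number, a printed code
sheet, a second mailbox). Losing an anchor disables each factor that needs
it; when no factor is left, the account's security settings cannot be
changed and the article's circular lock applies. Factor and anchor names
are illustrative, not any platform's API.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Factor:
    name: str
    anchors: frozenset  # identity anchors this factor needs in order to work


@dataclass
class Account:
    factors: list = field(default_factory=list)

    def anchors(self):
        return set().union(*(f.anchors for f in self.factors)) if self.factors else set()

    def usable_factors(self, lost):
        """Factors still usable after the anchors in `lost` are gone.

        These are the only routes to log in and re-enrol anything lost, so an
        empty list is the circular lock: restoring a factor needs
        authentication, and authentication needs a factor.
        """
        lost = set(lost)
        return [f.name for f in self.factors if not (f.anchors & lost)]

    def locked_out(self, lost):
        return not self.usable_factors(lost)

    def single_points_of_failure(self):
        """Anchors whose loss on its own locks the account."""
        return sorted(a for a in self.anchors() if self.locked_out({a}))

    def minimal_lockout_sets(self, max_size=3):
        """Smallest anchor combinations whose joint loss locks the account.

        A phone replaced at a store typically loses two anchors at once
        (device and number), which a single-point check alone would miss.
        """
        found = []
        for size in range(1, max_size + 1):
            for combo in combinations(sorted(self.anchors()), size):
                if any(set(s) <= set(combo) for s in found):
                    continue  # superset of a smaller lockout set; not minimal
                if self.locked_out(set(combo)):
                    found.append(combo)
        return found


def pre_change_audit(account, planned_loss):
    """Actions the stabilisation protocol requires before a SIM/device change.

    Returns an empty list when it is safe to proceed; otherwise the missing
    steps, in the order the article lists them.
    """
    names = {f.name for f in account.factors}
    actions = []
    if "secondary_email" not in names:
        actions.append("Add secondary email.")
    if "backup_codes" not in names:
        actions.append("Generate backup codes.")
    if account.locked_out(planned_loss):
        actions.append(
            "Confirm an MFA method that does not depend on: "
            + ", ".join(sorted(planned_loss)))
    return actions


# Constructed sample accounts (not real data). The fragile one matches the
# article's pattern: SMS tied to the old number, authenticator on the old
# handset, no backup codes, no secondary email.
FRAGILE = Account([
    Factor("sms", frozenset({"phone_number"})),
    Factor("authenticator_app", frozenset({"phone_device"})),
])
HARDENED = Account(FRAGILE.factors + [
    Factor("backup_codes", frozenset({"code_sheet_with_support_worker"})),
    Factor("secondary_email", frozenset({"secondary_mailbox"})),
])
STORE_VISIT = {"phone_number", "phone_device"}  # new SIM and new handset in one visit

if __name__ == "__main__":
    for label, acct in (("fragile", FRAGILE), ("hardened", HARDENED)):
        print(label, "usable after store visit:", acct.usable_factors(STORE_VISIT))
        print(label, "minimal lockout sets:", acct.minimal_lockout_sets())
        print(label, "pre-change audit:", pre_change_audit(acct, STORE_VISIT))
```

Run stand-alone, the fragile account shows no single point of failure yet one two-anchor lockout set (device plus number), which is exactly the store-visit event; the hardened account survives it because backup codes held by a support worker and a secondary mailbox do not depend on the phone at all. The audit list is what a support worker would work through before the SIM change.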

3. Create Communication Redundancy

Where possible:

  • Forward primary email to secondary account.

  • Ensure NGO contacts have alternate email on file.

  • Maintain documented credential structure.

4. Support Worker Training

Support workers and carers should understand:

  • MFA dependency chains

  • Risks of number changes

  • Importance of backup codes

  • Need for authentication redundancy

This is an assistive systems issue, not a basic IT task.

The Bigger Conversation

Security architecture prioritises fraud prevention.

For most users, this is appropriate.

But for vulnerable populations:

  • Excessively rigid authentication can become exclusionary.

  • Digital identity becomes fragile.

  • Independence can be reduced rather than enhanced.

As services increasingly move online, authentication stability becomes part of functional capacity.

This is not a minor inconvenience.
It affects:

  • Healthcare access

  • Government engagement

  • Financial participation

  • Community inclusion

Conclusion

Modern security rules are not inherently flawed.

However, they are designed for cognitively stable, digitally literate users with consistent device ownership.

For people with cognitive, psychosocial, or executive functioning challenges, these systems can unintentionally create barriers to communication and participation.

The solution is not weaker security.

The solution is structured, supported identity architecture.

For vulnerable clients, digital identity must be treated as assistive infrastructure — not as an afterthought.

Stability in authentication is stability in access.
