The Captcha Conundrum & Accessible Alternatives
When a website needs its visitors to prove they’re human, what is the most common technique developers use? If you’ve used the internet, you already know the answer. It’s CAPTCHA.
Ever wondered what all those letters stand for? Completely Automated Public Turing test to tell Computers and Humans Apart. Now you can win Jeopardy if that question is ever asked.
CAPTCHA is generally easy for people with normal eyesight to complete, but it presents a lot of problems for people like me with vision impairments. We need an alternative that isn’t just visual.
For example, I wanted to contribute to the accessibility pages on Wikipedia recently and decided to make an account. I thought the process would be easy to register and start making edits, but I was quickly proved wrong. It requires solving a CAPTCHA.
I thought there might be an alternative method to complete my registration, but the whole exercise to find an alternative on Wikipedia frustrated me. In fact, I never found an alternative that day that used audio or a one-time confirmation code sent to a mobile device.
This is what it’s like to be a visually impaired person who uses the internet. Even the world’s most popular sites aren’t completely accessible.
CAPTCHA technology has evolved through the years, but there are a lot of small things that have not changed. I eventually learned that Wikipedia offers an alternative method that requires Requesting an account.
I believe we can make the process more robust
This problem is not something that should be blamed entirely on Wikipedia. The real problem is that we’re fighting spam with CAPTCHA systems that are outdated and inaccessible. In this instance, the CAPTCHA was image-only and its refresh button is not keyboard accessible. It also doesn’t offer any alternatives for users to bypass it.
People with all types of disabilities struggle with CAPTCHA systems, but the groups most affected are the low-vision and blind users. This is the specific reason CAPTCHA is included as part of non-text content in WCAG guidelines. But even then, a downside of providing visual and audio CAPTCHA options is that users who are deaf and blind cannot access either one.
Now that you know the problems CAPTCHA presents for people with disabilities, let’s look at some alternatives to only using visual and audio CAPTCHA variations:
Emails and Text Messages
One of the most efficient ways to verify a user is to provide a verification code. Since these security codes are sent by email and placed between words in a sentence, it is difficult for a bot to identify and complete the transaction.
Text messages, also known as one time passwords (OTP) for phones, are the most secure way to verify if someone is human. A user who is filling out a form or seeking the information cannot finish a transaction with a fake phone number or other people’s phone numbers.
Many platforms have adopted 2-factor authentication (2FA), which sends text messages to mobile devices. These platforms also logout users from all of their devices when they suspect a security breach has happened or multiple failed login attempts have been made.
The Honeypot Method
A honeypot is a system that tricks bots into making submissions using an invisible form. When this technique is used, the text field is removed from the DOM for keyboard users. When bots submit the form by filling the honeypot, the transaction fails. A lot of spam form submissions can be avoided with this technique.
Logical or Mathematical Tests
These tests present users with a simple question that needs to be answered, such as “Is fire hot or cold?” Many times, like in this example, the answer is provided either within the question or on a separate line.
The only drawback to using this method relates to cognitive overload. Some users with cognitive disabilities can have a difficult time understanding how to respond. Anyone using this method should remember to keep the answers to their questions simple. Otherwise, even humans won’t be able to understand them.
Phone Call Verification
Some platforms only provide a security verification code through an automated phone call. While this is secure, it presents a problem for users who are deaf.
One of the most popular CAPTCHA systems is Google’s reCAPTCHA. It only has a box to check and asks if you are human. Nothing else is required.
More than all the others, this has been more accessible for me than the other systems. As long as Google recognizes you, then it allows you through the system.
The biggest problem I see with this type of CAPTCHA is that it often labels screen reader behavior as a bot. This type of verification can also time out before a person finishes the task to check the box, which leads to a transaction failure.
Some screen reader users have also had issues with sites that use this where a message is read out as “this site is protected by reCAPTCHA” in the footer section of the page. However, on the front end, there is no checkbox or any kind of challenge for the user to complete.
One of the most interesting CAPTCHA solutions I’ve come across is hCaptcha, which requires a user to sign-up with the solution provider. Then, whenever they come across an hCAPTCHA, they pass automatically. I believe a cookie is inserted into the user’s device to identify them as a human. You can learn more about this solution on the hCAPTCHA website.
How You Can Help Solve The CAPTCHA Problem
If you are fighting spam using any of the CAPTCHA systems or methods I’ve mentioned here, please remember there is a large group of internet users who cannot access most of the legacy methods still in the market.
Also keep in mind that people can have more than one disability when you consider verification systems. It’s always better to offer multiple options that work for multiple types of disabilities than just one or two. It will significantly help people with disabilities, and it should also result in more conversions and recurring customers on your website.
Nice article. This has been on my mind for a while now.
I wanted to mention that due to alpha imaging, your lead illustration is illegible when in dark mode agitating as dark grey on black.
I shared the story and discover this result in posting to my team.
Images on this site are new addition, my visual assist is working on them & she has extraordinarily little accessibility knowledge. I will work with someone who can investigate this & got some experience in accessibility space. As a blind person it is difficult to investigate things like these.
Thanks for sharing this info.
*agitating meant to be appearing
Nice article! If Google decides you are suspicious, they make it impossible to pass their audio challenge. A correct answer will fail. I have noticed this when using a VPN. Even if it works, it is still impossible for many people with hearing disorders. hCaptcha seems like the best solution so far.
Agree, I had challenges with google captcha system, the hack I follow is that I use the Gmail account while activating the checkbox. Hcaptcha seems like a suitable alternative & I gave it a spin, for now I like the experience.
“CAPTCHA is generally easy for people with normal eyesight to complete…” Sorry, I disagree completely. They stink for everyone. If all of the tech companies in all of the countries of the world wanted to end spam and hackers, it could be done. But they would lose lots of money.
I wrote the post from the perspective of someone who is blind like me. When I get challenged with a captcha, I ask my visual assist to help with it. My visual assist gets through the captcha in few seconds. So, this gave me the reason to put those words in there.
I agree with your comment.
Hi Raghav thanks for sharing the captcha resources like hcaptcha. Have been in search of various alternatives.
I’ve got a question about CAPTCHA’s in general:
Why is it my responsibility as a user to help a site prevent spam? It’s not my fault that spam exists, so why should I be blocked to use any part of any website for any purpose? It’s easy to pass the buck to users, but is that fair?
In my opinion the exemption in WCAG for CAPTCHA only applies to the text alternative for an image CAPTCHA. So the reCAPTCHA checkbox needs to pass all success criterions including “Timing Adjustable” and “Non-text Contrast”, therefore it’s use is not WCAG 2.1 AA compliant as far as I can tell.
Also see https://www.w3.org/TR/turingtest/
“It is important to understand the limitation of the WCAG CAPTCHA exemption. It applies only to the content of the CAPTCHA. WCAG still requires that alternative text identify the graphical object as a CAPTCHA. Conformance with all other WCAG guidelines also remains critical for web accessibility.”
Yes, as users we are not supposed to be fighting spam, there should be more automation and secure alternatives.
You are correct, the captcha systems like google reCAPTCHA is not fully WCAG compliant. Most of the times the checkbox allows user to pass through security and when it fails the audio is not useful as it is not clearly audible.
I agree with each of your points, I added google reCAPTCHA and will consider removing it. In my view google reCAPTCHA is mostly allowing users pass the captcha by checking the checkbox. All points you made are valid and I will update the post.