Effective alternatives to inaccessible CAPTCHAs

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) improves website security by checking that an online form has been completed by a real person, not a machine.

CAPTCHAs typically work by displaying an image of distorted characters that must be correctly replicated before online forms can be submitted. Since machines don’t have eyes and can’t rely on Optical Character Recognition (OCR) when letters are distorted, CAPTCHAs are usually quite good at separating people from machines.

The letters 's', 'm', 'w' and 'm' are visually distorted.

CAPTCHAs are implemented purely to stop spammers. The negative impact CAPTCHAs can, and often do, have on user experience often seems to be overlooked. Check out this list of top 10 worst CAPTCHAs to discover just how frustrating they can be.

More than just frustrating, CAPTCHAs can be entirely inaccessible to people with a disability or impairment. Blind users, for example, rely on screen readers such as JAWS, NVDA or VoiceOver to read out the content of a web page. But screen readers are machines too, and are unable to decipher text in an image, such as those used in CAPTCHAs. They need a text alternative (‘alt’ text), but to supply this for a CAPTCHA would be counterintuitive for security. This video from The American Foundation for the Blind demonstrates how CAPTCHAs on social networking sites shut out blind users.

People with low vision may also struggle with CAPTCHAs because the text becomes blurry when magnified. Similarly, the distorted characters can be hard to decipher by people with some cognitive disorders, such as dyslexia.

''

Not a new issue, In 2011 Tim Kadlec called for death to CAPTCHAs and made a strong argument against their use: “Spam is not the user’s problem; it is the problem of the business that is providing the website. It is arrogant and lazy to try and push the problem onto a website’s visitors.” And more recently, major Australian consumer advocacy organisations have launched a campaign to “kill CAPTCHA”. Let’s explore our options…

Can CAPTCHAs be accessible? 

We’re often asked if CAPTCHA can be used in accessible web form security. The answer is yes, however, the form elements must (in accordance with global web accessibility standards – the Web Content Accessibility Guidelines (WCAG) version 2.0):

  • Have a text alternative that clearly defines the purpose of the primary CAPTCHA such as “Type the word in the image” or “Type the letters spoken in the audio” (WCAG G143).
  • Provide an alternative modality to the primary CAPTCHA (WCAG G144).
  • Be keyboard accessible in logical sequence, and meet all other WCAG success criteria such as sufficient text colour contrast, text zoom and motion control.

Accessibility is hard to achieve with visual CAPTCHA, and commonly a poor experience for most website users. For this reason we recommend text-based CAPTCHA alternatives, logical thought systems and other visual CAPTCHA alternatives that can be more usable and accessible. Before we get into these, let’s first have a look at a few visual CAPTCHA security options.

Visual CAPTCHAs

reCAPTCHA

 

reCAPTCHA showing two distorted word images, a text field for users to type these words, and buttons to reset the CAPTCHA, get help or request an audio version.

Google’s reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. Google claims, “It's accessible. reCAPTCHA has an audio test that allows blind people to freely navigate your site.” However, sometimes the letters are so distorted that they become impossible to read. Also, the ‘play’ button for the audio alternative is not keyboard-accessible and the sound is often as garbled as the text is distorted.

“My experience with audio CAPTCHA has been almost as inaccessible as visual CAPTCHA – I must have listened to the Skype audio CAPTCHA 20 times before I gave up and asked my sighted friend to set up my account,” said ACCAN disability policy advisor Wayne Hawkins, who is blind.

All in all this is not a great experience for your users and may even turn people off your website.

No CAPTCHA reCAPTCHA

Checkbox with the statement 'I'm not a robot' beside it.
Google’s most recent development is No CAPTCHA reCAPTCHA, which it says “radically simplifies the reCAPTCHA experience.” Already installed on a number of sites, I tested it on snapchat.com. It works like this:

 

  1. Stage one: Tries to identify you as human rather than a robot by monitoring your behaviours when checking an “I’m not a robot” checkbox.
  2. Stage two: If it can’t verify your behaviours then a traditional reCAPTCHA window is provided for users to complete verification.

If it identifies you as a non-robot from the outset (stage one) then verification is quick and easy for all users.

Green tick beside statement: 'I'm not a robot.'

However, this doesn’t seem to happen very often. Most of the time, checking the checkbox only partially validated my humanity, which meant I had to complete a traditional reCAPTCHA each time as well (stage two).

No CAPTCHA reCAPTCHA has defaulted to traditional reCAPTCHA using distorted characters. An audio icon is shown at the bottom of the reCAPTCHA.

 

The No CAPTCHA reCAPTCHA is keyboard accessible (already an improvement over its predecessor), but support for assistive technologies* is varied.

 

The tool works really well for NVDA screen reader users with Firefox. However, keyboard accessibility doesn’t seem to work for JAWS screen reader users with Internet Explorer, meaning these users are unable to complete stage two at all.

 

The No CAPTCHA reCAPTCHA shows a lot of promise because it relies on user behaviours to determine humanity, only falling back to traditional reCAPTCHA (stage two) when it can’t make a determination. Perhaps in time this fallback won’t be required as Google improves its algorithms.

 

*Tested using Internet Explorer 9 with JAWS 14, Firefox 33 with NVDA 2014.2.

NuCaptcha

NuCAPTCHA Security Challenge showing letters XYT, a text field to type these letters, reset, help and audio version buttons.

NuCaptcha uses moving letters rather than distortion to evade robots. Its characters are much clearer and the audio alternative is both keyboard-accessible and easier to decipher. However, text motion cannot be paused which can be problematic for people with some cognitive disorders.

visualCaptcha

visualCaptcha tests the human capacity for logical thought. To pass, users must select a common object from a line-up of other objects, as shown below.

Users are asked to find and then click or touch the umbrella icon. There are reset and audio version buttons.

For vision impaired users a clear audio alternative also favours logical thought process. Rather than deciphering garbled sounds users answer a simple question, for example “what is the first letter of the alphabet?” or “what is twelve times two?”

In the current version selection requires use of a mouse on a desktop computer or touch on a portable device such as a tablet or smartphone. But you can’t use this CAPTCHA if you rely on a keyboard. Even the ‘play’ audio button is not keyboard accessible, therefore visualCaptcha can’t be used by people who are blind or some people with mobility impairment.

 

''

FunCaptcha

I couldn’t leave this story without touching on a new CAPTCHA craze… FunCaptcha. Yes, traditional CAPTCHAs can be a bit boring, so why not substitute it for a game? Users verify their humanness by moving or clicking images in response to a visual cue. For example:

 

FunCAPTCHA example. To complete the test “Move the woman into the middle” users must select the correct picture and move it.

Whilst some may consider FunCaptcha to be more entertaining, this gaming interface can be difficult or impossible for people with vision or mobility impairment.

Accessible alternative CAPTCHAs

Visual recognition is one way to separate human from machine, but it’s not the only way. Humans can think and make logical decisions, and some website security elements use these traits to separate man from machine.

Text CAPTCHA

Need logical questions and answers? Text CAPTCHA is a web service to generate textual CAPTCHAs based on simple logic questions. It has over 180 million questions in its database including:

  • Which digit is seventh in the number 8344012?
  • Which of elbow, monkey, Robert or rain jacket is a person's name?
  • What is seventy two thousand two hundred and ninety nine as a number?
  • The third letter in "stimulating" is?

These questions are designed for the intelligence of a seven-year-old child. The biggest problem with logic questions is that they’re specific to a language, usually English.

Use this web service to generate your own text-based CAPTCHAs (requires registration).

Text CAPTCHA examples:

ActsAsTextcaptcha provides spam protection using logic questions from the Text CAPTCHA web service. This Text CAPTCHA uses plain text rather than an image, and relies on logical thought to answer a simple question. It is fully accessible.

Quick spam check to prove you’re a human (you have 2 minutes to answer). The brown dress is what colour?

Like ActsasTextcaptcha, Finmod asks a logical question in plain text. For example:

Monday, Tuesday, Wednesday, Thursday. What comes next? Required.

Other website security options

CAPTCHA is not the only website security solution.

Phone, text and email verification

Email verification, where you acknowledge receipt of an email is a common authentication technique that can be very accessible. Another way is telephone or SMS authentication.

My bank asks me to confirm online payments by SMS. Before authorising online bill payment:

  • The bank sends a text message to my mobile phone with a ‘pass code’.
  • I authenticate myself by correctly entering this code into my bill payment screen.

Security form: The SMS may take a few minutes to arrive, depending on your phone network. Type the generated code into the text field.

Similarly, by providing their phone number Microsoft users can verify themselves over the phone, or by SMS. 

Users provide their phone number and choose ‘send text message’ or ‘call me’.

A restriction of these approaches is the assumption that all users will have a mobile phone.

Honey pots

It’s argued that the best type of security for your website is one that your visitors don’t even notice. Enter the honey pot, a kind of reverse CAPTCHA.

 

Sticky honey in a lidless jar.

Honey pots are hidden fields that bots can see but humans can’t. They trap bots like flies by having them complete form fields.

If data is inserted into this “honey pot,” the website administrator could be certain that it was not done by a genuine user.

Unfortunately screen readers can see them too and may become trapped. A workaround is to include a warning in the form label such as “Leave this field blank” but this can still be confusing.

Read about Project Honey Pot.

A final word

There are perfectly accessible alternatives to visual CAPTCHA that deliver inclusive experiences without compromising website security.

However, if you cannot avoid visual CAPTCHA:

  • Clearly define the purpose of the image for screen reader users.
  • Opt for numbers rather than letters – they’re usually more readable.
  • Provide an audio alternative that is keyboard-accessible and readily discernible.
  • HELP! If a user fails the CAPTCHA, include a helpful, accessible error message with contact details for assistance. 

The author, Gerry Neustatl is a digital accessibility consultant for Digital Access at Vision Australia. 

 

Image
Captcha example

Leave us your thoughts