CAPTCHA: Inaccessible to Everyone

Share this article

What’s a CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. On the webpage, a CAPTCHA is a security measure designed to keep out robots by asking the user to key in characters displayed in a box. Yes, that’s the one: where you have to decipher some squiggly words and enter them in a field before you can submit an online form.And often do it three or four times before you’re successful. For example: CAPTCHAs For more information on definitions, see the comprehensive Wikipedia article on CAPTCHAs. As far as the real world goes, there are some real doozies out there, like the moving CAPTCHA we found recently in an audit (we’re rebuilding the site so it won’t be there long!) John Foliot found some inexpressibly confusing CAPTCHAs, an article which is worth a read – please note there is a lot of movement in the article (and no it doesn’t fail the flickering accessibility requirements even if it looks like it)!

Why are there so many CAPTCHAs?

Really, the world would be a much easier place without CAPTCHAs. They are confusing and difficult and we are all time-poor. And surely people want us to use their web site / submit their form / sign up to their newsletter? The reason that there are so many CAPTCHAs is that there is so much spam in the world. They are perceived as an effective way to prevent robots from, for example, posting comment spam on blogs. Another common use is to prevent robots with more criminal intent from logging into online bank accounts and the like. The CAPTCHA is, in reality, a reverse Turing test – performed by a machine to make sure the person filling out the form is, well, a person. This is also why they are often difficult to interpret. If they were easy to read, then machines could read them, and that would defeat the point.

What about accessibility?

Not only are CAPTCHAs difficult for anyone to use, they are notoriously inaccessible to people with some types of disabilities. In fulfilling their designated brief of keeping out machines, they keep out people using assistive technologies such as screen readers, thereby closing the door on millions of blind people. So, if you’re blind, use a screen reader and want to log into your CAPTCHA-protected bank account, well … bad luck. Isn’t there a law against that? There ought to be. There is even a specific section in the Web Content Accessibility Guidelines, Version 2.0 about CAPTCHA, in which their inaccessibility is acknowledged, but the WCAG Working Group feel they can’t be too hard-line about it:
CAPTCHAs are a controversial topic in the accessibility community. As is described in the paper Inaccessibility of CAPTCHA, CAPTCHAs intrinsically push the edges of human abilities in an attempt to defeat automated processes. Every type of CAPTCHA will be unsolvable by users with certain disabilities. However, they are widely used, and the Web Content Accessibility Guidelines Working Group believes that if CAPTCHAs were forbidden outright, Web sites would choose not to conform to WCAG rather than abandon CAPTCHA. This would create barriers for a great many more users with disabilities. For this reason the Working Group has chosen to structure the requirement about CAPTCHA in a way that meets the needs of most people with disabilities, yet is also considered adoptable by sites. Requiring two different forms of CAPTCHA on a given site ensures that most people with disabilities will find a form they can use. Because some users with disabilities will still not be able to access sites that meet the minimum requirements, the Working Group provides recommendations for additional steps. Organizations motivated to conform to WCAG should be aware of the importance of this topic and should go as far beyond the minimum requirements of the guidelines as possible. Additional recommended steps include:
  1. Providing more than two modalities of CAPTCHAs
  2. Providing access to a human customer service representative who can bypass CAPTCHA
  3. Not requiring CAPTCHAs for authorized users”

https://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html

The emphasis in the above quote is mine. When they talk about “two different forms of CAPTCHA”, they mean one that requires sight to complete plus one that relies on audio and should therefore be accessible to people with impaired vision. They then acknowledge that still won’t make it accessible to everyone.

In reality, the ones that rely on vision are so difficult to use for fully sighted people, while the audio versions use sounds so distorted that no-one can make them out.

So basically they are inaccessible, but the Working Group decided that if people had to choose between CAPTCHAs and WCAG2 they would choose CAPTCHAs, so they allowed for it anyway. I believe there are some effective unique and most importantly, accessible, alternatives to CAPTCHA, but I’ll talk about that in a later article.

What about reCAPTCHA – it’s accessible isn’t it?

In a word, no. recaptcha I’m always asked about reCAPTCHA, or what about Accessible CAPTCHA? I have tested numerous CAPTCHAs and I have never come across an accessible CAPTCHA. Feel free to prove me wrong. But I am also yet to find a CAPTCHA that complies to WCAG2 either. There is a fundamental disconnect in intent that means it is highly unlikely that a universally accessible CAPTCHA, or even a set of different CAPTCHAs will ever be devised. CAPTCHAs are, by definition, exclusive: they are are there to keep baddies out. Their way of testing “badness” does not allow for the legitimate use of machines. So they will tend to be inaccessible. To understand how this becomes a negative spiral, you only have to look at the Google Account Sign Up process. In order to make it “accessible”, Google provide an audio version. A group of hackers was able to prove that it could pass the audio test robotically (read more about it in the article Google recaptcha brought to its knees
). Did Google concede the CAPTCHA was a failure and should be replaced by something more accessible? Not a bit of it. Instead, they made the audio more distorted so that a machione couldn’t possibly interpret it correctly – and nor could any human. Seriously. Try the Google CAPTCHA yourself. One of the hackers pinpointed out the problem:
While the changes stymied the Stiltwalker attack, Adam said his own experience using the new audio tests leaves him unconvinced that they are a true improvement over the old system. “I could only get about one of three right,” he said. “Their Turing test isn’t all that effective if it thinks I’m a robot.”
Couldn’t have said it better myself. In my next article, I’ll explore how to replace CAPTCHAs with accessible options, while maintaining security and preventing spam.

Frequently Asked Questions about CAPTCHA Accessibility

Why are CAPTCHAs often difficult to read?

CAPTCHAs are intentionally designed to be difficult for machines to read, in order to prevent automated bots from spamming or abusing online services. They often use distorted text, overlapping characters, and complex backgrounds to achieve this. However, this can also make them challenging for humans, particularly those with visual impairments or dyslexia.

What are some alternatives to traditional CAPTCHAs?

There are several alternatives to traditional CAPTCHAs that can be more accessible. These include audio CAPTCHAs, which read out a series of numbers or letters, and logic-based CAPTCHAs, which ask the user to solve a simple problem or question. There are also image-based CAPTCHAs, where users are asked to identify certain objects or patterns in a picture.

How can I make my website’s CAPTCHA more accessible?

There are several ways to make your website’s CAPTCHA more accessible. One option is to offer an audio CAPTCHA alongside the visual one. You could also consider using a logic-based CAPTCHA, or implementing a system that only presents a CAPTCHA after several failed login attempts. It’s also important to ensure that your CAPTCHA is compatible with screen readers and other assistive technologies.

Why are CAPTCHAs important for website security?

CAPTCHAs are a crucial tool in preventing automated bots from abusing online services. Bots can be used for a range of malicious activities, from spamming comment sections to brute force login attempts. By requiring users to complete a task that’s difficult for machines, CAPTCHAs can help to ensure that only humans are able to access certain features or areas of a website.

Are CAPTCHAs discriminatory towards visually impaired users?

Traditional CAPTCHAs can be challenging for visually impaired users, as they often rely on the ability to decipher distorted text or images. However, there are alternatives available, such as audio CAPTCHAs, which can be more accessible. It’s important for website owners to consider accessibility when implementing CAPTCHAs, and to offer alternatives where possible.

Can CAPTCHAs be bypassed by bots?

While CAPTCHAs are designed to be difficult for machines to solve, they are not foolproof. Advanced bots and AI systems can sometimes bypass them, particularly if they are poorly designed or implemented. However, they still provide a significant barrier to automated abuse, and are an important part of a multi-layered security strategy.

Are CAPTCHAs a form of user verification?

Yes, CAPTCHAs are a form of user verification. They are designed to confirm that a user is human, and not a bot. However, they do not provide any information about the identity of the user, and should not be used as a sole method of authentication.

Can CAPTCHAs affect user experience?

Yes, CAPTCHAs can affect user experience. If they are too difficult to solve, or if they are not accessible to all users, they can create frustration and potentially deter users from using a service. It’s important to balance the need for security with the need for a smooth and accessible user experience.

What is the future of CAPTCHAs?

The future of CAPTCHAs is likely to involve more sophisticated and accessible methods of distinguishing humans from bots. This could include biometric verification, behavioral analysis, and machine learning algorithms. However, the fundamental principle of CAPTCHAs – requiring a task that’s easy for humans but difficult for machines – is likely to remain the same.

Are CAPTCHAs necessary for all websites?

Not all websites need to use CAPTCHAs. They are most useful for sites that are at risk of automated abuse, such as those with comment sections, login forms, or online voting systems. If your website does not have these features, or if you have other effective security measures in place, a CAPTCHA may not be necessary.

Gian WildGian Wild
View Author

Gian Wild has been working in accessibility since 1998. She worked on the very first Australian accessible web site and was the accessibility consultant for the Melbourne 2006 Commonwealth Games. For six years she was actively involved in the W3C Web Content Accessibility Guidelines Working Group. Gian Wild is the Director of AccessibilityOz.

Share this article
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
Loading form