CAPTCHA: Inaccessible to Everyone

Gian Wild

What’s a CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

On the webpage, a CAPTCHA is a security measure designed to keep out robots by asking the user to key in characters displayed in a box.

Yes, that’s the one: where you have to decipher some squiggly words and enter them in a field before you can submit an online form. And often do it three or four times before you’re successful.

For example:

[Image: CAPTCHAs]

For more information on definitions, see the comprehensive Wikipedia article on CAPTCHAs.

As far as the real world goes, there are some real doozies out there, like the moving CAPTCHA we found recently in an audit (we’re rebuilding the site so it won’t be there long!).

John Foliot found some inexpressibly confusing CAPTCHAs; his article is worth a read. Please note there is a lot of movement in the article (and no, it doesn’t fail the flickering accessibility requirements, even if it looks like it)!

Why are there so many CAPTCHAs?

Really, the world would be a much easier place without CAPTCHAs. They are confusing and difficult and we are all time-poor. And surely people want us to use their web site / submit their form / sign up to their newsletter?

The reason that there are so many CAPTCHAs is that there is so much spam in the world. They are perceived as an effective way to prevent robots from, for example, posting comment spam on blogs.

Another common use is to prevent robots with more criminal intent from logging into online bank accounts and the like.

The CAPTCHA is, in reality, a reverse Turing test – performed by a machine to make sure the person filling out the form is, well, a person.

This is also why they are often difficult to interpret. If they were easy to read, then machines could read them, and that would defeat the point.

What about accessibility?

Not only are CAPTCHAs difficult for anyone to use, they are notoriously inaccessible to people with some types of disabilities.

In fulfilling their designated brief of keeping out machines, they keep out people using assistive technologies such as screen readers, thereby closing the door on millions of blind people. So, if you’re blind, use a screen reader and want to log into your CAPTCHA-protected bank account, well … bad luck. Isn’t there a law against that? There ought to be.

There is even a specific section in the Web Content Accessibility Guidelines, Version 2.0 about CAPTCHA, in which their inaccessibility is acknowledged, but the WCAG Working Group feel they can’t be too hard-line about it:

“CAPTCHAs are a controversial topic in the accessibility community. As is described in the paper Inaccessibility of CAPTCHA, CAPTCHAs intrinsically push the edges of human abilities in an attempt to defeat automated processes. Every type of CAPTCHA will be unsolvable by users with certain disabilities. However, they are widely used, and the Web Content Accessibility Guidelines Working Group believes that if CAPTCHAs were forbidden outright, Web sites would choose not to conform to WCAG rather than abandon CAPTCHA. This would create barriers for a great many more users with disabilities. For this reason the Working Group has chosen to structure the requirement about CAPTCHA in a way that meets the needs of most people with disabilities, yet is also considered adoptable by sites. Requiring two different forms of CAPTCHA on a given site ensures that most people with disabilities will find a form they can use.

Because some users with disabilities will still not be able to access sites that meet the minimum requirements, the Working Group provides recommendations for additional steps. Organizations motivated to conform to WCAG should be aware of the importance of this topic and should go as far beyond the minimum requirements of the guidelines as possible. Additional recommended steps include:

  1. Providing more than two modalities of CAPTCHAs
  2. Providing access to a human customer service representative who can bypass CAPTCHA
  3. Not requiring CAPTCHAs for authorized users”

https://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html

The emphasis in the above quote is mine. When they talk about “two different forms of CAPTCHA”, they mean one that requires sight to complete plus one that relies on audio and should therefore be accessible to people with impaired vision. They then acknowledge that still won’t make it accessible to everyone.

In reality, the ones that rely on vision are difficult to use even for fully sighted people, while the audio versions use sounds so distorted that no-one can make them out.

So basically they are inaccessible, but the Working Group decided that if people had to choose between CAPTCHAs and WCAG2 they would choose CAPTCHAs, so they allowed for it anyway.

I believe there are some effective, unique and, most importantly, accessible alternatives to CAPTCHA, but I’ll talk about those in a later article.

What about reCAPTCHA – it’s accessible, isn’t it?

In a word, no.

[Image: reCAPTCHA]

I’m always asked, “What about reCAPTCHA?” or “What about Accessible CAPTCHA?” I have tested numerous CAPTCHAs and I have never come across an accessible CAPTCHA. Feel free to prove me wrong.

But I am also yet to find a CAPTCHA that complies with WCAG2 either.

There is a fundamental disconnect in intent that means it is highly unlikely that a universally accessible CAPTCHA, or even a set of different CAPTCHAs, will ever be devised.

CAPTCHAs are, by definition, exclusive: they are there to keep baddies out. Their way of testing “badness” does not allow for the legitimate use of machines. So they will tend to be inaccessible.

To understand how this becomes a negative spiral, you only have to look at the Google Account Sign Up process. In order to make it “accessible”, Google provide an audio version. A group of hackers was able to prove that it could pass the audio test robotically (read more about it in the article Google recaptcha brought to its knees).

Did Google concede the CAPTCHA was a failure and should be replaced by something more accessible? Not a bit of it. Instead, they made the audio more distorted so that a machine couldn’t possibly interpret it correctly – and nor could any human. Seriously. Try the Google CAPTCHA yourself.

One of the hackers pinpointed the problem:

While the changes stymied the Stiltwalker attack, Adam said his own experience using the new audio tests leaves him unconvinced that they are a true improvement over the old system.

“I could only get about one of three right,” he said. “Their Turing test isn’t all that effective if it thinks I’m a robot.”

Couldn’t have said it better myself.

In my next article, I’ll explore how to replace CAPTCHAs with accessible options, while maintaining security and preventing spam.