Best CAPTCHAs for Accessibility
By Eva Schiller
August 3, 2022
When bots try to invade online spaces, CAPTCHA is often the first line of defense. Despite their widespread use, many CAPTCHAs act as huge barriers to online accessibility. As such, online platforms must make thoughtful choices when implementing bot-prevention technology. Otherwise, they run the risk of inadvertently blocking real, human users as well.
What is CAPTCHA?
CAPTCHA is short for Completely Automated Public Turing tests to tell Computers and Humans Apart. It is a tool allowing websites to distinguish between bots and humans. It is often used to prevent bots from infiltrating forms, comment sections, and chat rooms, thus improving security, suppressing spam, and protecting user information.
CAPTCHA typically prompts the user to complete a puzzle. Some classic challenges include identifying a warped sequence of letters or selecting which images from a collection contain some item. The tasks are designed to require human insight, so most bots will answer incorrectly and get intercepted.
What factors make CAPTCHA inaccessible?
Accessibility is too often ignored in our online world. As such, it is crucial for websites to stay vigilant about features that may serve as a barrier to potential users. CAPTCHAs are no exception, with numerous factors contributing to their frequent lack of accessibility.
One major concern is whether the required tasks are compatible with common disabilities. Depending on the ‘human’ skill required to answer the prompt, those with visual, auditory, or cognitive impairments may find it downright impossible. Another common barrier is whether tasks can be completed via keyboard. This consideration is crucial for users with mobility-related challenges, who cannot use a mouse or trackpad. Other considerations include language barriers for non-English speakers, as well as limiting time constraints.
Ranking CAPTCHAs from least to most accessible
While no CAPTCHA is perfect, some are certainly better for accessibility online. Below, available CAPTCHAs and bot-preventing alternatives are ordered from least to most accessible, based on how they handle the barriers to accessibility listed above.
3. reCAPTCHA v2
reCAPTCHA v2 is a service offered by Google. With millions of uses worldwide, it is the most common version of CAPTCHA. Developed in 2014, this software prompts users to check a box indicating that they are not a robot. It then checks if the movements used to do so are natural and combines this metric with information gathered from Google cookies about the user’s browser activity. If a user is deemed safe, they are finished. If they are deemed suspicious (perhaps by rejecting cookies or using a non-Chrome browser), reCAPTCHA v2 will follow up with a visual or audio challenge.
This version of CAPTCHA falls in last place for accessibility. It penalizes those who do not want cookies or prefer to use a non-Chrome browser, prompting them to take more difficult tests that serve as a barrier to entry. If users have disabilities like blindness or dyslexia, the additional challenges block them from accessing the sites altogether. reCAPTCHA v2 also poses a problem to users with mobility challenges since the pop-up displaying these puzzles has poor keyboard functionality.
2. hCaptcha
hCaptcha is a slightly better option for accessibility. Much like reCAPTCHA v2, it prompts the user to click a checkbox, checks for natural movements, then provides further visual puzzles if needed. However, unlike reCAPTCHA v2, hCaptcha has an added Accessibility option. Those who find the visual puzzle difficult can opt to sign up for hCaptcha as an accessibility user. They enter their email address to receive an encrypted cookie that bypasses the CAPTCHA test. After 24 hours, however, the cookie expires, and the user must sign in again to regain access.
Ideally, a good CAPTCHA will remain accessible to all human users while retaining its primary benefits of privacy and security. This option is innovative in allowing users with disabilities to bypass the puzzles completely. However, it does compromise user privacy, as Accessibility Users must give up their emails just to access sites.
1. reCAPTCHA v3
reCAPTCHA v3, released by Google in 2018, does not interact with users at all. It monitors the user’s behavior in the background as they browse the site. Each time they make a request, the software scores it for suspiciousness and reports that value to the programmer. It is then up to the company to determine the threshold for action, and what steps should be taken. For example, multi-factor identification or additional CAPTCHA tests might be used as a fallback.
At first glance, this version of reCAPTCHA seems like the ideal solution. Since the whole process occurs behind the scenes, users with disabilities are at no disadvantage. However, this simplicity comes at a cost. Since reCAPTCHA v3 only gives a numerical result, the developer must choose a course of action themselves in the case of ambiguous users. The challenge of accessibility was not solved; it was only shifted to a new programmer. Thus, even this version may again lead back to more traditional CAPTCHA tests.
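The threshold decision described above can be written as a small server-side policy function. This is an added example, not code from the article or from Google: it takes the already-parsed JSON response of the reCAPTCHA v3 verification call, and the thresholds, step-up method names and hostname are assumptions chosen for illustration.

```javascript
// Added example: a policy layer over a parsed reCAPTCHA v3 siteverify response.
// Thresholds, step-up method names and the hostname are assumptions.
const POLICY = { allowAt: 0.7, strongStepUpBelow: 0.3 };

function decide(result, expected, policy = POLICY) {
  // A failed verification (invalid, expired or reused token) never passes.
  if (!result || result.success !== true) {
    return { outcome: 'deny', reason: 'verification_failed' };
  }
  // Bind the token to this site and to the form action it was issued for.
  if (result.hostname !== expected.hostname) {
    return { outcome: 'deny', reason: 'hostname_mismatch' };
  }
  if (result.action !== expected.action) {
    return { outcome: 'deny', reason: 'action_mismatch' };
  }
  const score = result.score;
  if (typeof score !== 'number' || !(score >= 0 && score <= 1)) {
    return { outcome: 'deny', reason: 'bad_score' };
  }
  if (score >= policy.allowAt) {
    return { outcome: 'allow', reason: 'score_ok' };
  }
  // A low score alone never hard-blocks, so real people who score low are
  // not locked out: the fallback is a puzzle-free step-up, not a visual test.
  const method = score < policy.strongStepUpBelow ? 'mfa' : 'email_code';
  return { outcome: 'step_up', reason: 'score_below_threshold', method };
}

// Constructed sample responses, not captured from a real site.
const SAMPLES = [
  { success: true, score: 0.9, action: 'signup', hostname: 'example.com' },
  { success: true, score: 0.5, action: 'signup', hostname: 'example.com' },
  { success: true, score: 0.1, action: 'signup', hostname: 'example.com' },
  { success: true, score: 0.9, action: 'login', hostname: 'example.com' },
  { success: false, 'error-codes': ['timeout-or-duplicate'] },
];

function runSamples() {
  const expected = { hostname: 'example.com', action: 'signup' };
  return SAMPLES.map((s) => {
    const d = decide(s, expected);
    return d.method ? `${d.outcome}:${d.method}` : `${d.outcome}:${d.reason}`;
  });
}
```

Keeping the fallback to a code sent by email or an MFA prompt means the ambiguous cases do not lead back to the visual and audio puzzles ranked lower on this page.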
In recent years, innovative alternatives to CAPTCHA have emerged. One alternative is anti-spam honeypots. As the name suggests, a honeypot is a field that is hidden from human users. This may be done by positioning it off-screen or coloring the font the same as the form background. Since a bot will not know about the hidden field, it will reveal itself as non-human by filling out the field and ‘failing’ the test. However, this solution may pose a challenge to humans using screen readers, as they too will not know the field is a trap.
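One way to build the honeypot so that screen reader and keyboard users never encounter the trap, as an added example that is not from the article: the decoy is positioned off-screen, removed from the accessibility tree with `aria-hidden` and from the tab order with `tabindex="-1"`, and the server checks it on submission. The field name and the sample submissions are hypothetical.

```javascript
// Added example: a honeypot field that stays out of assistive technology's way.
const HONEYPOT_NAME = 'company_website'; // hypothetical decoy field name

// Markup to embed in the real form. The wrapper is off-screen for sighted
// users and aria-hidden for screen readers; tabindex="-1" keeps keyboard
// focus from landing on it; autocomplete="off" discourages browser autofill.
function honeypotMarkup(name = HONEYPOT_NAME) {
  return [
    '<div aria-hidden="true" style="position:absolute;left:-10000px;' +
      'width:1px;height:1px;overflow:hidden">',
    // The label is a safety net for anyone who still reaches the field,
    // for example with styles disabled.
    `  <label for="${name}">Leave this field empty</label>`,
    `  <input type="text" id="${name}" name="${name}" tabindex="-1"` +
      ' autocomplete="off" value="">',
    '</div>',
  ].join('\n');
}

// Server-side check on the parsed form fields.
function classifySubmission(fields, name = HONEYPOT_NAME) {
  // Browsers submit empty text inputs, so a missing decoy means the form
  // was not posted as rendered. Flag it for review instead of trusting it.
  if (!Object.prototype.hasOwnProperty.call(fields, name)) {
    return 'suspect';
  }
  const value = String(fields[name] ?? '');
  // Any content in the decoy means something filled in a field that no
  // sighted, keyboard or screen reader user was ever presented with.
  return value.trim() === '' ? 'human' : 'bot';
}

// Constructed sample submissions.
const SUBMISSIONS = [
  { email: 'a@example.com', comment: 'Hi', company_website: '' },
  { email: 'b@example.com', comment: 'Buy now', company_website: 'http://spam.test' },
  { email: 'c@example.com', comment: 'Hello' },
];

function classifyAll() {
  return SUBMISSIONS.map((s) => classifySubmission(s));
}
```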
Another alternative is biometric security, where physical features like fingerprints, faces, and irises are used to verify that a user is human. Of course, even this solution is imperfect for accessibility, as it causes obvious problems for individuals who do not possess the required physical features. More concerningly, it collects a dangerous amount of information from users. Biometric data is intrinsic to its owner and cannot be changed or reset if stolen. Using it in any capacity should not be taken lightly.
As artificial intelligence advances, the ability of malicious bots to pass as humans has only grown stronger. Creating a challenge that all humans pass and all bots fail is more important and more difficult than ever. From reCAPTCHA v2 to honeypots, no existing form of CAPTCHA is perfectly accessible. However, there are still ways to protect your online platform from bots without keeping out real people.
Secure login is perhaps the most accessible way to distinguish between humans and bots. Rather intuitively, robust authentication systems are inherently bot-resistant. For instance, Multi-Factor Authentication (MFA) options such as Duo make it much harder for bots to successfully create or enter accounts. Further, they do not require users to complete puzzles and challenges.
Certain types of Single Sign-On (SSO) are also highly effective. For example, humanID is an identity provider with an SSO that uses phone numbers as authentication, rather than CAPTCHA. Thus, users cannot create an account without using their unique number. Due to the high cost and difficulty of creating burner numbers, sites using SSOs such as humanID are far less likely to be infiltrated by non-human accounts.
By partnering with an SSO option like humanID, online platforms can skip CAPTCHA and its many challenges to accessibility while still effectively keeping out bot accounts. Moreover, humanID protects user privacy in more ways than just bot prevention: since no user data is saved permanently, customer information is safe no matter what. Accessibility and user privacy don’t need to be opposing forces. Why choose when we can have both?