The Accessibility Nightmare of CAPTCHAs: Are there Alternatives?


July 13, 2018 / Renea Dumas / Accessibility
[Image: a CAPTCHA that has a green check mark next to text that says “I’m not a robot.” Underneath it is a series of jumbled letters and numbers that are difficult to decode, with an empty text box.]

How many expletives have been uttered as a frustrated user attempted to correctly solve a CAPTCHA? What’s a CAPTCHA? It is the group of jumbled letters or obscure pictures, usually at the end of a form on a webpage, that confirms that you are not a robot. Now, imagine trying to complete that same CAPTCHA without sight. It would be virtually impossible, but this is a reality for over 253 million people who have visual impairments.

History of the CAPTCHA

CAPTCHAs, or “Completely Automated Public Turing test to tell Computers and Humans Apart,” were designed as an anti-spam verification process back in 1997, when a team of AltaVista developers (AltaVista was a search engine that existed long before Google) needed to find a way to prohibit web bots from automatically adding URLs to the then most popular search engine. Their solution was to build puzzles or images that would prevent optical character recognition (OCR) attacks. (Note: OCR is the mechanical or electronic translation of scanned images, typewritten or printed text into machine-encoded text.)

Where are CAPTCHAs Located?

There are many practical areas where CAPTCHA implementations can be found, most often on forms that require secure information. Occasionally, however, a CAPTCHA can be found on a login screen or on a registration form to receive a login, which is problematic for both the website owner and the user.

CAPTCHAs and Digital Accessibility

Because CAPTCHAs are primarily visually based, web users who are blind or visually impaired are often unable to access the resource that is being protected, because their screen reader technology is unable to comprehend and translate the information. According to an October 2017 screen reader user survey by WebAIM (refer to graph below), CAPTCHAs are the most problematic item that users of assistive technology (AT) encountered when attempting to access a website.


Image Source: WebAIM Screen Reader User Survey #7

Enter the NoCAPTCHA/reCAPTCHA

As technology improved, bots and programs became more efficient, which meant that it became increasingly easy for programs to guess the text, audio, or images associated with a CAPTCHA. To combat these more efficient bots, CAPTCHAs became more difficult for users, because distortions and deformations were introduced into the images and audio files.

In 2007, the reCAPTCHA was created by a group of developers at Carnegie Mellon University. The reCAPTCHA was similar to the CAPTCHA in that users still had to type the letters and numbers displayed. However, instead of random words or letters, users had to decipher images of real words and numbers from archived text (initially the archives of The New York Times). Because computers have a challenging time translating text from damaged documents or smeared ink, while humans can still read those words, the reCAPTCHA was more efficient and became more prevalent across the web.

In 2014, after Google had acquired the reCAPTCHA technology (2009), an analyst for the tech giant discovered that artificial intelligence (AI) could solve the most complex CAPTCHA/reCAPTCHAs with over 99% accuracy. This meant that it was almost pointless to have a reCAPTCHA on a webpage.

To fight this new AI-capable cracking, Google released its “NoCAPTCHA reCAPTCHA” technology, which not only requires users to decode text but also analyzes their digital behavior before they reach the security checkpoint. It uses an algorithm that monitors their interaction with content (such as mouse pointer movement, screen reader resolution, and the time taken to complete a form) to determine whether they are a robot. Once the user reaches the checkpoint, they must then confirm the statement: “I am not a robot.”


Image Source: Google

At this point, you’re probably thinking: finally, a solution. Not quite.

While the No CAPTCHA is more efficient than previous forms of anti-bot security measures, it is still not a satisfactory accessible solution, particularly for users who rely solely on the keyboard (no mouse) or on screen readers. Because their digital behavior varies from that of the standard user, the technology flags them for potential spam tendency. When it doubts that the user is human, the technology will either force the user to identify an item in a photo array or display a standard CAPTCHA, which creates a barrier for users with disabilities.

Is there an Accessible CAPTCHA Solution?

Thankfully, a CAPTCHA does not need to be visually based, so the information can be available to all. There are many alternatives to CAPTCHAs. Listed below are a small number of the potential ‘solutions’ to combat spambots that are primarily accessible; however, each solution has its pros and cons.

Short Question

You may have seen security questions that ask you to solve a mathematical problem. For example: 2+2=

You may have also seen short word questions like the ones the American Foundation for the Blind uses, seen in the example below.

Example: Please type “hello” here

OR:

Please type the word horse in the box

These solutions would be great, but some users have low mathematical or literacy skills, particularly those with cognitive disabilities. In some cases, users of screen readers may have difficulty spelling and may be unaware of how to have their screen readers provide them with those details. Users whose primary language is not English may have similar difficulties.

The HoneyPot Solution

Another potential solution to CAPTCHA accessibility is the honeypot method. Honeypots are pieces of code, normally a form field, that are invisible to humans but that bots recognize as a legitimate field to complete. If the field is completed, the form is rejected.

The downside to this method is that if a user has any auto-fill capabilities enabled on their system, those may complete the invisible field, and the user will be flagged as spam.
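
An added sketch of the honeypot check described above, combined with the time-to-complete signal mentioned earlier in the article (example code, not from the article or any vendor). The field name, secret, and three-second threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Assumed, illustrative names and values (none of them come from the article).
SECRET = b"replace-with-a-random-server-side-key"
HONEYPOT_NAME = "contact_ref"  # avoid names autofill matches (email, phone, url)
MIN_FILL_SECONDS = 3           # assumed floor for a human filling in the form


def sign(issued_at: int) -> str:
    """HMAC over the render time so the client cannot forge an older timestamp."""
    return hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()


def render_trap_fields(now=None) -> str:
    """HTML for the form: an off-screen decoy input plus a signed timestamp."""
    issued_at = int(time.time() if now is None else now)
    return (
        # aria-hidden and tabindex=-1 keep the decoy out of screen reader and
        # keyboard navigation; autocomplete=off discourages browser autofill.
        '<div aria-hidden="true" style="position:absolute;left:-9999px">'
        f'<input type="text" name="{HONEYPOT_NAME}" tabindex="-1" autocomplete="off">'
        "</div>"
        f'<input type="hidden" name="ts" value="{issued_at}">'
        f'<input type="hidden" name="ts_sig" value="{sign(issued_at)}">'
    )


def check_submission(form: dict, now=None) -> str:
    """Return 'accept' or a rejection reason for a submitted form (dict of str)."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT_NAME, "").strip():
        return "reject:honeypot-filled"
    ts, sig = form.get("ts", ""), form.get("ts_sig", "")
    if not (ts.isascii() and ts.isdigit()):
        return "reject:bad-timestamp"
    if not hmac.compare_digest(sign(int(ts)).encode(), sig.encode()):
        return "reject:bad-timestamp"
    if now - int(ts) < MIN_FILL_SECONDS:
        return "reject:too-fast"
    return "accept"


# Constructed sample submissions (not real traffic).
T0 = 1_700_000_000
HUMAN = {"message": "hi", HONEYPOT_NAME: "", "ts": str(T0), "ts_sig": sign(T0)}
BOT = dict(HUMAN, message="buy now", **{HONEYPOT_NAME: "http://spam.example"})
```

A decoy filled in by autofill is still rejected here, as the article describes; the neutral field name and the `autocomplete` attribute only reduce how often that happens.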

Verified Sign-in Method

Identifying if website users are human can also be done by requiring them to sign in with a verified account such as with LinkedIn, Facebook, Twitter, or any other social media.

Image Source: Gigya

The primary and obvious issue with this solution is that not all users have the social media accounts that can be required. Another issue may be privacy concerns, as users may not wish to log in with their social accounts to a website that they don’t have an established relationship with.

What Should a Business Do?

CAPTCHAs are a problematic web accessibility issue, but currently, every solution has its own set of problems. At the time of this article, the perfect solution seems to be not just one solution but a combination of some of the alternative anti-bot methods. Most spammers seem to target major websites, so if you are a smaller site, perhaps just one solution will work. Determining the appropriate solution for your website begins with your need for a security measure. Talk to your team, and feel free to contact us at Adot Labs with any questions you may have.

For additional information regarding website accessibility, visit our learning center.


Sources:

1. World Health Organization (WHO): Blindness and Visual Impairment (October 11, 2017); http://www.who.int/news-room/fact-sheets/detail/blindness-and-visual-impairment

2. WebAIM: Screen Reader User Survey #7 Results (October 2017); https://webaim.org/projects/screenreadersurvey7/

3. Google: reCAPTCHA: Easy on Humans, Hard on Bots; https://www.google.com/recaptcha/intro/v3beta.html

4. Google Security: Are You a Robot? Introducing “No CAPTCHA reCAPTCHA” (December 3, 2014); https://security.googleblog.com/2014/12/are-you-robot-introducing-no-captcha.html

5. American Foundation for the Blind (AFB): Can CAPTCHAs Be Made Accessible (August 21, 2014); https://www.afb.org/blog/afb-blog/can-captchas-be-made-accessible/12