Captcha Alternatives and thoughts

From WCAG WG

Status: This is an old page that is not currently being updated. More recent information is available in:

Inaccessibility of CAPTCHA - Alternatives to Visual Turing Tests on the Web 

CAPTCHA

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a feature/tool to ensure that user input has not been generated by a computer. The problem with CAPTCHAs is that they are not accessible to all types of users, which means that some users will not be able to complete the form on the website. For example, an image-based CAPTCHA can be very difficult or impossible to complete for users who are blind or have low vision. The table below summarizes the advantages and disadvantages for specific types of CAPTCHA.

No CAPTCHA ReCaptcha Reboot
Description:
- In December 2014 Google replaced reCAPTCHA (distorted image-text or distorted audio) with a No CAPTCHA/ReCaptcha Reboot (a simple tickbox for "I am not a robot"). Check Google's Announcement.
- Demos for testing include: Patrick Lauke's test page and Alastair Campbell's test page.
- Adrian Roselli provides a summary of testing completed in December 2014.
- Terrill Thompson's Dec 2015 update: reCAPTCHA Accessibility reVISTED
Advantages:
- Keyboard accessible, has appropriate ARIA attributes, doesn't fail keyboard only, works in Dragon.
- Consult Derek Featherstone's review for more information.
Disadvantages:
- Patrick Lauke's "Funky" test results: Win8.1, JAWS16, IE11; Win8.1, NVDA, Firefox and IE11; Win8.1, JAWS16, Firefox.
- Marco Zehe's post: Why the accessibility of Google's new reCAPTCHA version is complete bullshit
- Sina Bahram's reviews: Accessibility of captcha and why Google or anybody else's method doesn't work!, December 2014. Here's what you hear if you are blind and using TOR with any service that uses Google's recaptcha, May 2015. (TOR is an online privacy tool.)
- WebAIM Thread on reCAPTCHA replacement Bugs, WebAIM Thread on Accessible Captcha recommendations?, WebAIM Thread on NoCAPTCHA reCAPTCHA accessibility testing updates?

reCAPTCHA
Description: One of the most popular CAPTCHAs currently used (ReCaptcha). It uses scanned text that optical character recognition (OCR) technology will fail to interpret. An audio CAPTCHA is provided with the visual CAPTCHA.
Advantages:
- Offers users who are visually impaired an audio alternative
Disadvantages:
- The audio alternative is difficult to interpret. This poses a barrier for users with visual impairment as well as dyslexia and other cognitive impairments.
- Takes a long time to complete and has low usability
- Not all users will recognize the English-language words used in the visual as well as in the audio versions
- David adds: It's not keyboard accessible. http://www.jimthatcher.com/captchas.htm In spring of 2014 I checked this and it was not fixed.
- Aurelien adds: it can easily be customized to enable keyboard navigation, see https://developers.google.com/recaptcha/docs/customization

CAPTCHA Bot Lanapsoft BotDetect CAPTCHA
Description: Similar to reCAPTCHA in that it provides both audio and visual CAPTCHA.
Advantages:
- Offers users who are visually impaired a usable audio alternative
- Easier for low vision users to see
- Shows a set of letters as opposed to English words
Disadvantages:
- May still be difficult to interpret by some users.
- May be harder to remember letters without context
- Requires customization to move focus to the text entry box
- Error messages from the CAPTCHA require customization

Text CAPTCHA Logic Questions
Description: A generated textual CAPTCHA based on simple logic questions, designed for the intelligence of a seven-year-old child. See examples for textCAPTCHA or Math Captcha
Advantages:
- More accessible than text and image recognition
Disadvantages:
- May take users time to read and understand
- Can be broken by computers
- The logical questions are language specific, mainly in English

Image Recognition CAPTCHA
Description: Identify an object in an image
Advantages:
- No legibility issues
- Doesn't need a specific language
Disadvantages:
- Not accessible to users who are visually impaired or have visual agnosia
- Does not improve usability
- Adding an alternative text will make the CAPTCHA breakable

Friends Recognition
Description: Based on social recognition. Users will be presented with pictures of their friends and will be asked to name the person in the photo - Social Authentication.
Advantages:
- Filters human hackers rather than machines
Disadvantages:
- People do not always remember names of distant friends or friends of their friends
- Will it be accessible to users who are visually impaired, have visual agnosia or memory difficulties?

User Interaction
Description: Users are asked to perform a task while interacting with an application, like sliding a cursor to the end of a line to submit a form
Advantages:
- The tasks are impossible for virtual intelligence
Disadvantages:
- Inaccessible to people with disabilities
- May be breakable by a script

CAPTCHA 2010 by Solve Media
Description: Replaces text with an advertisement and a related question, a move that many saw as too invasive. Solve Media
Advantages:
- Solve Media claims its CAPTCHAs can be solved more quickly than others. Given that many global brands transcend a single language, there is potential here for marginal improvement.
Disadvantages:
- Inaccessible to people with disabilities

Alternative methods to perform human verification and establish identity

Most of the solutions mentioned above do not meet all of the requirements for an accessible and usable CAPTCHA. Some alternative solutions for preventing spam are possible and available. Here are some of those solutions:

Automated and manual spam detection services
Description: Examples: Akismet, SBlam!
Advantages: To be completed
Disadvantages: To be completed

Honeypot
Description: Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms include a hidden field (hidden by positioning the field off screen). Since spam robots cannot tell from the HTML that the field is hidden, when data is inserted into this "honeypot" field, the website administrator knows that the data was not entered by a "real" user. The honeypot method can be made more sophisticated by using JavaScript and data hashing. All abusive requests that are detected should be banned and the associated IP should be stored in a database for future detection. https://www.dexmedia.com/blog/honeypot-technique/
Advantages:
- If there is proper labeling, it can warn screen reader users not to fill it out
Disadvantages:
- If there is no warning (using aria-label etc.), then it could trap a screen reader user who fills it out not knowing it is a trap.
- It is likely that spam bots could figure out any warning text for screen reader users.

Temporary tokens
Description: Assign a temporary token to the users at the start of their sessions. The token will be associated with the submitted form. When the session is terminated, the token expires.
Advantages: To be completed
Disadvantages: To be completed

Multi-factor authentication
Description: Mobile confirmation: Some B2C websites ask the user to input their mobile number (usually the mobile number is also needed for confirmation when users do initial registration). When they pay money or make a deal, the system sends a text message with a code to the user's mobile device, and the user enters the code they were sent on the website, confirming that he/she is really the user and also a human. (Other kinds of Multi-factor Authentication to be added here)
Advantages:
- If people who are blind have a mobile with TTS, which most do, they are able to use this kind of CAPTCHA; it is accessible for people with disabilities.
Disadvantages:
- Requires mobile device and mobile signal

Sweet Captcha and PlayThru
Description: Matching categories by dragging and dropping. http://sweetcaptcha.com/ http://areyouahuman.com/how https://www.youtube.com/watch?v=LjB86MPHduk
Advantages:
- From their website: "sweetCaptcha is a fresh, friendly, action-based CAPTCHA service that's easy for you to add to your website and less frustrating for users to solve than difficult-to-decipher text-based CAPTCHAs"
Disadvantages:
- Not keyboard accessible, which is a non-starter for WCAG conformance; not serious enough, or secure enough, for serious ventures.
- It would need work to make it accessible: keyboard functionality, alt text for the images. Would that invalidate it because it would be easier for bots?

Biometric security
Description: Fingerprint, eye scan, face scan, etc. More and more of this is popping up.
Advantages:
- How it works is fairly self-evident.
Disadvantages:
- Exposure to theft of your bioprint. This is a scary type of identity theft, which can't be changed like a credit card number.
- Also, what if the user doesn't have the physical characteristic necessary, i.e., a veteran who has no hands for fingerprint, or a person with no eyes?

NuCaptcha
Description: Tracks your behaviour on the site, lets those that act like humans go through. http://www.nucaptcha.com/demo
Advantages:
- Interesting idea
Disadvantages:
- What if you are a human who doesn't behave like other human beings? Users of AT often approach a site not like other users.

Confident Captcha
Description: Shows you several images; find the image of beverage, money, outer space, etc.
Disadvantages:
- Need to see the image. Not good for those who are blind. Can't pass WCAG.

No Captcha
Description: Simplifies reCaptcha
Disadvantages:
- Doesn't look accessible to those who are blind or who have problems associating categories of things. Relies on seeing images
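
The honeypot and temporary token entries above, combined into one server-side check. This is an added example, not code from the original page; the decoy field name `website`, the function names, the in-memory session set and the sample submissions are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # per-deployment signing key (assumption)
HONEYPOT = "website"               # hypothetical decoy field name
ACTIVE_SESSIONS = set()            # stand-in for a real session store

# Constructed markup: moved off screen by CSS, but labelled so a screen
# reader user who reaches the field is told to leave it empty.
HONEYPOT_HTML = (
    '<div class="offscreen">'
    '<label for="website">Leave this field empty</label>'
    '<input id="website" name="website" autocomplete="off">'
    '</div>'
)

def start_session():
    sid = secrets.token_urlsafe(16)
    ACTIVE_SESSIONS.add(sid)
    return sid

def end_session(sid):
    ACTIVE_SESSIONS.discard(sid)   # tokens for this session stop verifying

def form_token(sid, form_id):
    """HMAC over session id and form id, so a token cannot be reused elsewhere."""
    msg = f"{sid}:{form_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def check_submission(sid, form_id, fields):
    """Return 'accept' or a rejection reason for one submitted form."""
    if fields.get(HONEYPOT, "").strip():
        return "honeypot-filled"
    if sid not in ACTIVE_SESSIONS:
        return "session-ended"
    supplied = fields.get("form_token", "").encode()
    expected = form_token(sid, form_id).encode()
    if not hmac.compare_digest(supplied, expected):   # constant-time compare
        return "bad-token"
    return "accept"

def demo():
    sid = start_session()
    good = {"comment": "hi", "website": "", "form_token": form_token(sid, "contact")}
    bot = dict(good, website="http://spam.example")   # script that fills every input
    forged = dict(good, form_token="0" * 64)
    results = [check_submission(sid, "contact", f) for f in (good, bot, forged)]
    end_session(sid)
    results.append(check_submission(sid, "contact", good))  # replay after session end
    return results
```

The check returns a reason rather than acting on it, so the caller can log `honeypot-filled` separately from token failures and see how often the decoy field catches submissions.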

See also

Page created by David MacDonald and Kathy Wahlbin. Updates and additions by Laura Carlson and Michael Cooper.