The Problems With CAPTCHAs
In the ever-expanding need to fight spambots, autobots, and other evildoers on the web, there has been an uptick of CAPTCHAs roaming around the web. We all know what they are: those annoying “type the letters you see in the image below” boxes that seem to block every online form today.
Now here’s the key word: see. Type the letters you “see” in the image below. But what if users are blind and can’t “see”? What if blind users use computers to “see”? This CAPTCHA system effectively falls apart for these users, since the very purpose of CAPTCHAs is to ensure that computers cannot “see” the images.
But what about security? CAPTCHAs may not provide as much protection as you might believe, leading to a false sense of security, which can lead to sloppier security practices overall. A good example of this is the fact that humans can be hired to solve CAPTCHAs for as little as $0.80 per 1,000 CAPTCHAs. AI is also constantly improving, making protecting your site with a CAPTCHA a losing battle.
It’s also important to consider the impact on your users or customers. Studies have shown that the percentage of users who abandon the CAPTCHA process can easily reach double digits. (https://bit.ly/2ZoNyg5)
There are some CAPTCHAs that have audio CAPTCHA components. There are two problems with this approach:
- This is still inaccessible to users who can neither see nor hear (deafblind).
- Often, it’s hard for a user to hear the screen reader and the audio CAPTCHA at the same time.
Also, although this is technically “accessible” to blind hearing users, as they can bypass it, it can still take them 2 or 3 attempts to bypass the CAPTCHA, similar to a sighted user. And it’s not making the experience any easier for anyone. In short, CAPTCHAs are not doing your site any favors, whether in the realm of security or accessibility.
However, if you really wish to continue using a CAPTCHA service, there are some ways of doing it correctly from an accessibility standpoint. Google seems to be the leader in this area, with their reCAPTCHA service. They have made CAPTCHAs that are passable by “almost” anyone.
A few years ago, Google’s reCAPTCHA v2 was released, bringing some significant accessibility enhancements to the world of CAPTCHAs. The biggest one is that it tries to be smarter about figuring out whether or not you are human, and if it believes you probably are, then it often will simply ask you to check a checkbox. If it is unable to figure out if you are human, then you will get a traditional CAPTCHA prompt, with an audio alternative which uses relatively understandable audio samples.
In late 2018, Google released reCAPTCHA v3. In this version, Google designed an API that allows website owners to integrate a test-free challenge on each page of their website. When integrated, reCAPTCHA v3 works in the background and assesses the interactions with each page, returns a score based on this interaction, and allows website owners to take action based on this score.
While reCAPTCHA v3 certainly is a nice feature, it still has some significant pitfalls. For example:
- There are still a handful of small accessibility issues with the badge that Google gives you to put on your website.
- Users who have usage patterns that are flagged by algorithms as unusual (for example, those who do not fill out the subject line, or screen reader users who navigate in certain ways) may still get flagged as bots, and then there are no alternatives.
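One way a site owner could act on the v3 score described above while giving low-scoring users another path instead of a dead end, as an added example that is not code from Google or from this article. The field names follow the reCAPTCHA siteverify JSON response; the threshold, the freshness window, the three outcome names and the sample responses are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ALLOW_AT = 0.7                          # assumed threshold; tune on your own traffic
MAX_TOKEN_AGE = timedelta(minutes=2)    # assumed freshness window for a token


def decide(result, expected_action, expected_hostname, now=None):
    """Map a parsed siteverify response to 'allow', 'fallback' or 'reject'.

    'reject' means the token itself is unusable (ask the page to resubmit).
    'fallback' means: do not block; route the submission to a non-CAPTCHA
    check (hypothetical: e-mail confirmation link or a moderation queue).
    """
    now = now or datetime.now(timezone.utc)
    if result.get("success") is not True:
        return "reject"                 # missing, reused or malformed token
    if result.get("hostname") != expected_hostname:
        return "reject"                 # token was issued for another site
    if result.get("action") != expected_action:
        return "reject"                 # token was issued for another form
    try:
        issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
        if now - issued > MAX_TOKEN_AGE:
            return "reject"             # stale token, possibly replayed
    except (KeyError, AttributeError, TypeError, ValueError):
        return "reject"                 # timestamp absent, naive or unparseable
    score = result.get("score")
    if isinstance(score, (int, float)) and not isinstance(score, bool) and score >= ALLOW_AT:
        return "allow"
    # Low or missing score: this may be a person with an unusual usage
    # pattern, so offer another way through instead of a hard block.
    return "fallback"


# Constructed sample responses (not captured from a real site).
NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)

def sample(**overrides):
    base = {"success": True, "score": 0.9, "action": "contact",
            "hostname": "example.com", "challenge_ts": "2024-01-01T12:00:00Z"}
    base.update(overrides)
    return base


if __name__ == "__main__":
    for label, resp in [("typical", sample()), ("low score", sample(score=0.1)),
                        ("wrong form", sample(action="login")),
                        ("old token", sample(challenge_ts="2024-01-01T11:00:00Z"))]:
        print(label, "->", decide(resp, "contact", "example.com", now=NOW))
```

Only an invalid token is rejected outright; a low score alone never ends the user's attempt.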
For these reasons, we’d suggest that you not use CAPTCHAs on your website. They prevent many genuine users from using your site, turn away other users who could use CAPTCHAs but choose not to, and do not do a sufficient job of stopping today’s hackers.