How do we deal with a CAPTCHA: Making authentication accessible for everyone.

23/05/2017


Introduction

CAPTCHA (completely automated public Turing test to tell computers and humans apart) is used to distinguish genuine users from others who have not-so-good intentions. The process of authenticating a person online need not rely on CAPTCHA, though, as other methods of authentication can be used when proving yourself online. The problem with CAPTCHA is that it causes difficulties for users of assistive technology and, in its most inaccessible versions, can prevent them from completing the verification process. What follows is an example of the barriers faced by users of assistive technology when they encounter a CAPTCHA, and some alternatives to consider when implementing security on a website.


The need for authentication and the need for accessibility

Authenticating users and providing secure channels for form submissions are crucial on the web, not only for contact forms, where real users need to be told apart from spam, but also for secure online transactions and account creation. For users of assistive technology, though, an added problem occurs: the accessibility of the CAPTCHA itself. There are many different types of CAPTCHA from different organisations, and how assistive technology is affected depends on the type being used. It’s also important to point out that a CAPTCHA can be displayed differently depending on the operating system (OS) being used, such as Windows versus Mac or iOS.


If completing an audio CAPTCHA on Windows, for example, the ‘play’ button for the audio would do as expected, assuming that all is working as it should be. On iOS, however, the audio CAPTCHA prompts users to download an MP3 file, meaning that users have to remember the content of the audio and then switch back to the form to enter it and pass verification. Even where the audio is accessible, a problem can occur if the files are heavily processed, because it is difficult to pick out the correct letters or numbers when the audio is heavily distorted. While this is done to prevent bots from interpreting the information, it creates an additional barrier if users are not able to interpret the content clearly.


Image CAPTCHAs which require users to select specific images and not others may work for users who have good vision, but will prevent users who have little or no vision from completing the verification process. A CAPTCHA which requires users to make a maths calculation, or select the correct response to a question, will work for some users, but may cause problems for users who have a learning difficulty.


Implementing an accessible alternative will not only maintain security, but will also ensure that users of assistive technology are not excluded from the verification process. One good alternative is a box that the user ticks to indicate that it is a human and not a robot completing the form. Another alternative would be to implement a honeypot: a hidden form field which, if filled in, will stop the submission. As long as the field is clearly labelled to warn screen reader users that it should not be filled in, this is a suitable alternative. While other methods, such as biometric authentication, are being explored, one of the best methods would be 2-factor authentication, where the user enters an email address or mobile number, and receives a code to enter into the form to verify their information. Each method has good and bad points; the 2-factor method, for example, requires the user to have immediate access to their email account or a good phone signal.
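The honeypot approach described above, sketched as an added example that is not from the original article: the form markup labels the trap field for screen reader users, and a server-side check rejects any submission that fills it in. The field name, form action, CSS class and sample request bodies are all assumptions made up for illustration.

```javascript
// Added example: honeypot field for a contact form (all names are hypothetical).
const HONEYPOT_NAME = "website_confirm"; // assumed name; reads like a real field to a bot

// Form markup. The trap field is moved off-screen with CSS (class "offscreen",
// assumed to exist) rather than removed, so screen readers can still reach it.
// Its label therefore tells the user to leave it empty; tabindex="-1" keeps it
// out of the keyboard tab order and autocomplete="off" discourages autofill.
function renderForm() {
  return `
<form method="post" action="/contact">
  <label for="email">Email address</label>
  <input id="email" name="email" type="email" required>
  <label for="message">Message</label>
  <textarea id="message" name="message" required></textarea>
  <div class="offscreen">
    <label for="${HONEYPOT_NAME}">Leave this field empty (spam check)</label>
    <input id="${HONEYPOT_NAME}" name="${HONEYPOT_NAME}" type="text"
           autocomplete="off" tabindex="-1">
  </div>
  <button type="submit">Send</button>
</form>`;
}

// Server-side check on the raw application/x-www-form-urlencoded POST body.
function checkSubmission(rawBody) {
  const fields = new URLSearchParams(rawBody);
  const trap = fields.getAll(HONEYPOT_NAME);
  // A browser always submits an empty text input, so a missing field means
  // the request was not produced by submitting the rendered form.
  if (trap.length === 0) {
    return { accepted: false, reason: "honeypot field missing" };
  }
  // Whitespace alone is tolerated so an accidental key press is not punished.
  if (trap.some((value) => value.trim() !== "")) {
    return { accepted: false, reason: "honeypot field filled in" };
  }
  fields.delete(HONEYPOT_NAME); // never pass the trap field on to the application
  return { accepted: true, data: Object.fromEntries(fields) };
}

// Constructed sample request bodies, for illustration only.
const SAMPLES = {
  human: "email=ana%40example.org&message=Hello&website_confirm=",
  bot: "email=x%40example.org&message=Buy+now&website_confirm=http%3A%2F%2Fspam.example",
  scripted: "email=x%40example.org&message=Buy+now",
};
```

The check has to run on the server, because a bot never executes client-side validation.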


Further information

For more information about good CAPTCHA and some alternatives, check out: Some CAPTCHA alternatives (external link).