CAPTCHA

Designing with CAPTCHA

Web sites use CAPTCHA to protect their mail systems from spam robots, presenting the user with a simple challenge that a robot would find difficult. The word is an initialism for "Completely Automated Public Turing test to tell Computers and Humans Apart".

This CAPTCHA of "smwm" obscures its message from computer interpretation by adding a slight background colour gradient and twisting the letters.

The primary barrier with any traditional CAPTCHA is that it serves a test to a single sense (sight or sound), which excludes people with related disabilities.

To make CAPTCHA as accessible as possible, WCAG 2.1 requires two Techniques and recommends some optional steps to reach the edge cases:

  • Provide two different modalities of CAPTCHA. For example, provide a visual task, such as typing words displayed in an image, and an audio task, such as typing letters spoken in an audio file.
  • Provide alt text saying the CAPTCHA requires completing a task and what type of task it is; for instance, "Type the word in the image" or "Type the letters spoken in the audio". When an alternate version of a CAPTCHA is available, include instructions in the alt text on how to find it.
  • Optional steps:
    1. Provide more than two modalities of CAPTCHAs. For instance, a third test might be a logic puzzle.
    2. Provide access to a human customer service representative who can bypass CAPTCHA.
    3. Don't require CAPTCHAs for authorized users.

Recent CAPTCHA technology identifies a human user by analyzing, among other things, the user's cookies, plugins, and JavaScript objects:

  • The W3C Draft Note Inaccessibility of CAPTCHA reports that Google's reCAPTCHA v2 overwhelmingly dominates CAPTCHA deployment on the web and is accessible to most users. It consists of a simple checkbox proclaiming "I'm not a robot", while under the hood the software is rigorously analyzing user data. However, the W3C Draft Note reports that keyboard navigation has been widely observed to fail, and audio CAPTCHAs are sometimes no longer being provided.
  • Interestingly, optional step 3 of not requiring CAPTCHAs appears to be feasible. The same W3C report offers "praise and gratitude" for Google's non-interactive reCAPTCHA v3, when it works. It removes v2's checkbox. The W3C authors have two caveats, both related to when v3 produces an ambiguous reliability score:
    • If the score is ambiguous, Google encourages users to use reCAPTCHA v2 as backup, which has some reported barriers.
    • Methods for disambiguating an ambiguous non-interactive score must be well documented and easily implementable, or developers will use the older backup.
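
One way to handle the ambiguous-score case above while keeping the two required techniques and the optional steps from the earlier list, as an added example (not code from the original page, the W3C, or Google). The thresholds, the function name `routeRequest` and its return shape are assumptions; `success`, `score` and `action` are fields of the reCAPTCHA v3 verification response.

```javascript
// Added example. Thresholds, names and the return shape are assumptions;
// success, score and action are fields of the reCAPTCHA v3 verify response.
const ALLOW_AT = 0.7; // assumed: at or above this, no challenge is shown
const LOW_AT = 0.3;   // assumed: at or below this, the score is "low"

// Alt text states that a task is required, what kind, and where the
// alternate version is (the two required WCAG techniques).
const MODALITIES = {
  visual: 'Type the word in the image. An audio version follows.',
  audio: 'Type the letters spoken in the audio. An image version precedes this.',
  logic: 'Answer the logic puzzle. Image and audio versions precede this.',
};

function routeRequest({ authenticated, expectedAction, verify }) {
  // Optional step 3: authorized users are not challenged.
  if (authenticated) return { decision: 'allow', reason: 'authenticated' };

  // A failed verification or an action mismatch carries no usable score.
  const valid = Boolean(verify) && verify.success === true &&
    verify.action === expectedAction && typeof verify.score === 'number';
  if (valid && verify.score >= ALLOW_AT) {
    return { decision: 'allow', reason: 'score' };
  }

  let reason = 'unverified';
  if (valid) reason = verify.score <= LOW_AT ? 'low-score' : 'ambiguous-score';

  // Anything else gets an interactive challenge in several modalities plus
  // a route to a human, so no single sense is a dead end.
  return {
    decision: 'challenge',
    reason,
    modalities: Object.keys(MODALITIES),
    altText: { ...MODALITIES },
    humanSupport: true,
  };
}

// Constructed sample verification responses (not captured traffic).
const SAMPLES = {
  clear: { success: true, score: 0.9, action: 'contact' },
  ambiguous: { success: true, score: 0.5, action: 'contact' },
  wrongAction: { success: true, score: 0.9, action: 'login' },
};
```

Logging the `reason` value alongside the outcome shows how often real visitors land in the ambiguous band, which is the data needed to tune the assumed thresholds.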

Related WCAG resources


Success criteria

Techniques
