CAPTCHA: should it stay or should it go?

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a system that tries to check that a person, and not a computer script, is operating the web page. See the official CAPTCHA page for more information.

CAPTCHAs and Accessibility

CAPTCHAs have been a continual problem for accessibility. One of the most common reasons is that the popular image CAPTCHA assumes the person is able to see the image. The Section 508 US guidelines say that an audio CAPTCHA must be used with image CAPTCHAs to help people unable to see.

However, this does not address people who have both sight and hearing loss, or people with reading difficulties such as a different language or dyslexia. There are different styles of CAPTCHA: image, audio, question or challenge based. Each presents a barrier to a different group of people.

Are CAPTCHAs effective?

You may use CAPTCHAs for many reasons, from reducing spam and reducing password hacks to validating polls. However, a CAPTCHA is not a foolproof solution, and it adds both an accessibility barrier and an additional layer of friction to the user experience.

Friction is the number of things someone needs to do to complete a single task. Adding a CAPTCHA adds to the number of things someone has to do to complete a form, signing or vote etc. CAPTCHAs are often difficult to get right, so they may take a person several attempts. See this article Do CAPTCHA’s block spam or your readers.

This has made people turn away when they come across a CAPTCHA, which, if you are in business, may lose you custom. Read this article CAPTCHA’s vs. Spam bots for more types of CAPTCHA.

Remember that CAPTCHAs that depend on anything other than client-side HTML will not work in all cases. Depending on something that may not be supported in the browser viewing the page is a flaw. For example, CAPTCHAs that use JavaScript depend on the person’s browser having JavaScript enabled.

My conclusion

I believe it is simply not possible to have a computer script check with 100% accuracy that it is a person using a web page control while maintaining a high level of accessibility. Plus the additional level of friction may have a negative effect by putting people off using your web page.

However, there are a few basic things you can do, like using server-side spam filters or form validation. You could also measure the time between the first page request and the subsequent associated post request. If this time is only a fraction of a second, or no more than a couple of seconds, chances are it is a bot and not a person. Both of these methods add no friction to the user experience and are transparent because they work in the background.

Another idea is to use a selection of radio buttons and have the default selection be something like “I am a bot, choose another option if you are human”. This does add a small amount of friction but doesn’t impact accessibility as long as the form is correctly marked up and the label text is easy to follow.
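The timing check and the default radio button described above can be combined in one server-side function. This is an added example, not code from the original post; the function names, the 3 second floor, the one hour expiry and the "bot" field value are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values for this example; tune them to your own forms.
SECRET_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to the client
MIN_FILL_SECONDS = 3.0                 # faster than this is treated as automated
MAX_FORM_AGE_SECONDS = 3600            # old tokens are rejected to limit reuse


def _sign(issued_ms):
    return hmac.new(SECRET_KEY, issued_ms.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Call when the form page is served; put the result in a hidden field."""
    issued_ms = str(int((time.time() if now is None else now) * 1000))
    return f"{issued_ms}:{_sign(issued_ms)}"


def classify_submission(token, radio_choice, now=None):
    """Return 'accept', or the reason the POST looks automated."""
    now = time.time() if now is None else now
    try:
        issued_ms, mac = token.split(":")
        # The MAC stops a script from back-dating the timestamp itself.
        if not hmac.compare_digest(mac.encode(), _sign(issued_ms).encode()):
            return "bad-token"
        elapsed = now - int(issued_ms) / 1000.0
    except (ValueError, AttributeError):
        return "bad-token"      # missing or malformed hidden field
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return "expired"
    if radio_choice == "bot":   # default "I am a bot" option left selected
        return "default-radio"
    return "accept"


if __name__ == "__main__":
    t0 = time.time()
    token = issue_form_token(now=t0)
    print(classify_submission(token, "human", now=t0 + 0.4))   # too-fast
    print(classify_submission(token, "human", now=t0 + 12.0))  # accept
```

A valid token can be reused until it expires, so a script that waits a few seconds before posting will pass the timing check; it raises the cost of bulk submissions rather than proving a person is present.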

The truth is you can’t have 100% security; you can only make a judgement on how much security you need and how much risk you accept. If your resources allow for it, you could have people manually checking all submissions, but in most cases this level is either unmanageable or just not required.

Have your say

Do you use CAPTCHAs or do you despise CAPTCHAs?

All views, thoughts and comments welcome.