www.employment.gov.au
The inaccessibility of CAPTCHA
How you may be undermining the accessibility of your online service
Why use CAPTCHA?
• It’s a way to stop bots from compromising your online service
– Creating accounts
– Spamming users
– Commenting on forums
Why use CAPTCHA?
• It’s free, fully automated and straightforward to add
• Requires no effort to continue using it
Problems
• CAPTCHA is not accessible
– Many are difficult to use via the keyboard
• Especially with a screen reader
– Very difficult to use if you’re vision impaired
– Difficult to understand any audio challenge
Google reCAPTCHA
• Uses a range of criteria to determine humanness
– User behaviour on the page
– If the user has a Google account
Problem solved?
• No
– In cases when the risk analysis engine can't confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the number of security checkpoints to confirm the user is valid
Do you feel confident using it?
• If you can’t be sure users will never see a CAPTCHA, can you recommend using it?
– An accessible website is made inaccessible
CAPTCHA has been compromised
• Services exist where people solve in bulk
– CAPTCHA farms, using human labour
Background reading
• Breaking CAPTCHA
– www.troyhunt.com/breaking-captcha-with-automated-humans/
• Artificial intelligence smart enough to fool Captcha security check
– http://www.bbc.com/news/technology-41775968
Form submission times
• If a form is submitted faster than a person could have filled it in, assume it was sent by a bot
– Ignore the input
All reasonable responses
• Use layered security to improve the security of the system
– Email verification
– Form submission times
– Honeypot
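The two of these layers that need no external service, a submission-time check and a honeypot field, can live in one server-side check. The example below is added here and is not code from the presentation or from employment.gov.au. It assumes the form is rendered with a hidden `form_token` input (a server-issued timestamp plus an HMAC, so a bot cannot back-date it) and a hidden `website` input that real users never see or fill; the thresholds and secret are assumptions. Email verification is left out because it needs a mail sender.

```python
"""Layered bot checks for a web form: server-issued timestamp plus honeypot.
Added example; not code from the original presentation."""
import hashlib
import hmac
import secrets
import time

# Assumption: per-deployment secret; load it from configuration in practice.
SECRET_KEY = secrets.token_bytes(32)
# Assumed thresholds: a person needs at least a few seconds to fill a form,
# and a token older than an hour is treated as expired.
MIN_SECONDS = 3
MAX_SECONDS = 3600
# Assumed honeypot field name; hidden with CSS, so humans never fill it.
HONEYPOT_FIELD = "website"


def issue_form_token(now=None):
    """Return 'timestamp.mac' to embed in a hidden input when rendering the form.
    The MAC stops a bot from submitting an older timestamp than it was given."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(fields, now=None):
    """Return (accepted, reason) for a submitted form dict."""
    now = now if now is not None else time.time()
    # Honeypot: any value here means something filled every input blindly.
    if fields.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    token = fields.get("form_token", "")
    ts_str, _, mac = token.partition(".")
    if not ts_str.isdigit():
        return False, "missing or malformed token"
    expected = hmac.new(SECRET_KEY, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token tampered"
    elapsed = now - int(ts_str)
    if elapsed < MIN_SECONDS:
        return False, f"submitted after {elapsed:.0f}s, faster than a person can type"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_form_token(now=t0)
    human = {"name": "Jo", "form_token": token, HONEYPOT_FIELD: ""}
    print(check_submission(human, now=t0 + 20))
    bot = {"name": "x", "form_token": token, HONEYPOT_FIELD: "http://spam"}
    print(check_submission(bot, now=t0 + 20))
    fast = {"name": "x", "form_token": token, HONEYPOT_FIELD: ""}
    print(check_submission(fast, now=t0 + 1))
```

Neither check is visible to a screen reader user: the honeypot input is not in the accessible name of anything, and the timing threshold only rejects submissions that arrive seconds after the page was served. Keep `MIN_SECONDS` low; users of assistive technology are slower, not faster, than the threshold.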
Word CAPTCHA problem
• Need to create hundreds of question and answer combinations so they don’t repeat
Besides, is this a good look?
• Asking trivial questions doesn’t look good on a government website
– “what colour is the sky?”
The problem
• CAPTCHA is a frontend solution to a backend problem
– Why should users have to prove they are human?
Most viable alternatives
• SMS text message
• Self declaring on the account signup
• Staff assistance if the user is having problems
• Application behaviour monitoring
SMS text message downside
• Can incur significant cost if all users are now receiving a text message
– Be discerning and provide the text message option for those who actually require it
Self declaration
• Ask if the user requires extra screen reader support
– use the SMS text message option instead of CAPTCHA
Do you require extra screen reader support?
Self declare downside
• Users may not want to self-declare to be identified as different or requiring extra help
Staff assistance
• If you can’t avoid CAPTCHA, ensure there is help available
– Confirm the user outside of CAPTCHA
Staff assistance example
• A link asking the user to contact you if they encounter difficulties
If you are having problems contact us
Staff assistance
• Can be a suitable stop-gap whilst a long-term strategy for moving away from CAPTCHA is decided
– Be pragmatic
Application monitoring
• Large number of unused accounts created
• Large number of requests from the same IP address
– Investigate and block
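Both signals above can be computed from an application log without touching the user interface. The example below is added here and is not the presentation's own code; it assumes a log line format of "ISO timestamp, IP, event, optional account" (the sample lines are constructed), and the thresholds are assumptions to tune against real traffic. It reports IPs to investigate rather than blocking them itself.

```python
"""Flag IPs that create accounts which are never used, or that send too many
requests in a short window. Added example with constructed log lines; not
the presentation's own code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against real traffic before acting on them.
UNUSED_SIGNUPS_THRESHOLD = 5     # signups from one IP that never log in
BURST_THRESHOLD = 10             # events from one IP inside BURST_WINDOW
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample log: one IP mass-creating accounts, one benign user,
# one IP hammering the site. Format assumed: "<ISO time> <ip> <event> [<account>]".
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:00:0{i} 203.0.113.9 signup u10{i}" for i in range(6)]
    + ["2024-05-01T09:05:00 192.0.2.1 signup u2001",
       "2024-05-01T09:06:30 192.0.2.1 login u2001"]
    + [f"2024-05-01T09:10:{i:02d} 198.51.100.7 request" for i in range(12)]
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, event, account) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        account = parts[3] if len(parts) > 3 else None
        events.append((ts, parts[1], parts[2], account))
    events.sort(key=lambda e: e[0])
    return events


def unused_accounts_by_ip(events):
    """Accounts created from each IP that never produced a login event."""
    created = defaultdict(set)
    used = set()
    for _, ip, event, account in events:
        if event == "signup":
            created[ip].add(account)
        elif event == "login":
            used.add(account)
    return {ip: accounts - used for ip, accounts in created.items()}


def burst_sources(events):
    """IPs with BURST_THRESHOLD or more events inside a sliding BURST_WINDOW;
    value is the largest count seen for that IP."""
    window = defaultdict(deque)
    flagged = {}
    for ts, ip, _, _ in events:
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= BURST_THRESHOLD:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def suspicious_ips(text):
    """Return {ip: [reasons]} for IPs worth investigating; blocking is a human decision."""
    events = parse_log(text)
    reasons = defaultdict(list)
    for ip, unused in unused_accounts_by_ip(events).items():
        if len(unused) >= UNUSED_SIGNUPS_THRESHOLD:
            reasons[ip].append(f"{len(unused)} accounts created and never used")
    for ip, count in burst_sources(events).items():
        reasons[ip].append(f"{count} requests within {BURST_WINDOW.seconds}s")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in suspicious_ips(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The "never used" signal only becomes reliable after a grace period, since a legitimate user may sign up and log in the next day; run it over a window that ends well before the present.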
The trade off
• Security and accessibility can co-exist
– Except when CAPTCHA is used to provide the security
Summary
• Current CAPTCHA implementations are not accessible
– Some may adhere to certain WCAG 2.0 criteria
– Assume all are inaccessible