The inaccessibility of CAPTCHA
How you may be undermining the accessibility of your online service
TRANSCRIPT
www.employment.gov.au
Why use CAPTCHA?
• It’s a way to stop bots from compromising your online service
– Creating accounts
– Spamming users
– Commenting on forums
Why use CAPTCHA?
• It’s free, fully automated and pretty straightforward to add
• Requires no effort to continue using it
Problems
• CAPTCHA is not accessible
– Many are difficult to use via the keyboard
• Especially with a screen reader
– Very difficult to use if you’re vision impaired
– Difficult to understand any audio challenge
Google reCAPTCHA
• Uses a range of criteria to determine humanness
– User behaviour on the page
– If the user has a Google account
Problem solved?
• No
– In cases when the risk analysis engine can't confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the number of security checkpoints to confirm the user is valid
Do you feel confident using it?
• If you can’t be sure users will never see a CAPTCHA, can you recommend using it?
– An accessible website is made inaccessible
CAPTCHA has been compromised
• Services exist where people solve CAPTCHAs in bulk
– CAPTCHA farms, using human labour
Background reading
• Breaking CAPTCHA
– www.troyhunt.com/breaking-captcha-with-automated-humans/
• Artificial intelligence smart enough to fool Captcha security check
– http://www.bbc.com/news/technology-41775968
Form submission times
• If a form is submitted faster than a person could plausibly fill it in, treat it as sent by a bot
– Ignore the input
All reasonable responses
• Use layered security to improve the security of the system
– Email verification
– Form submission times
– Honeypot
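What two of those layers look like on the server side, as an added example (this is not code from the original presentation or from the department's own service). It combines the submission-time check with a honeypot field; the secret, thresholds and field names are assumptions chosen for illustration. The issue time is signed so a bot cannot backdate it, and the honeypot is checked first because it costs nothing.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# All names and values below are assumptions for this example, not settings
# from the original presentation.
SECRET = b"replace-with-a-random-per-deployment-secret"  # server-side only
MIN_SECONDS = 3             # a person rarely completes a form faster than this
MAX_SECONDS = 6 * 3600      # reject stale tokens so one cannot be harvested and replayed for days
HONEYPOT_FIELD = "website"  # extra input a person never sees; a bot filling every field trips it
TOKEN_FIELD = "form_token"  # hidden input carrying the signed issue time


def issue_form_token(now: Optional[float] = None) -> str:
    """Called when the form is rendered.

    The issue time is bound to an HMAC so the client cannot backdate it; a bot
    that fetches the page and posts immediately still presents a fresh timestamp.
    """
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_submission(fields: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The layers run cheapest first and none of them puts a challenge in front of
    the user, so an accessible form stays accessible.
    """
    now = time.time() if now is None else now

    # Layer 1: honeypot. The field must be hidden from assistive technology as
    # well as visually (aria-hidden="true", tabindex="-1", autocomplete="off"),
    # otherwise a screen reader user will be asked to fill it and be rejected.
    if fields.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"

    # Layer 2: submission time. Verify the signature before trusting the
    # timestamp inside the token.
    ts, _, sig = fields.get(TOKEN_FIELD, "").partition(".")
    if not ts.isdigit():
        return False, "missing or malformed token"
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "token signature invalid"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, f"submitted in {elapsed:.1f}s"
    if elapsed > MAX_SECONDS:
        return False, "token expired"

    # Layer 3 (email verification) would follow: accept the submission but
    # hold the account until the address is confirmed.
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000.0
    token = issue_form_token(issued_at)
    print(check_submission({TOKEN_FIELD: token}, now=issued_at + 0.4))               # too fast
    print(check_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: "x"}, now=issued_at + 20))
    print(check_submission({TOKEN_FIELD: token}, now=issued_at + 20))                # accepted
```

Two caveats a practitioner will want: the minimum time is a heuristic, so a user of browser autofill or a password manager can legitimately submit in a second or two, and a rejection should fall back to one of the other layers rather than a hard block; and the honeypot only helps if it is invisible to screen readers, not merely styled `display:none` with a tempting label.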
Word CAPTCHA problem
• Need to create hundreds of question and answer combinations to ensure they don’t repeat
Besides, is this a good look?
• Asking trivial questions doesn’t look good on a government website
– “what colour is the sky?”
The problem
• CAPTCHA is a frontend solution to a backend problem
– Why should users have to prove they are human?
Most viable alternatives
• SMS text message
• Self declaring on the account signup
• Staff assistance if the user is having problems
• Application behaviour monitoring
SMS text message downside
• Can incur significant cost if all users are now receiving a text message
– Be discerning and provide the text message option for those who actually require it
Self declaration
• Ask if the user requires extra screen reader support
– use the SMS text message option instead of CAPTCHA
Do you require extra screen reader support?
Self declare downside
• Users may not want to self-declare to be identified as different or requiring extra help
Staff assistance
• If you can’t avoid CAPTCHA, ensure there is help available
– Confirm the user outside of CAPTCHA
Staff assistance example
• A link asking the user to contact you if they encounter difficulties
If you are having problems, contact us
Staff assistance
• Can be a suitable stop-gap whilst a long-term strategy for moving away from CAPTCHA is decided
– Be pragmatic
Application monitoring
• Large number of unused accounts created
• Large number of requests from the same IP address
– Investigate and block
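The two signals above, turned into detection logic over sample data, as an added example that is not part of the original presentation. The log lines and account records are constructed for this example, and the window sizes and thresholds are assumptions; in practice they are tuned from the service's own baseline.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:09:00:01 +1000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2018:09:00:03 +1000] "POST /register HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2018:09:00:05 +1000] "GET /register HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2018:09:00:06 +1000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2018:09:00:08 +1000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2018:09:00:12 +1000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2018:09:00:15 +1000] "POST /register HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2018:09:00:41 +1000] "POST /register HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2018:09:20:00 +1000] "POST /register HTTP/1.1" 200 512
"""

# Constructed account records; a last_login of None means never signed in.
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "created": "2018-03-10T14:02:00+10:00", "last_login": "2018-03-11T08:15:00+10:00"},
    {"user": "bot0001", "created": "2018-03-12T09:00:01+10:00", "last_login": None},
    {"user": "bot0002", "created": "2018-03-12T09:00:03+10:00", "last_login": None},
    {"user": "bot0003", "created": "2018-03-12T09:00:06+10:00", "last_login": None},
    {"user": "bot0004", "created": "2018-03-12T09:00:08+10:00", "last_login": None},
    {"user": "dormant", "created": "2017-06-01T10:00:00+10:00", "last_login": None},
]
NOW = datetime.fromisoformat("2018-03-13T09:00:00+10:00")  # assumed "current" time for the sample


def parse_log(text: str) -> List[Tuple[str, datetime, str, str, int]]:
    """Parse combined-format lines into (ip, time, method, path, status)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def flag_bursty_ips(events, path="/register", method="POST",
                    window=timedelta(seconds=60), max_hits=5) -> Dict[str, int]:
    """Return {ip: peak hits} for IPs that exceed max_hits to path within any window.

    A sliding window over each IP's sorted timestamps gives the peak rate,
    which is more robust than counting per fixed minute.
    """
    times: Dict[str, List[datetime]] = {}
    for ip, ts, m, p, _ in events:
        if m == method and p == path:
            times.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[ip] = peak
    return flagged


def flag_unused_accounts(accounts, now, window_days=7, max_unused=3) -> Tuple[bool, List[str]]:
    """Return (alert, usernames) for accounts created in the window that never logged in."""
    cutoff = now - timedelta(days=window_days)
    unused = [a["user"] for a in accounts
              if a["last_login"] is None and datetime.fromisoformat(a["created"]) >= cutoff]
    return len(unused) > max_unused, unused


if __name__ == "__main__":
    print(flag_bursty_ips(parse_log(SAMPLE_LOG)))
    print(flag_unused_accounts(SAMPLE_ACCOUNTS, NOW))
```

The output of both checks is a list to investigate, not a block list: a single public IP address can front a library, a jobactive office or a whole corporate network through NAT, so a burst from one address is a reason to look, and only then to rate-limit or block.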
The trade off
• Security and accessibility can co-exist
– Except when captcha is used to provide the security
Summary
• Current CAPTCHA implementations are not accessible
– Some may adhere to certain WCAG 2.0 criteria
– Assume all are inaccessible