Is Your CAPTCHA Keeping Humans Out?
Today’s internet-connected devices provide a wealth of potential targets for bad actors to conscript into botnets. Attackers use the sheer number of devices in botnets to overwhelm systems in attacks such as distributed denial-of-service (DDoS).
DDoS attacks tend to target pages on websites that use more processing power, such as login pages or endpoints for database queries, because that makes it easier to slow down the victim’s servers and make its website unusable. That’s why CAPTCHA services exist. They’re those little challenges asking you to select all the images of fire hydrants from a grid, click on a checkbox or — in older versions of the tool — decipher a word displayed in warped script.
John Sweet, an accessibility specialist at Charter Communications, said CAPTCHA prevents bots from reaching sensitive and processor-intensive areas of websites by hiding those areas behind challenges only humans should be able to solve.
“CAPTCHA tries to figure out whether the person signing in is a real person, or is a script or bot of some kind,” Sweet explained.
It gives websites a significant level of protection. Bots can still target a website, but because processor-intensive operations are hidden behind CAPTCHA, attackers need more bots to successfully crash a website.
At the same time, the design of CAPTCHA is critical. False negatives result in bots slipping through and potentially damaging a website. But arguably, an even more important concern is false positives — how often do CAPTCHAs filter out humans?
Some human users find these challenges difficult to pass. That’s a problem, because CAPTCHA is used in many critical websites, such as utility services. Especially during the COVID-19 pandemic, when more services need to be accessed virtually, CAPTCHA false positives could prevent people from accessing essential services.
“It stands as a barrier to authentication, or logging into secure websites,” Sweet said. “If you can imagine the frustration — if you were blind, visually impaired, or if you had a motor impairment — of not being able to pay your mortgage or your rent, or to buy essentials during a pandemic or lockdown, or to log your work hours? That’s the importance of this for people who have disabilities.”
Beyond essential services, being unable to get past a CAPTCHA also denies affected users equal access to online services of all kinds.
Accessibility Varies Across Different Types of CAPTCHA
Not all CAPTCHAs are equally accessible. The first versions had users deciphering distorted words and numbers and typing them into an input box. Harrison Tu, accessibility engineer at auditing company Accessible360, said those early CAPTCHAs should not be used on websites today.
“Those are totally inaccessible,” Tu said. “Just horrible. Don’t use them, there’s no way to make those accessible.”
That’s because that kind of CAPTCHA is entirely visual, making it impossible for users with visual impairments to use. When Google acquired reCAPTCHA, a CAPTCHA service company, that was the type of challenge it used. (Currently, reCAPTCHA is the most popular type of CAPTCHA, used by 93 percent of websites using CAPTCHA services, according to BuiltWith.)
Tu said reCAPTCHA version 2, introduced in 2014, is an improvement. Version 2 analyzes how the cursor moves across the page to the checkbox and judges whether the movement looks human. It’s able to validate many users this way based on the complexity of the movement. For the rest, it presents the option of an audio or visual challenge, such as choosing a certain type of image from a grid of images.
But reCAPTCHA version 2 still has its issues. Not all users use a trackpad or a computer mouse, increasing the likelihood that they get labeled as a bot and given visual or audio challenges. And some users with both visual and auditory impairments still get stuck at those challenges. Tu said even users who don’t use accessibility features find interactive CAPTCHAs difficult to work with.
“They do cause a lot of user abrasion,” he said. “I don’t think you like it when you get to a website and have to squint and type the characters.”
Google released reCAPTCHA version 3 in 2018, which eliminated user challenges in favor of returning a probability score on whether the user is human. Version 3 puts the responsibility of issuing challenges on web developers, giving them the flexibility to decide when and how to challenge a user with a low probability score. Developers can choose to validate users by authenticating them — through an email confirmation link or two-factor authentication — instead of issuing the standard visual or audio CAPTCHA challenges.
“If you fall under a certain confidence level, which can be assigned by the site administrator, instead of giving you a challenge to solve, they’ll do some other type of authentication,” Sweet said. “They offer these solutions that, while they’re kind of annoying because you have to go to a different app or you have to go to your phone, are still accessible and better than those visual challenges.”
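As an added illustration (not code from the article or from Google), here is the server-side decision logic the version 3 model implies: the backend reads the score, compares it to an administrator-chosen confidence level, and routes low-scoring users to an accessible step-up (email link or 2FA) instead of a visual puzzle. The field names follow the reCAPTCHA siteverify response; the threshold, action name and hostname are assumed values.

```python
from dataclasses import dataclass

# Decisions the application takes after reading the reCAPTCHA v3 score.
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class Policy:
    expected_action: str    # action name the front end passed to grecaptcha.execute
    expected_hostname: str  # site the token was issued for
    threshold: float = 0.5  # confidence level chosen by the site administrator (assumed value)


def decide(siteverify: dict, policy: Policy) -> str:
    """Map a parsed siteverify JSON response to allow / step_up / deny.

    siteverify is the dict the reCAPTCHA verification endpoint returns
    (fields: success, score, action, hostname, error-codes); a score of
    1.0 means "very likely human", 0.0 "very likely a bot".
    """
    # A token that fails verification (expired, already used, malformed) is
    # not a low score, it is no evidence at all, so the request is refused.
    if not siteverify.get("success"):
        return DENY
    # Bind the token to this form and this site so a token obtained on
    # another page or domain is not accepted here.
    if siteverify.get("action") != policy.expected_action:
        return DENY
    if siteverify.get("hostname") != policy.expected_hostname:
        return DENY
    score = float(siteverify.get("score", 0.0))
    # Below the threshold we neither block nor show a visual puzzle: the
    # caller offers an accessible second factor (email link, 2FA) instead.
    return ALLOW if score >= policy.threshold else STEP_UP


# Constructed sample responses in the shape siteverify returns (not real traffic).
SAMPLES = {
    "likely_human": {"success": True, "score": 0.9, "action": "login", "hostname": "example.org"},
    "low_score": {"success": True, "score": 0.2, "action": "login", "hostname": "example.org"},
    "other_form": {"success": True, "score": 0.9, "action": "signup", "hostname": "example.org"},
    "bad_token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples(policy: Policy = Policy("login", "example.org")) -> dict:
    """Evaluate every sample under one policy; returns name -> decision."""
    return {name: decide(resp, policy) for name, resp in SAMPLES.items()}
```

Raising the threshold moves more real users into the step-up path, so the accessibility of that second factor matters as much as the threshold itself.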
Don’t Create Your Own CAPTCHA
When Tu ranks reCAPTCHA options for accessibility, he puts version 2 at the bottom end of acceptable use, version 3 above that, and forgoing CAPTCHAs altogether at the very top.
“Think before you use it,” Tu said. “Is it really worth it? Is it really doing anything to help your business? And are you causing unnecessary accessibility frustration and user abrasion by adding this for no additional gain?”
But, perhaps more importantly, he recommends developers use an existing CAPTCHA standard and not implement their own.
“Because no matter what, when you create your own, you’re going to be blocking someone,” Tu said. “Deaf-blind users can most of the time get through the reCAPTCHA v2 — but if you create one that just has an image, or even an image and audio, you’ll be blocked in all instances. So just really think through all the different scenarios.”