

Nilofar Ansher



02/14/2012

The Importance of Covering All Bases When Implementing CAPTCHA


If Captcha must be used to maintain security for a site, then content providers must ensure its accessibility for persons with a range of disabilities, writes Bryan Garaventa, SSB Bart Group.

In this article, we discuss the purpose and usage of Captcha: specifically, how Captcha is used and made accessible, and the benefits and drawbacks of a specific Captcha implementation.

Captcha is a service that protects interactive websites from automated scripts, called bots, that are used by spammers, hackers and data harvesters to flood systems with false data and to gather information.

Captcha works as a gateway between the user and the information that the user wishes to access, by requiring a specific unpredictable action by the user before the user is granted access. This makes it impossible for bots to programmatically gain access without direct human interaction.

The most secure way to do this is to provide an image that cannot be readily scanned using Optical Character Recognition (OCR), and request that the user type the characters that are displayed. However, this implementation introduces critical accessibility issues, such as the inability of screen reader users who are blind to identify the content of such images and the inability of users with low vision to recognize lettering with minimal or varying contrast levels and background obscuring effects.

If Captcha must be used to maintain security for a site, the following points must be covered to ensure accessibility:

  • The Captcha image must have sufficient foreground and background color contrast to ensure that users with low vision will be able to see the lettering
  • The Captcha must include an audio alternative to ensure accessibility for screen reader users (providing a telephone number is not sufficient)

There are many services that provide Captcha for interactive websites, with varying degrees of accessibility and usability. For instance, Cognitive Captcha systems, which require users to solve a logic problem, are not scalable across different languages, nor do they take into account the limitations of cognitive impairments.

Currently the most accessible, free Captcha service available is ReCaptcha: http://www.google.com/recaptcha. ReCaptcha uses good-quality synthesized speech to identify keywords to screen reader users in addition to the visually displayed image. Since a human voice recording is not used, this implementation is easily scalable and supports multiple languages. Even here, though, improvements can be made. For instance, in this ReCaptcha example the error messages are visible to screen reader users even though none are displayed visually (e.g. “Type the two words:Type what you hear:Incorrect. Try again.” is announced using JAWS).

Several alternatives to Captcha, which are growing in popularity, are now available:

  • Akismet (http://akismet.com/)
  • Mollom (http://mollom.com/)
  • SBlam! (http://sblam.com/en.html)

These services apply spam detecting algorithms on submitted data to automatically detect and remove spam without requiring direct user interaction. In some cases a Captcha is displayed, but only when the scan is uncertain. Systems that use heuristics, such as Akismet, are good long-term solutions that support scalability without requiring a Captcha.
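The flow described above (score the submission without involving the user, and fall back to a Captcha only when the result is uncertain) can be sketched as follows. This is an added example, not code from the article or from Akismet, Mollom or SBlam!; the signals, the hidden field name `website_hp`, the weights and the thresholds are all illustrative assumptions.

```python
import re

# Illustrative thresholds and weights (assumptions, not from any real service).
ACCEPT_BELOW = 0.3
REJECT_FROM = 0.7
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def spam_score(form, seconds_to_submit):
    """Return a score in [0, 1]; higher means more bot-like."""
    score = 0.0
    # Honeypot: a field (hypothetical name) hidden from people, including
    # screen reader users, that only an automated form filler populates.
    if form.get("website_hp", "").strip():
        score += 0.7
    # A form completed faster than a person could type is suspicious.
    if seconds_to_submit < 3:
        score += 0.4
    # Link-heavy comments are a common spam signal; cap the contribution.
    links = len(URL_RE.findall(form.get("comment", "")))
    score += min(links, 3) * 0.2
    return min(score, 1.0)


def triage(form, seconds_to_submit):
    """Decide silently where possible; challenge only when unsure."""
    score = spam_score(form, seconds_to_submit)
    if score < ACCEPT_BELOW:
        return "accept"
    if score >= REJECT_FROM:
        return "reject"
    return "challenge"  # uncertain: fall back to an accessible Captcha


# Constructed sample submissions: (form fields, seconds taken to submit).
SAMPLES = [
    ({"comment": "Thanks, the audio option helped."}, 42.0),
    ({"comment": "See http://a.example and http://b.example"}, 20.0),
    ({"comment": "http://x.example", "website_hp": "http://x.example"}, 1.0),
]

if __name__ == "__main__":
    for form, secs in SAMPLES:
        print(triage(form, secs), "<-", form["comment"])
```

Only the middle sample reaches the "challenge" branch, so most legitimate users never see a Captcha at all.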

When implementing a Captcha solution for an interactive website, it’s very important to cover all the bases to ensure accessibility for all user types. The best way to accomplish this is to implement a service that does not require the use of a visual Captcha.

Reblogged from SSB Bart Group's blog section, posted by Bryan Garaventa.