At long last, the update to the paper I wrote (with the help and support of the WAI Protocols and Formats Working Group has been published as a W3C Working Group Note. It is now titled “Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web“, putting a finer point on the issue at hand than its predecessor, “Inaccessibility of Visually-Oriented Anti-Robot Tests: Problems and Alternatives“.
Weighing in at a hefty 3,000 words, it’s pretty long, even for me. It’s more than most people ever need to know about visual verification schemes. But hidden in there is a call to think about the problem you’re solving before relying on CAPTCHAs as a panacea. In some cases, outside of accessibility factors, its use is overkill. And in others, it may provide a dangerous false sense of security.
The new paper also gets into details the older version didn’t, and offers actual guidance at the end for solving the problem. The short version is as follows:
- If you are a major site that doesn’t have a choice
- …then it makes sense to have to use CAPTCHA, but you must allow other ways for real humans to access your service in a timely fashion.
- If you are a low-volume site such as a blog
- …don’t use CAPTCHA. Especially if it’s just to protect against posting spam comments. It’s inefficient, it’s a usability barrier for everyone, and it locks out more people than you think. Bayesian filtering is a Good Thing. I get dozens to hundreds of comment spams daily, and Spam Karma 2 for WordPress catches them all silently.
- If you are a financial services site
- …don’t use CAPTCHA-like tools for access control. New authentication systems are in use that randomize letter codes to correspond to a numeric keypad displayed on-screen. At best, the design falls into the dubious category of security through obscurity, which means it will be exploited when someone feels like it’s worthwhile. In the meantime, you’re blocking vision- and mobility-impaired users from basic tasks that would allow them to live unassisted. Until you figure it out, don’t take away those users’ autonomy for a short-term security benefit.
Have a look if you are using or considering CAPTCHAs for your site. And thanks to the Working Group, Al Gilman, Jon Gunderson, Janina Sajka, Marc-Antoine Garrigue, Dina Katabi, Kentarou Fukuda, Casey Chesnut, Sam Hocevar, Peter Krantz, Jason White and Viking At Large Charles McCathieNevile for their work on this paper and/or making access control more accessible.