Google has finally solved the CAPTCHA’s ultimate puzzle: getting rid of the need for puzzles. Everyone, especially users with disabilities, can heave a huge sigh of relief.
A CAPTCHA is a programmatic security layer used on e-commerce sites, forums, and personal account login pages to prevent automated bots from imposing themselves on the human side of the internet. You might recognize the word and audio puzzles, which for some are an irritant and for others, especially users with disabilities, a scourge that poses a complete barrier to access.
In late October of this year, Google released version 3 of its reCAPTCHA security tool, and the result is a seamless user experience that doesn’t shove the user through a gauntlet of aggravating visual and audio tests. That’s right—the distorted words, the garbled audio, and the image tiles that make you sweat under the thought, “Does the corner of a fender count as part of a car?” are finally a thing of the past.
This latest version of reCAPTCHA, which has been in beta since May, avoids the need for end-user interaction by putting more responsibility into the hands of the website administrator. Through analysis of mouse behavior, browser environment, and user web history, the new reCAPTCHA assigns an interaction score to each user. A score of 0.0 represents highly suspicious behavior, while 1.0 designates a user who poses no apparent risk. The website administrator can set a score threshold at which certain actions are taken. For instance, users assigned a score of 0.7 while logging into a site may be forced into a two-factor authentication flow; or suspicious users with a score below 0.4 posting to a message board may have their post flagged for review.
This represents a giant leap forward for users with disabilities, but the challenge isn’t over yet. The question is, how long will it take for sites to implement the new tool? Since we may have to live with older versions of reCAPTCHA until the internet catches up with the new technology, this author believes it is important to review these CAPTCHA tools along with the reasons why they cause frustration for some users and pose a complete barrier to access for others.
The Spambot Problem
Researchers at Carnegie-Mellon University developed the first CAPTCHA program in 2000 in response to a familiar need. Yahoo’s chat rooms were filled with spambots masquerading as humans and advertising competing websites. When Yahoo implemented the original CAPTCHA solution, it greatly reduced the spam problem. Before long, Microsoft and AOL joined Yahoo, employing CAPTCHA to guard their email accounts, and Ticketmaster was using it to thwart automated ticket scalpers.
By 2007, humans were wasting 160,000 hours per day solving CAPTCHA puzzles, and one of the original Carnegie-Mellon researchers, Luis von Ahn, recognized a unique opportunity to make use of this wasted time. At the same time, the Internet Archive and the Google Books Project were using optical character recognition (OCR) to digitize books, but due to damaged pages or corrupted letters (or funky Old English typeface), some words required manual human interpretation. An upgraded version of the CAPTCHA system, called reCAPTCHA, paired two distorted words for interpretation: one was random, and one was taken from a book being digitized. An accurate transcription of the random word was used as authorization, while the other was sent back to the Internet Archive database. By 2008, one year after the reCAPTCHA system was implemented, it had transcribed 440 million words (PDF, 153KB). By 2011, reCAPTCHA had helped digitize thousands of books and magazines, along with 13 million articles of the New York Times — the entire archive — from 1851 to the present day.
Although they were helping to serve an important social need, the creators of reCAPTCHA were ignoring another fundamental social issue: many users with disabilities could not pass the authentication puzzle. Blind and visually impaired users were forced to transcribe a garbled audio clip, which was so effectively designed to deter bots that it deterred human listeners as well. Users with dyslexia or a dyslexia-like symptoms, who in some estimates make up one third of internet users faced their greatest challenge: letters distorted deliberately in order to be difficult to recognize. Deaf and hard-of-hearing users found themselves in the same position as fully sighted users, squinting to pick out warped letters from the noise of a wavy background, with no recourse to the audio challenge; and deaf-blind users had no options at all, with CAPTCHA output to Braille readers being entirely impossible. Moreover, reCAPTCHA was implemented on international websites, so its reliance on the Latin alphabet posed a barrier for non-English speakers as well.
The developers behind the reCAPTCHA program, which Google acquired in 2009, largely ignored concerns and petitions from the disabled community, but they could not ignore business-driven security concerns. By 2014, optical character recognition programs and artificial intelligence could crack the text-based reCAPTCHA puzzle with 99.8% accuracy. Moreover, certain crowdsourcing efforts enabled spammers to outsource the transcription of these puzzles for fractions of a cent at a time. For this reason, in 2014 Google released reCAPTCHA version 2 (a.k.a. No-CAPTCHA).
More Secure, But Still Puzzling
The second version of reCAPTCHA presents users with a checkbox (or, in the case of invisible reCAPTCHA, nothing at all), and sometimes users are not required to solve a challenge: hence the “No-CAPTCHA” moniker. But, in cases where the system detects suspicious activity, reCAPTCHA presents a visual challenge. The visual challenge engages users in a semantic labeling task: for example, “Select all the images containing cars/storefronts/flamingos.” The audio puzzle is version 2 is still a garbled audio clip, but it is now 30 seconds long, increasing the time required for AI to crack it.
The reCAPTCHA engineers are still trying to take advantage of wasted human time. In early releases, Google attempted to leverage reCAPTCHA puzzles to improve its maps accuracy by asking users to transcribe house address numbers from Google Street View photos. Additionally, responses to the semantic labeling puzzles are fed back into the Google Image Labeler to improve Google’s image search results.
Not only did version 2 of reCAPTCHA present the same challenges to blind and visually impaired users, deaf and hard-of-hearing users, dyslexic users (especially with the street address numbers), deaf-blind users, and non-English speaking users, but it also presented a new challenge. The reCAPTCHA widget containing the visual and audio puzzles presented poor focus visibility and non-linear tabbing order, so users depending on a keyboard also met a barrier to access. Speaking from experience, none of these barriers could be avoided programmatically, as Google owns the reCAPTCHA code.
Getting With The Times
These older CAPTCHA systems are still out there, and they are joined by third-party CAPTCHA programs that do not take into account users with disabilities. For instance, companies like PlayThru (defunct as of 2012) pitted users against gamified CAPTCHAs in which the user had to drag certain items to a target using the mouse (Figure 3). Users who relied on a keyboard, screen reader or other assistive technology were once again relegated to the audio puzzle.
As part of an informal user study in July of this year, this author recruited six participants with varying levels of visual impairment to test the usability of reCAPTCHA ver2. All six participants were able to complete the CAPTCHA verification, although all six had to listen to the audio puzzle multiple times. The participants found the auditory cue extremely difficult to recognize, and the system did not announce when the challenge had expired. One participant noted that the process was “Usable, accessible in the strictest sense, but poor user experience.”
We find ourselves now in the rare situation where new technology has ridden us of long-standing barriers to access for users with disabilities. All we need now is to call on web developers to use it. So, if you recognize the need, if you desire to see change for the better, you can make a difference. The next time you run into a CAPTCHA that might pose a barrier, contact the website administrator or the developer and make the case for adopting the new standard.
Dale Reardon says:
Hi,
Has anyone integrated this better V3 into a WordPress plugin yet?
Dale.
Jeanne Erickson Cooley says:
Hey, Dale. This is how I discovered v3, through the Contact Forms 7 plugin for WP. It seems to be working well. I have yet to see how we are able to get any data back from the integration on CF7, though. I think they just have a threshold for blocking certain users that look like bots, and don’t bother the WP site owner with making the decision. I’m actually just contacting the authors of the plugin to ask about this. My day job is in accessibility, and I find this v3 to be a game-changer!
Guy Hickling says:
I consider the alternative audio version of Google’s recaptcha pretty much unusable. I rarely managed to do it within 6 attempts, and even if I can manage it within 6 times, I don’t consider that even remotely satisfactory. If I, with good hearing, take 6 attempts, how many attempts will it take someone with less perfect hearing or with cognitive issues, or some inexperienced computer user with less experience in attempting recaptchas than I have?! As for Google’s image version, I find there are many cases where you are left wondering if a particular image belongs to the acceptable set or not; many of them are ambiguous. And the poor focus indicator issue remains.
In contrast I have recently discovered BotDetect at https://captcha.com . Now this seems a much, much more accessible captcha! Try it out. The visual offerings are mostly very clear, the audio alternatives follow the visual display so many users can reconcile both when trying to understand them. And it is not limited to a narrow range of visual styles so users with different colour or vision impairments can continue clicking until they find one that suits them.
It seems to me that BotDetect is a much more accessible version than Google’s ridiculous attempt.