WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: NoCAPTCHA reCAPTCHA accessibility testing updates?

for

Number of posts in this thread: 10 (In chronological order)

From: John P. Lee
Date: Thu, Aug 27 2015 1:17PM
Subject: NoCAPTCHA reCAPTCHA accessibility testing updates?
No previous message | Next message →

Hi all,


I'm checking in to see if anyone has done any extensive accessibility testing of Google's NoCAPTCHA reCAPTCHA<https://www.google.com/recaptcha/intro/index.html> lately, particularly with regards to access on mobile devices (e.g., using VoiceOver with the Safari web browser in iOS 8.4). I've done some testing with screen readers (JAWS 16.0, NVDA 2015.3) and screen magnifier (ZoomText Mag/Reader 10.1) and had mixed results when using different browsers. For example, ZoomText AppReader does not read the "I'm not a robot" box when I use the latest version of Firefox, and checking the checkbox is not successful regardless - it pops up an alternative verification method (image selection). By the way, I used Patrick Lauke's Google reCAPTCHA test website<http://patrickhlauke.github.io/recaptcha/>; for accessibility testing.


When I tested Patrick's website with VoiceOver in Safari on my iPhone (with iOS 8.4), VoiceOver did not automatically read the "I'm not a robot" section. It would read it if I dragged my finger over it, but one would have to know that something is there for it to be effective. Is this issue a result of Google's use of Javascript for NoCAPTCHA?


I've read both positive and critical reviews of the NoCAPTCHA widget online. What's the general consensus on using this CAPTCHA solution as an accessible option? Has anyone come across specific accessibility testing done by Google on NoCAPTCHA? Do we know if they have plans to address accessibility concerns that have been identified? Is there a better, more accessible CAPTCHA solution out there?


Thanks,

John


John Lee, MS, OTR/L, ATP
Assistive Technology Specialist

Disability Resource Center, Rm 237
Cal Poly, San Luis Obispo 93407
Phone: (805) 756-5972
Email: = EMAIL ADDRESS REMOVED =
Skype: jlee245.drc
URL: drc.calpoly.edu

From: deborah.kaplan@suberic.net
Date: Thu, Aug 27 2015 1:30PM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

Google's NoCAPTCHA is basically, for all practical purposes, inaccessible.

* Many times when I have tested by screen reader, and about 95% of the time when I test with voice or keyboard, it triggers the image selection alternative. (This is not what Derek Featherstone's tests found, but this is what I have been finding more and more lately; I have been assuming that Google has been fine-tuning the robot detector and now keyboard/voice use trigger it. There could be something else going on, but it is definitely a change for the worse, across multiple platforms.)

* The image selection alternative is not keyboard or voice navigable. At all.

* The audio captcha is just as bad as any audio captchas ever are. I've never been able to solve it, anyway.

For what it's worth, this is actively taking away my ability to use important parts of the web. For example, something about my search engine frequently triggers Stack Overflow's "verify you are not a robot" page, and that uses NoCAPTCHA. Since I literally cannot use NoCAPTCHA by voice or keyboard, I have had real trouble getting to Stack Overflow since they made the switch -- which as you can imagine is actually making me worse at my job.

> It would read it if I dragged my finger over it, but one would have to know that something is there for it to be effective. Is this issue a result of Google's use of Javascript for NoCAPTCHA?

JavaScript can be perfectly accessible. This is a result of the NoCAPTCHA team not writing accessible JavaScript.

> I've read both positive and critical reviews of the NoCAPTCHA widget online. What's the general consensus on using this CAPTCHA solution as an accessible option?

Don't.

File bugs with Google, but for now, don't use it. Until they fix this, it is a big flight of stairs into way too many parts of the web.

https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts

Deborah Kaplan

From: Jennison Mark Asuncion
Date: Thu, Aug 27 2015 3:41PM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

In the absence of using NoCAPTCHA, curious if anyone has worked
successfully with their org's Info Security team to implement an
accessible alternative to it? If so, what was the solution?

Jennison

From: Brian Richwine
Date: Fri, Aug 28 2015 2:07PM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

We provided a suggestion at our school, but it wasn't (at least not yet)
acted upon. In this case reCAPTCHA was in use on a form for resetting the
user's password. Since reCAPTCHA serves no real purpose towards proving
that user is who they claim to be, we suggested that the person could phone
the 24 hour support line and say they needed to get past that particular
form. At this point, we know it's a human so the support person provides an
alternate verification code that the user can type in to continue.

On Thu, Aug 27, 2015 at 5:41 PM, Jennison Mark Asuncion <
= EMAIL ADDRESS REMOVED = > wrote:

> In the absence of using NoCAPTCHA, curious if anyone has worked
> successfully with their org's Info Security team to implement an
> accessible alternative to it? If so, what was the solution?
>
> Jennison
> > > > >

From: Jennison Mark Asuncion
Date: Fri, Aug 28 2015 3:23PM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

One option I've seen on the hilton.com site (their sign-in form) is
that there will be a field that essentially says - this field is for
robots, do not do anything here, with the idea being that a bot will
put some sort of text into the field and thus will be caught.


Jennison

On 8/28/15, Brian Richwine < = EMAIL ADDRESS REMOVED = > wrote:
> We provided a suggestion at our school, but it wasn't (at least not yet)
> acted upon. In this case reCAPTCHA was in use on a form for resetting the
> user's password. Since reCAPTCHA serves no real purpose towards proving
> that user is who they claim to be, we suggested that the person could phone
> the 24 hour support line and say they needed to get past that particular
> form. At this point, we know it's a human so the support person provides an
> alternate verification code that the user can type in to continue.
>
> On Thu, Aug 27, 2015 at 5:41 PM, Jennison Mark Asuncion <
> = EMAIL ADDRESS REMOVED = > wrote:
>
>> In the absence of using NoCAPTCHA, curious if anyone has worked
>> successfully with their org's Info Security team to implement an
>> accessible alternative to it? If so, what was the solution?
>>
>> Jennison
>> >> >> >> >>
> > > > >

From: Dejan Kozina
Date: Sat, Aug 29 2015 12:32AM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

A variant of this I've used often is to set the 'trap' input to
'display: none', so only bots and scrapers care to fill it in, human
visitors aren't even aware of it.

djn

On 28/08/2015 23:23, Jennison Mark Asuncion wrote:
> One option I've seen on the hilton.com site (their sign-in form) is
> that there will be a field that essentially says - this field is for
> robots, do not do anything here, with the idea being that a bot will
> put some sort of text into the field and thus will be caught.
>
>
> Jennison

--
-----------------
Dejan Kozina
Dolina 346 (TS) - I-34018 Italy
tel.: +39 040 228 436 - cell.: +39 348 7355 225
e-mail: = EMAIL ADDRESS REMOVED =
http://www.kozina.com/
skype: dejankozina

From: Gijs Veyfeyken
Date: Mon, Aug 31 2015 2:18AM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

Mollom (https://www.mollom.com/ <https://www.mollom.com/>) uses the phonetic alphabet (alpha, bravo, charlie,...), making the audiocaptcha very easy to solve, even if you're hard of hearing.
Live example at the bottom of this page (Dutch):
https://www.bestuurszaken.be/nieuws/gezocht-collega%E2%80%99s-om-mee-te-sparren <https://www.bestuurszaken.be/nieuws/gezocht-collega%E2%80%99s-om-mee-te-sparren>

They've also switched from a Flash-button to an HTML5 audio player. So I think we can consider this accessible.
But SPAM-prevention that doesn't require an action from the user is still the best way to go (honeypot, time analysis or other).

Kind regards,

Gijs

---
Gijs Veyfeyken
AnySurfer - towards an accessible internet
http://www.anysurfer.be/en <http://www.anysurfer.be/en>;
Brussels - Belgium

From: deborah.kaplan@suberic.net
Date: Mon, Aug 31 2015 8:07AM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

On Mon, 31 Aug 2015, Gijs Veyfeyken wrote:

> Mollom (https://www.mollom.com/ <https://www.mollom.com/>) uses the phonetic alphabet (alpha, bravo, charlie,...), making the audiocaptcha very easy to solve, even if you're hard of hearing.


I loved that, and did find it both accessible and easy to solve. Although if it became widespread, a computer could solve it just as easily.

Like all audio captchas, it doesn't help deafblind people.

I am still very fond of TextCaptcha (http://textcaptcha.com/), although that site as it exists is English-only, and certainly has cognitive disability implications.

To be fair, every single captcha that exist has cognitive disability applications; TextCaptchas are merely much more obvious.

> But SPAM-prevention that doesn't require an action from the user is still the best way to go (honeypot, time analysis or other).

Agreed.

If you make the garbage can so secure that a bear cannot get into it, it will be too secure for hikers to bother using. I know the bear-proof trash can analogy for security-related UX has been made for at least a decade -- http://innocuous.org/articles/2010/11/21/captchas-the-bear-proof-trash-can-problem/ is one example -- but that's because it's a good one. The arms race against spammers is much like the arms race against password crackers; if you are fighting against those who are willing to throw armies of pennies-on-the-solve labor or massive bitcoin-mining systems against a problem you want rank-and-file users to be able to solve, you are going to lose. Pick a different battle.

Until then, the real losers are going to be people with physical disabilities (whose technological solutions to computer use often resemble automated captcha solvers), or people with cognitive disabilities (who can be stymied by many types of problems computers can solve).

Deborah Kaplan

From: Cliff Tyllick
Date: Mon, Aug 31 2015 9:02AM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | Next message →

> Although if it became widespread, a computer could solve it just as easily.

If a computer could solve it only as easily as a human, that would still be an improvement on current audio CAPTCHAs. One study showed that computers did better than humans against audio CAPTCHAs in use at that time by google.com and digg.com:

http://www.captcha.net/Breaking_Audio_CAPTCHAs.pdf

When you consider the impact of frustration—humans have usually dropped out no later than the second failed attempt and never seem to try more than 5 times; computers never tire out—then computers do far better than humans at solving current audio CAPTCHAs.

I guess that still accomplishes the objective of telling computers and humans apart: if it solves the audio CAPTCHA on the first attempt, it's probably a computer. If it's still trying after 5 failures, it definitely is a computer.

So even if Mollom's approach gives humans only equal footing with computers, it's still a significant improvement.

Cliff Tyllick
Accessibility Specialist
Texas Department of Assistive and Rehabilitative Services
= EMAIL ADDRESS REMOVED =
512-377-0366

Sent from my iPhone
Although its spellcheck often saves me, all goofs in sent messages are its fault.

>> On Aug 31, 2015, at 9:07 AM, = EMAIL ADDRESS REMOVED = wrote:
>>
>> On Mon, 31 Aug 2015, Gijs Veyfeyken wrote:
>>
>> Mollom (https://www.mollom.com/ <https://www.mollom.com/>) uses the phonetic alphabet (alpha, bravo, charlie,...), making the audiocaptcha very easy to solve, even if you're hard of hearing.
>
>
> I loved that, and did find it both accessible and easy to solve. Although if it became widespread, a computer could solve it just as easily.
>
> Like all audio captchas, it doesn't help deafblind people.
>
> I am still very fond of TextCaptcha (http://textcaptcha.com/), although that site as it exists is English-only, and certainly has cognitive disability implications.
>
> To be fair, every single captcha that exist has cognitive disability applications; TextCaptchas are merely much more obvious.
>
>> But SPAM-prevention that doesn't require an action from the user is still the best way to go (honeypot, time analysis or other).
>
> Agreed.
>
> If you make the garbage can so secure that a bear cannot get into it, it will be too secure for hikers to bother using. I know the bear-proof trash can analogy for security-related UX has been made for at least a decade -- http://innocuous.org/articles/2010/11/21/captchas-the-bear-proof-trash-can-problem/ is one example -- but that's because it's a good one. The arms race against spammers is much like the arms race against password crackers; if you are fighting against those who are willing to throw armies of pennies-on-the-solve labor or massive bitcoin-mining systems against a problem you want rank-and-file users to be able to solve, you are going to lose. Pick a different battle.
>
> Until then, the real losers are going to be people with physical disabilities (whose technological solutions to computer use often resemble automated captcha solvers), or people with cognitive disabilities (who can be stymied by many types of problems computers can solve).
>
> Deborah Kaplan
> > > >

From: Jonathan H
Date: Tue, Sep 01 2015 3:57PM
Subject: Re: NoCAPTCHA reCAPTCHA accessibility testing updates?
← Previous message | No next message

This is all well and good discussing it here, but I think it might also be
perhaps helpful for it to be also discussed on the actual group for
Google's CAPTCHA offerings over at
https://groups.google.com/forum/#!forum/recaptcha

This way it may get more attention from Google themselves, too.