It’s about time CAPTCHAS become accessible

Yesterday I eagerly hopped onto a Discord call with a friend of mine. She recently purchased her first gaming computer, and we were excited to play some games together. Straight away, I told her to make an account with Steam — a digital platform where users can find and download video games. In order to create a Steam account, you only need to enter an email, password, username, and country of residence.

So… why did it take her 10 frustrating minutes to make a simple account?

Oh, right…it’s because she’s a robot.

Well, at least Steam seems to believe she’s a robot. In order to make an account with Steam you must complete a simple CAPTCHA. You know, the box you check that says “I’m not a robot”? Sometimes a short test will come up. Maybe you need to type in the letters shown in an image or select images of certain objects. Seems simple enough, right? Not exactly.

CAPTCHAS are a great way to prevent fake accounts and spam. Different platforms use them for all kinds of reasons. For example, a platform that sells concert tickets might use a CAPTCHA to prevent robots from buying bulk tickets that they can then scalp for twice the price. CAPTCHAS can also prevent account hijackings from attackers that try to hack accounts by repeatedly trying to log in using hundreds of different passwords.

There is no doubt that there are plenty of good reasons to use a protective CAPTCHA. Unfortunately, there are plenty of CAPTCHAS also stumping customers and consumers. Annoying, difficult, or unintuitive CAPTCHAS can greatly tarnish the user experience. In some cases, people may get so frustrated or spend so long trying to prove that they aren’t made of metal that they give up on the program entirely. This is something I experienced firsthand just yesterday.

As my friend was making her account, I heard her make a frustrated groan.

“What’s wrong?” I asked.

“I can’t beat the stupid CAPTCHA,” she grumbled.

“Are you a robot?”

“I guess I am now.”

We laugh. After two more minutes pass, she starts to get angry at it. She wants to make sure she isn’t “being dumb,” so she shares her screen with me.

Two more minutes pass.

Great, now we’re both robots. At this point, we are both yelling at the CAPTCHA.

“I KNOW WHAT A BICYCLE LOOKS LIKE, I SWEAR!”

At this point, we aren’t sure if the site is glitching or our brains are. She refreshed the page, but alas, our mental software isn’t up to par. At this point she wanted to give up and use a different platform or just play a game we already had. I encouraged her to keep going for another couple minutes before giving up on it. A few more refreshes and attempts later, we finally defeated our robot overlords. Two big sighs of relief. I knew that if I wasn’t there laughing with her, she would have easily gotten frustrated and abandoned the platform.

A tweet captioned “I always be overthinking these,” with a photo of a CAPTCHA showing only a tiny corner of a traffic light in one image. It then shows a picture of a sweaty man.

I understand that CAPTCHAS are necessary for security purposes, but there is a balance between safety and usability. I decided to do some more research into difficult CAPTCHAS, and stories like these are more common than I thought.

There are various kinds of CAPTCHAS. One of the most common asks users to type in a specific set of numbers or letters shown in a funky font on screen. With these kinds of tests, however, a large-scale study done by Baymard Institute found that “8.66% of all users will mistype their first attempt (it’s 29.45% if the CAPTCHA is case sensitive).” They also found that even the existence of a CAPTCHA can cause abandonment.

“Also alarming was that an additional 1.47% of the subjects abandoned a larger incentivized survey when presented with the CAPTCHA at the end of the survey. These subjects didn’t even attempt to fill the CAPTCHA, despite having completed 80% of the survey and only missing the two CAPTCHAs to qualify for their monetary compensation.” — Baymard Institute

That sucks, huh? Now consider being blind or visually impaired. Suddenly frustrating becomes impossible. According to a report by the World Health Organisation, there are 284 million people in the world who are visually impaired, and 39 million people are blind. Screen readers can’t process images, so CAPTCHA requirements like matching images or typing out a funky string of letters or numbers quickly become impossible.

What about other accessibility issues? Did you know that dyslexia affects 20 percent of the population? That warped string of numbers and letters is extra painful for approximately 1/5th of your user base.

An unreadable captcha.

It isn’t just individuals with a disability who find CAPTCHAS impossible. According to W3C, “traditional CAPTCHAs have generally presumed that all web users can read and transcribe English-based words and characters, thus making the test inaccessible to a large number of non-English speaking web users worldwide.” W3C also argues that, since many users will need to make multiple attempts, CAPTCHAS are also inaccessible to individuals with anxiety disorders and other cognitive or learning disabilities.

While CAPTCHAS might be necessary for security purposes, they commonly have a negative impact on usability. Before implementing one in your designs, consider carefully whether you really need it. In some cases, however, they are necessary. So then, how can we make them more user-friendly?

In order to make CAPTCHAS accessible for everyone, we need some alternatives. We need to avoid image-based CAPTCHAS whenever possible. Images can’t have alt-text, since it would defeat security purposes. In turn, users who rely on a screen reader can’t access them. What should we use then? I’ve personally never seen a CAPTCHA without an image attached, minus the simple box click. The simple box click, however, is easy for hackers to get around these days. So what can we use? Let’s take a look at a few examples.

1. Text CAPTCHAS

Text CAPTCHAS ask users a simple question in order to prove their validity. For example:

  • What is the 4th letter in the word “heartfelt?”
  • Which of Marcus, dishes, or banana is the name of a fruit?
  • What is eight-hundred and forty three as a number?

According to Vision Australia, “These questions are designed for the intelligence of a seven-year-old child. The biggest problem with logic questions is that they’re specific to a language, usually English.”

Photo of a text CAPTCHA that reads: “The brown dress is what colour?” It then notes that users have two minutes to complete it.

Versions of text CAPTCHAS also exist in the form of logic puzzles. One of these may present a simple math problem or a basic question. For example, “Which of these don’t belong: dog, cat, bird, television?”

The problem here lies with individuals who have cognitive or learning disabilities. Someone who is “living with dyscalculia will understandably find even simple arithmetic puzzles challenging.”

2. Email/SMS verification

This is when a program sends a code to your phone or email that you need to enter into the website in order to verify yourself. It can also come in the form of a link that you need to click on. While this is an effective way to combat accessibility issues, it can be extremely annoying for users. I can’t even count the number of grumbles and sighs I’ve let out when encountering these. As a user, I only really appreciate these when they are protecting something with important information, like my bank account.

3. Honey pots

This security measure is so good that I didn’t even know it existed until the time of writing this. Honey pots are text fields that can only be seen by bots. “They trap bots like flies by having them complete form fields.”

If data is inserted into a honey pot, the website can be fairly certain that the action was not done by a real user. Unfortunately, this bot trap also catches screen readers: they can see the honey pot fields, so their users might trap themselves. We can get around this by including a warning like “Leave this field blank,” but this can easily confuse users who don’t know about these traps.
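A sketch of the honey pot check described above, added here as an example and not taken from the article or from any particular site. The field name `company_website` and the "escalate" outcome are assumptions: because a screen-reader user can fill the decoy by mistake, a hit is routed to a second check (such as the email verification in option 2) instead of being dropped.

```javascript
// Added example, not code from the article. The field name and the
// "escalate" outcome are assumptions made for illustration.
const HONEYPOT_FIELD = "company_website"; // hypothetical decoy field name

// Decoy markup. CSS moves it off-screen for sighted users, but a screen
// reader still announces it, so the label carries the article's warning.
// autocomplete="off" asks the browser not to autofill the decoy, and
// tabindex="-1" keeps keyboard users from tabbing into it.
function renderHoneypotField() {
  return [
    '<div style="position:absolute;left:-9999px">',
    `  <label for="${HONEYPOT_FIELD}">Leave this field blank</label>`,
    `  <input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}"`,
    '         autocomplete="off" tabindex="-1">',
    "</div>",
  ].join("\n");
}

// Classify a URL-encoded form body (application/x-www-form-urlencoded).
function classifySubmission(body) {
  const values = new URLSearchParams(body).getAll(HONEYPOT_FIELD);
  // A browser that rendered the form sends the empty decoy too, so a body
  // without it was probably not produced by the real form.
  if (values.length === 0) {
    return { action: "escalate", reason: "decoy field missing" };
  }
  // Whitespace-only input counts as blank.
  if (values.some((v) => v.trim() !== "")) {
    return { action: "escalate", reason: "decoy field filled" };
  }
  return { action: "accept", reason: "decoy field empty" };
}

// Constructed sample submissions.
const SAMPLES = {
  human: "email=ana%40example.com&password=x&company_website=",
  filled: "email=bot%40example.com&password=x&company_website=http%3A%2F%2Fspam.example",
  stripped: "email=ana%40example.com&password=x",
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, classifySubmission(body));
}
```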

4. Audio CAPTCHAS

Initially I figured any audio CAPTCHAS would be a great alternative. When they were put to the test by Towson professor Dr. Jonathan Lazar, that was not the case.

“Interestingly enough we actually found that only 46 percent of the time could blind users successfully complete the audio CAPTCHAs. The average time to complete an audio CAPTCHA correctly was 65 seconds…

Clearly audio CAPTCHAs are not usable for many blind people.” — Dr. Lazar

HIPUU (Human Interacting Proof Universally Usable) is an audio CAPTCHA specially tested and designed by Dr. Lazar and other researchers at Towson University and the National Federation of the Blind.

In the example below, users could either look at the photos or play the audio. The audio would state “birds, drums, lion” and the user could simply type in what they hear. The CAPTCHA also accepts plural versions, singular versions, and isn’t case-sensitive.

Photo of a HIPUU CAPTCHA. It has a “Play Audio” button, followed by 3 photos for sighted users, and three text forms to put in the answers. The answer is “Birds; drums; lion.”

“We did a usability test with the first version of HIPUU with five blind users and five sighted users, each completing fifteen different tests. First, the interesting thing is that sighted users had a 100 percent task success rate. Users who could see were successful, and they actually liked this better than the traditional twisted-text CAPTCHA. Sighted people don’t like those CAPTCHAs either. By contrast, when we had the blind users tested, they actually had a 90 percent success rate–90.6 percent on the first try. And on the second try it actually went up to 100 percent. The average task-completion time was 35.2 seconds.” — Dr. Lazar
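One way to get the forgiving answer matching described for HIPUU (plural or singular accepted, not case-sensitive), added here as an example and not HIPUU's own code. The plural rule is a deliberately naive English stemmer, and accepting the three words in any order is an assumption.

```javascript
// Added example, not HIPUU's code. The normalisation rules are an
// assumption about one reasonable way to get the behaviour described.

// Fold case and Unicode variants, then drop everything that is not a
// letter or digit (spaces, trailing full stops, stray punctuation).
function normalise(word) {
  return word.normalize("NFKC").toLowerCase().replace(/[^\p{L}\p{N}]/gu, "");
}

// Naive English plural handling: reduce a word to a stem so that
// "bird"/"birds" and "box"/"boxes" compare equal.
function stem(word) {
  if (word.length > 3 && word.endsWith("ies")) return word.slice(0, -3) + "y";
  if (word.length > 3 && /(s|x|z|ch|sh)es$/.test(word)) return word.slice(0, -2);
  if (word.length > 3 && word.endsWith("s") && !word.endsWith("ss")) {
    return word.slice(0, -1);
  }
  return word;
}

// Compare the expected words with what the user typed, ignoring case,
// punctuation, singular/plural form and the order of the fields.
function checkAnswers(expected, submitted) {
  const key = (w) => stem(normalise(w));
  const want = expected.map(key).sort();
  const got = submitted.map(key).filter((w) => w !== "").sort();
  return want.length === got.length && want.every((w, i) => w === got[i]);
}

// Constructed attempts against the article's "birds, drums, lion" challenge.
const EXPECTED = ["birds", "drums", "lion"];
const ATTEMPTS = [
  ["Birds", "drums", "lion"],   // exact apart from case
  ["bird", "DRUM ", "Lions."],  // singular/plural swapped, stray punctuation
  ["birds", "drums", "tiger"],  // wrong word
  ["birds", "drums", ""],       // one field left empty
];

for (const attempt of ATTEMPTS) {
  console.log(JSON.stringify(attempt), checkAnswers(EXPECTED, attempt));
}
```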

We have some great alternatives to help the majority of people solve CAPTCHAS, but the bots are solving them as well. As time goes on and technology advances, CAPTCHAS as a whole are beginning to be an outdated security measure.

For example, the warped text CAPTCHAS are vulnerable to character recognition. In order to solve this, the text is warped further. Now the bots can’t read it… but neither can the users. The text becomes “less feasible even for humans who are well endowed with sensory and cognitive capacity to solve CAPTCHA challenges reliably, ultimately making character-based CAPTCHAs impractical [captcha-ocr].”

Alright, so no warped text. What about audio CAPTCHAS? Alas, there are still some problems to deal with. According to a study at the University of Maryland, there is a 90% success rate at cracking Google’s audio reCAPTCHA using Google’s own speech recognition service.

With audio, text, and image recognition, it seems that CAPTCHAS are easy for bots and difficult for humans. Most people view CAPTCHAS as a necessary evil in order to ensure online safety, but that just isn’t the case anymore.

“There must first be a shift in how internet firms think about security to block bots effectively. It should no longer be acceptable for internet firms to place the burden of proof on their customers to prove they’re human. Understandably, this is easier said than done — and a far more involved process than simply putting some graphics on your website and claiming bots can’t figure it out. However, the difficulty does not imply the impossible.” — Khushbu Raval

Unfortunately, I don’t have the all-encompassing solution. This is a difficult problem that people have been trying to solve since 2003. Hopefully this article or one of the many online resources on this topic will inspire someone to try something out of the box. When trying something new, just remember to do extensive research. Test the solution on a variety of different browsers, platforms, and a variety of people including those with and without disabilities.

Even with the more accessible CAPTCHA options, you should be aware that any tool or security measure that interrupts a user’s goal will have a negative impact on their experience. Even if the CAPTCHA is quick and accessible, there is a good chance it will lead to at least a small percentage of abandonment.

Now, if you don’t mind me, I’m going to go rest my circuit boards.
