Summary

hCaptcha is designed to stop bots by distinguishing them from people. Visual tests are a convenient tool for this, but not everyone can solve a visual challenge.

For this reason we have designed simple, painless alternatives to let online services using hCaptcha preserve accessibility for all with full Section 508 and WCAG 2.1 AA compliance.

We offer two methods of accommodation that accessibility users may encounter.

The first is a purely text-based alternative humanity verification challenge that some services may choose to enable, which is available by choosing the "Text Challenge" option in the hCaptcha widget menu when enabled on a given website or app.

The second is a universal accessibility authorization option that is available on all services using hCaptcha by default. It is designed to be much more accessible than legacy audio challenges, serving not just people with visual impairments but also those with auditory processing issues or other needs for accommodation that neither visual nor auditory challenges can address.

How it works: first, an accessibility user signs up via the accessibility signup page, which is prominently linked in the hCaptcha widget info page. They are given an encrypted cookie that can be used several times per day, but must be refreshed periodically via login.

When a challenge is presented to an accessibility user on a site using the hCaptcha service, they will automatically pass.
‍

FAQ

Q: Is  hCaptcha Section 508 + WCAG 2.1 AA compliant?
A: We believe so: all users with any form of impairment who are able to browse the web and enter text on forms can access services protected by hCaptcha upon registration. However, this is not legal advice: you should perform your own evaluation, taking into consideration your particular implementation to ensure this is the case for your deployment.

Q: What is hCaptcha's role in providing accessibility accommodations?
A: hCaptcha offers a wide variety of security services with many configuration options. These include completely passive security options like hCaptcha Enterprise Passive mode, and several types of humanity verification challenges that offer strong security with a variety of accessibility tradeoffs. The online service using hCaptcha is responsible for deciding whether the provided accessibility options meet its needs, or whether it prefers to combine strong security measures from hCaptcha with alternative accessibility options or procedures for accommodation.

Q: How are text-based challenges impacted by large language models ("LLMs")?
A: hCaptcha has worked for years on generative AI use and abuse, including LLM detection. We have integrated a variety of defenses into the hCaptcha Enterprise product suite with LLMs in mind.

Q: Are you working on other accessibility ("a11y") options, like audio? 
A: Previously popular options like audio captchas discriminate against many a11y users and are easily defeated by modern machine learning techniques. This has forced current audio challenges to become more and more difficult, introducing noise, odd timing, unusual word combinations, and so on to defeat attackers. We are thus less enthusiastic about this approach vs. avoiding the challenge altogether, but will consider it if there is demand from the a11y community.

However, we are very interested in Privacy Pass for the Accessibility use case. We believe combining our current a11y approach with Privacy Pass issuance will allow a11y users to browse safely, secure in the knowledge that their traffic is more private, while restricting the abuse by bot operators that inevitably occurs when a11y options are available. We are active participants in the IETF working group standardizing this new technology.

Q: What about privacy? Does registration expose a11y browsing data in some way? What do you do with the email?
A: hCaptcha is designed for privacy from the ground up. It is very different than traditional options like reCAPTCHA that are owned by ad networks, who have an incentive to track you around the web and associate you with a real identity.

We never use accessibility emails or info for any purpose other than facilitating a11y use and preventing abuse. Our privacy policy has comprehensive and authoritative answers as to how we use data, but the short answer is we have no interest in associating you as a person with your browsing history.

We are also currently working on a cryptographic solution to rapidly discard your email address while still preserving our ability to prevent abuse, complementing our Privacy Pass work.

For Accessibility Users: Q&A and Troubleshooting Guide

Q: I'm still seeing a challenge after setting the cookie. What's causing this?
A: This is typically due to using an aggressive ad blocker or anti-cookie extension, or a setting that blocks "cross-site" cookies, in this case a cookie for hcaptcha.com that is set or checked by the hCaptcha JS on a different site, like the one you are visiting.

hCaptcha accessibility cookies work with all popular browsers and ad blockers with their standard settings, so typically failures are due to "anti-anti-adblock" scripts or similar rulesets targeting particular sites.

Solutions:

1. Whitelist hcaptcha.com and *.hcaptcha.com cookies in your ad blocker or browser security extension.
2. If you are using the Brave browser, which does not (as of April 2020) appear to have any kind of cookie whitelist, go to Preferences -> Shields -> Cookies and choose "Allow All Cookies."
3. If you are using the very latest version of Safari on either the recently released OS X 10.15 or iOS 13.4, Apple has just changed the behavior of Safari related to third-party cookies, blocking all of them by default. We are implementing a solution, but in the meantime please visit Safari Preferences, Privacy section, and uncheck "Website tracking: Prevent cross-site tracking" to enable the accessibility cookie to function as expected.

Q: I use multiple devices. Do I need to sign up multiple times?
A: No. Please click the same email login link sent to you on each device you use in order to set the cookie.

Q: How can I protect myself from third-party cookie tracking while using the accessibility cookie?
A: Using any privacy or ad-blocking extension that supports domain-level whitelisting (e.g. uBlock Origin) will work as expected: just make sure to whitelist hcaptcha.com.

Browser Instructions for Cross-Site Cookies

Safari
To enable cookies in Safari (Mac): Go to the Safari drop-down menu. Select Preferences. Click Privacy in the top panel. Under 'Block cookies' select the option 'Never.'
To enable cookies in Safari (iPhone/iPad iOS 11+): Open your Settings. Scroll down and select Safari. Under Privacy & Security, turn off "Prevent Cross-Site Tracking" and "Block All Cookies"

Firefox
Click on the shield to the left of the address bar on any webpage. Click on Protection Settings. The Firefox Preferences Privacy & Security panel will open. Under Enhanced Tracking Protection, select Custom. Choose which trackers and scripts to block by selecting those checkboxes. Make sure you have unblocked hcaptcha.com.

You can also temporarily turn off some protections in Custom to debug this, by deselecting the checkboxes: Deselect the Trackers checkbox or deselect the Cookies checkbox if you are still having issues.

Google Chrome
Google Chrome (PC)
Select the Chrome menu icon. Select Settings.
Go to Privacy and Security, then Cookies and other site data.
Make sure "Block third-party cookies" is not enabled.
‍
Google Chrome (Mac):
Open Chrome preferences from the menu bar.
Go to Privacy and Security, then Cookies and other site data.
Make sure "Block third-party cookies" is not enabled.
‍
Google Chrome (Android):
On your Android device, open the Chrome app.
At the top right, tap More and then Settings.
Tap Site Settings and then Cookies.
Next to "Cookies," switch the setting on.
Check the box next to "Allow third-party cookies."

Internet Explorer
1. Select the gear in the upper-right corner of the screen, then select "Internet Options". If you have the Menu Bar enabled, you can select "Tools" then "Internet Options".
2.  Click the "Privacy" tab.
3. Select the "Advanced" button.
4.  Under "Third-party Cookies" choose "Accept".
5. Click "OK"