hCaptcha is designed to stop bots by distinguishing them from people. Visual tests are a convenient tool for this, but not everyone can solve a visual challenge. For this reason we have designed a simple, painless alternative to let publishers using our service preserve accessibility for all with full Section 508 and WCAG 2.0 compliance.
How it works: first, an accessibility user signs up at this URL, which is linked in the hCaptcha widget info page. They are given an encrypted cookie that can be used several times per day, but must be refreshed every 24 hours via login.
When a challenge is presented to an accessibility user on any site using the hCaptcha service, they will automatically pass.
Q: Is hCaptcha Section 508 + WCAG 2.0 compliant?
A: We believe so: all users with any form of impairment who are able to browse the web and enter text on forms can access services protected by hCaptcha upon registration. However, this is not legal advice: you should perform your own evaluation, taking into consideration your particular implementation to ensure this is the case for your deployment.
Q: Are you working on other accessibility ("a11y") options, like audio?
A: Previously popular options like audio captchas discriminate against many a11y users and are easily defeated by modern machine learning techniques. This has forced current audio challenges to become more and more difficult, introducing noise, odd timing, unusual word combinations, and so on to defeat attackers. We are thus less enthusiastic about this approach vs. avoiding the challenge altogether, but will consider it if there is demand from the a11y community.
However, we are very interested in Privacy Pass for the Accessibility use case. We believe combining our current a11y approach with Privacy Pass issuance will allow a11y users to browse safely, secure in the knowledge that their traffic is more private, while restricting the abuse by bot operators that inevitably occurs when a11y options are available. We are active participants in the IETF working group standardizing this new technology.
Q: What about privacy? Does registration expose a11y browsing data in some way? What do you do with the email?
A: hCaptcha is designed for privacy from the ground up. It is very different than traditional options like reCAPTCHA that are owned by ad networks, who have an incentive to track you around the web and associate you with a real identity.
We are also currently working on a cryptographic solution to rapidly discard your email address while still preserving our ability to prevent abuse, complementing our Privacy Pass work.
For Accessibility Users: Q&A and Troubleshooting Guide
Q: I'm still seeing a challenge after setting the cookie. What's causing this?
A: This is typically due to using an aggressive ad blocker or anti-cookie extension, or a setting that blocks "cross-site" cookies, in this case a cookie for hcaptcha.com that is set or checked by the hCaptcha JS on a different site, like the one you are visiting.
hCaptcha accessibility cookies work with all popular browsers and ad blockers with their standard settings, so typically failures are due to "anti-anti-adblock" scripts or similar rulesets targeting particular sites.
1. Whitelist hcaptcha.com and *.hcaptcha.com cookies in your ad blocker or browser security extension.
2. If you are using the Brave browser, which does not (as of April 2020) appear to have any kind of cookie whitelist, go to Preferences -> Shields -> Cookies and choose "Allow All Cookies."
3. If you are using the very latest version of Safari on either the recently released OS X 10.15 or iOS 13.4, Apple has just changed the behavior of Safari related to third-party cookies, blocking all of them by default. We are implementing a solution, but in the meantime please visit Safari Preferences, Privacy section, and uncheck "Website tracking: Prevent cross-site tracking" to enable the accessibility cookie to function as expected.
Q: I use multiple devices. Do I need to sign up multiple times?
A: No. Please click the same email login link sent to you on each device you use in order to set the cookie.