March 23, 2021
Accessibility online is an important topic, and one we think about daily at hCaptcha.
With careful design and the latest improvements in assistive technology, almost every online resource can be made accessible to anyone with any kind of impairment.
However, our job at hCaptcha is to reduce automated attacks and bad actors. One of the tools we offer for online services to use in managing attacks and abuse is a humanity verification question. This creates unique challenges for accessibility.
Adding any kind of additional step to prevent abuse requires balancing security, usability and privacy. This means the simple tasks we ask users to solve are often visual in nature, as visual challenges remain one of the best options for posing questions that are simple for people but hard for machines.
Legacy CAPTCHA providers have sometimes offered audio challenges as well, but in 2022 those approaches offer minimal security: software can often solve an audio challenge as well as a person, and a screen reader or voice control user may look quite “bot-like” when entering the answer. Google’s approach to this issue is to disable audio challenges entirely if the user or subnet looks suspicious, which is not much of a solution.
In addition, these kinds of challenges entirely block people with many kinds of impairments: those who are deaf and blind, those with auditory processing or other cognitive issues, and so on.
We wanted to do something better. This is why we came up with a more universal approach to the problem: an accessibility authentication token. It acts exactly like any other two-factor authentication token, sending an email link that allows the user to bypass the challenge entirely.
This was initially implemented with an authentication cookie for simplicity of user experience, and we have gotten positive feedback on this feature from across the wider accessibility community, especially the many vision-impaired users who struggled with Google’s audio challenges.
We also developed robust models for detecting fraudulent emails and accessibility session patterns over the years, and this allows us to limit abuse of the system without needing to track anyone, while still providing a quick and low effort experience for most accessibility users.
However, that flow still requires an email address. We are not interested in tracking people’s online activity and have no incentive to do so: we don’t run an ad network. Even though we discard all data in our system quite rapidly, getting a cryptographic guarantee of privacy is even better.
As we are quite focused on online privacy, we have been working hard to bring Privacy Pass support to the accessibility use case. hCaptcha is the first online human verification service to support Privacy Pass, and as it goes through the IETF standardization process we are working with browser vendors and others in the ecosystem to ensure it is natively integrated to provide a zero friction experience.
Privacy Pass wallet in browser.
In parallel, we are also working on text-based challenges to provide an in-session alternative that most people will be able to solve easily, with no email link or similar authentication step required.
This is a large project and a difficult feature to get right: we support 110 languages and hundreds of countries, meaning that questions and answers must either be straightforward and consistent across all of them, or be customized to the nuances of language and culture.
However, we have made good progress on this, and the feature is now available for all Enterprise customers to enable at their discretion.
We have already seen good feedback from users, and are continuing to tune this feature as it rolls out to more and more sites. This allows us to avoid ever having any information outside of the challenge flow while supporting an accessible experience for users who could not otherwise be accommodated, which is our ultimate goal.
Example of an accessible text-based challenge. Dialog box: "What object can give the time?" Answer entered in text field: clock.
No solution will ever be perfect, but we look forward to continuing to improve options and working with the wider accessibility community on preventing online abuse while maintaining access for everyone.
