When we mentioned yesterday that one of the problems with web site CAPTCHA forms is that they aren’t accessible via screen readers for the blind or visually impaired, several readers suggested the ‘audio CAPTCHA’ buttons seen on many sites were an acceptable alternative. Unfortunately that’s not the case, as ACCAN disability policy advisor Wayne Hawkins explained to us.
Waveform picture from Shutterstock
“That’s a common misconception that audio CAPTCHA solves the problem,” Hawkins, who is blind, told Lifehacker. “Whilst one would imagine that would be the answer, those actually often are just as inaccessible.”
The biggest issue with audio CAPTCHA is actually the same as with the visual version: just as it’s often hard to see which individual letters are being used, it’s hard to distinguish individual sounds. “One of the problems with audio CAPTCHA that I’ve found is similar to the visual CAPTCHA: there’s so much noise behind the words that are being spoken you can’t identify what they are,” Hawkins said.
That noise is added to block automated recognition systems, but in this case the cure seems worse than the problem. “I pride myself on being a pretty good listener,” Hawkins said. “Because I’m blind I need to use my hearing in different ways and I find even with that very acute hearing that these audio CAPTCHAs are really difficult to understand.” In one case
A secondary problem is that audio CAPTCHAs often use numbers, but doesn’t distinguish them, so it’s impossible to know if you have to type ‘1’ or ‘one’ or ‘won’.
The solution, as we said yesterday, is to ditch CAPTCHA altogether. Sending a verification email is one solution, though that adds an extra step. Another good alternative is asking site users to solve a simple maths problem — an option that works well with screen readers, Hawkins said.
Comments
8 responses to “Why Audio CAPTCHA Doesn’t Solve Accessibility”
Captcha’s SHOULD be a web dev’s last resort tool. There are many many ways to avoid spam entirely transparently by around 90%.
It’s generally because people want the cheapest option to implement – which is usually to whack a captcha on the form. Or, they try to do it themselves because they want something free.
Don’t hate the technology anyway, which is incredibly good at what they do.. Hate the way people use them.
I really hate it when people make grand claims and provide nothing to back it up.
I have yet to see anything that comes close to CAPTCHAs spam prevention levels and it entirely transparent.
So please enlighten us.
Sure. This definitely seems like the correct place to discuss automatic submission detection in detail. You’re a smart cookie, i’m sure you can do some googling into the various nonce, CSS and JS methodologies – of which there are multiple for each.
Not withstanding the fact that some spam IS entered by users by hand, or using macros with a regular web browser which can be hard to prevent unless you physically change the layout of the form significantly (and the tab order, etc etc), you can get very respectable levels of spam reduction to a level that a simple bayesian filter will catch the rest.
Captcha’s are more for extraordinary circumstances, such as targeted attacks, and personally as a web dev of ~8 years, i’ve never had to use one for longer than 24 hours while investigating attacks. Granted, one or two pieces of spam may get through a day.. But that, vs annoying all the sites users indefinitely seems like a no brainer to me..
Akismet is a great example of this. I get about 10 spam comments a day on my blog, of which 100% are detected and removed. So far I have only had 1 false positive, out of 4051 comments to date, and that was because of the user’s poor English. I don’t use CAPTCHA for anything other than email forms, and even then its rare.
Some sites’ captchas are the bane of my existence. Always hate signing up for something and hoping like hell that the dodgy-ass page they’ve designed will have scripting powerful enough to stand up to the fact that I may need to refresh their captcha a dozen times before I get something even vaguely interpretable. (And ohmygod don’t use foreign language symbols in captchas on an english site, you punks!)
Granted the noise is a problem but there isnt much one can do about that
“impossible to know if you have to type ’1′ or ‘one’ or ‘won’.” – I dont use many audio captchas, but but i dont think any of them pronounce words so if they say “one” you type 1.
Verification email is pointless as that can be automated quite easily, it can only verify the email address existed at the time it was sent. Sure you could have a “Dont click this link it will cancel the request” and a “Click here to validate request” but that will be simple to get around as well.
Simple math problem really wouldn’t be too hard to automate either (compared to OCR), it may need to slightly tweaked for each site but eventually (eg you can even paste “1+1 * 2 =” into windows calc and it’ll spit the answer out, so to scrape the question, parse it and execute it is quite simple.
One he didn’t mention, picking objects out of a group of pictures (eg yellow truck) with object recognition that is going to be pretty simple as well.
Unfortunately to prove you are a human you have to do something computers can’t and that is getting harder and harder as technology gets better and better. Until we can all have a paywave style smart card system, that will validate a non replayable question/answer and have enough encryption to not have predicable answers over millions of questions there will be no easy fool proof way. But then privacy advocates will complain that it will be too trackable.
My mind was once blown away completely by playing an audio captcha late at night, when I was the only one home. It sounds like the devil whispering in your ear lol. Great way to scare someone.
I am partially deaf as well as being totally blind. Most of these audio captchas are impossible for me to understand. There is one other thing that bugs me just as much: poorly coded wedsites that have invisible headers (like in the reply to comments screen for this site). Both issues are of such a prime frustration for me that I usually end up taking my business (and money) elsewhere.
I am in a fight right now with my bank here in the US. They use a flash captcha that displays a question I must answer. Unfortunately, flash is 100% inaccessible to any screen reader or braille device. So, until they get the hint, I am left to spend minutes on my cell plan waiting on hold just to pay bills.
anyway, captchas shouldn’t even be considered for use on sites at all as it can be easily circumvented by hordes of low paid chinese workers whose only job is to solve them and enter them into a database.
Captcha uses a hashing system that’s based on the position and distortion of the characters, not just the letters involved. Solving them and entering them into a database is about as useful as building rainbow tables on SHA1 hashes – that is, next to useless.
Services that employ low-paid workers are usually more direct: you build a script of what you want done before and after the captcha, and they solve it in realtime and your script is automatically executed to handle the rest. That’s not a problem with captcha though – it doesn’t matter what protection system you use, that type of service will always be able to bypass it.
Captcha itself isn’t the problem. The complexity of what’s rendered is a setting that is up to the site owner, and they should be tailoring that setting to suit their customers. The audio version could certainly stand to be improved, but that’s not a reason to throw it out altogether.
Your situation is something of an edge case in terms of accessibility. We’ve made major improvements over the years with semantics (HTML5), colour blindness, full blindness and deafness, but I’m sure you can appreciate that combinations of those things can make it particularly difficult to find a solution that works for everyone. Even most alternatives to captcha being proposed tend to rely on the user being able to see, such as the ‘click the three dogs in these six images’ solution mentioned in the previous article.
Just as a quick aside, there are screen readers that are capable of accessing Flash content. The Flash content also needs to be made to support it. I don’t have a list of readers that support it for you, unfortunately, but one website suggests that JAWS and Window-Eyes at least were able to support Flash integration 10 years ago.
What about using audio the reverse way? Instead of typing in what the captcha says, you speak what it wants you to say. Of course, there are many downfalls, like the fact that speech synthesis is widely available-and free at that. I also think Google’s new mouse click captcha (I don’t know what to call it) is a great option; however, when I use my mobile device, it has to proceed to backup verification because it cant track my mouse. Lastly, isnt this post so ugly?