Accessibility at hCaptcha: Current and Future Plans

hCaptcha
3 min readMar 24, 2021

--

This post discusses our ongoing work to improve the accessibility experience at hCaptcha via two major initiatives: Privacy Pass for accessibility, and text-based challenges.

Accessibility online is an important topic, and one we think about daily at hCaptcha.

With careful design and the latest improvements in assistive technology, almost every online resource can be made accessible to anyone with any kind of impairment.

However, our job at hCaptcha is to reduce automated attacks and bad actors. One of the tools we offer for online services to use in managing attacks and abuse is a humanity verification question. This creates unique challenges for accessibility.

Adding any kind of additional step to prevent abuse requires balancing security, usability and privacy. This means the simple tasks we ask users to solve are often visual in nature, as visual challenges remain one of the best options for posing questions that are simple for people but hard for machines.

Legacy CAPTCHA providers have sometimes offered audio challenges as well, but in 2021 those approaches offer minimal security: software can often solve an audio challenge as well as a person, and a screen reader or voice control user may look quite “bot-like” when entering the answer. Google’s approach to this issue is to disable audio challenges entirely if the user or subnet looks suspicious, which is not much of a solution.

In addition, these kinds of challenges entirely block people with many kinds of impairments: those who are deaf and blind, those with auditory processing or other cognitive issues, and so on.

We wanted to do something better. This is why we came up with a more universal approach to the problem: an accessibility authentication token. It acts exactly like any other two-factor authentication token, sending an email link that allows the user to bypass the challenge entirely.

This was initially implemented with an authentication cookie for simplicity of user experience, and we have gotten positive feedback on this feature from across the wider accessibility community, especially the many vision-impaired users who struggled with Google’s audio challenges.

We also developed robust models for detecting fraudulent emails and accessibility session patterns over the years, and this allows us to limit abuse of the system without needing to track anyone, while still providing a quick and low effort experience for most accessibility users.

However, that flow still requires an email address. We’re not interested in tracking people’s online activity and have no incentive to do so: we don’t run an ad network. Even though we discard all data in our system quite rapidly, getting a cryptographic guarantee of privacy is even better.

Bringing Privacy Pass to Accessibility

As we are quite focused on online privacy, we have been working hard to bring Privacy Pass support to the accessibility use case. hCaptcha is the first online humanity verification service to support Privacy Pass, and as it goes through the IETF standardization process we are working with browser vendors and others in the ecosystem to ensure it is natively integrated to provide a zero friction experience.

Privacy Pass wallet in browser.

Text-Based Challenges

In parallel, we are also working on text-based challenges to provide an in-session alternative that most people will be able to solve easily, with no email link or similar authentication step required.

This is a large project and a difficult feature to get right: we support 110 languages and hundreds of countries, meaning that questions and answers must either be straightforward and consistent across all of them, or be customized to the culture.

However, once live this feature will allow us to avoid ever having any information outside of the challenge flow while supporting the accessibility experience for many accessibility users, which is our ultimate goal.

Example of an accessible text-based challenge.

We are currently developing and beta testing these features, and expect to release at least one and likely both of these options for wider use this year.

No solution will ever be perfect, but we look forward to continuing to improve options and working with the wider accessibility community on preventing online abuse while maintaining access for everyone.

--

--