A Brief History of CAPTCHA
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It was introduced in the early 2000s by Luis von Ahn and team, initially to protect web services from spam. Soon after, von Ahn realised the absolute waste of human hours and the technology was also adapted to digitise books via crowdsourced transcription.
Early CAPTCHAs relied on visual distortions of text. These were difficult for bots to solve, but also inaccessible to people with visual or cognitive impairments. An audio alternative was added shortly after but quality and usability remained poor.
In 2007, Google acquired and rebranded the technology as reCAPTCHA. Though it reduced distortion, it still lacked meaningful accessibility support.
Then came a new wave:
- reCAPTCHA v2 (2014) introduced the now-familiar "I'm not a robot" checkbox and image grid fallback.
- reCAPTCHA v3 (2018) took a different approach, scoring user "humanness" based on behaviour, mouse movements, and other contextual signals. These systems often work without user interaction.
While technically impressive, these solutions brought a new set of concerns: profiling, user tracking, and deeper gaps in accessibility.
Types of CAPTCHA and Accessibility Issues
Visual CAPTCHAs
Visual CAPTCHAs, including distorted text or image grids, present major barriers:
- Inaccessible to users with low vision or blindness.
- Difficult for people with dyslexia, motor impairments, or cognitive conditions.
- Often confusing or frustrating even for non-disabled users.
Audio CAPTCHAs
Audio CAPTCHAs were created to address the barriers mentioned, but:
- They are often distorted or low quality.
- They may require matching to visual elements (defeating the purpose).
- They're still difficult for users with hearing loss or cognitive impairments.
Behavioural CAPTCHAs
Behavioural systems like reCAPTCHA v3 or Arkose's dynamic challenges attempt to detect bots by how users behave. However:
- Assistive tech often mimics bot-like interactions (keyboard-only, timed steps).
- Users may be incorrectly scored as suspicious.
- There is often no fallback when a low "human score" is detected.
Evaluating CAPTCHA Systems: A New Framework
To move beyond anecdotal critique, we've created a simple grading framework, assessing CAPTCHA systems across six dimensions:
Table 1: CAPTCHA Evaluation Criteria
| Criteria | Focus |
|---|---|
| Perceivable | Can all users detect or sense the challenge (e.g. visually, audibly, tactilely)? |
| Operable | Can it be used with various inputs (keyboard, switch device, voice)? |
| Understandable | Are instructions clear and cognitively accessible? |
| Robust | Does it work reliably across assistive tech, browsers, and platforms? |
| Privacy | Does it avoid unnecessary tracking or data collection? |
| User Experience Impact | Does it add friction or interrupt user flow? |
Table 2: CAPTCHA System Comparison
Note: the table may be too wide when displayed on smaller screens, ensure you scroll horizontally to see the full outcome.
| CAPTCHA System | Final Grade | Perceivable | Operable | Understandable | Robust | Privacy | UX Impact |
|---|---|---|---|---|---|---|---|
| Traditional CAPTCHA (text/image) | F+ | Not accessible | Not accessible | Not accessible | Accessible | Not accessible | Not accessible |
| reCAPTCHA v2 (checkbox + images) | E | Partial | Partial | Not accessible | Not accessible | Not accessible | Partial |
| Arkose Labs (cognitive puzzles) | E | Partial | Not accessible | Not accessible | ✅ | Not accessible | Not accessible |
| hCaptcha (image-based, optional a11y config) | C | Accessible | Partial | ❌ | Accessible | ❌ | Accessible |
| reCAPTCHA v3 (invisible scoring) | B | Accessible | Accessible | Partial | ❌ | Accessible | Accessible |
| Honeypot fields (hidden fields for bots) | A | Accessible | Accessible | Accessible | Accessible | Partial | Accessible |
| Cloudflare Turnstile (lightweight, invisible) | A+ | Accessible | Accessible | Accessible | Accessible | Accessible | Accessible |
Recommendations
It's time to raise the bar for authentication tools. Security and accessibility are not mutually exclusive. Systems like Cloudflare Turnstile and honeypots demonstrate that it's possible to protect user forms while keeping the experience inclusive and privacy-respecting.
If an invisible behavioural system is required, reCAPTCHA v3 - despite its privacy concerns - performs significantly better in accessibility than image-based solutions.
But for those prioritising inclusive design, Turnstile and honeypots stand out as clear choices.
It's also worth acknowledging the rapid pace of AI advancement. Many visual or logic-based CAPTCHA systems are increasingly ineffective, often bypassed by the very bots they aim to stop.
CAPTCHAs shouldn't be the gatekeepers of the web. The goal of security isn't just to keep bots out but also to keep humans in. That includes humans using screen readers, switch devices, voice navigation, or needing a bit more time to process a challenge. If you've decided these users should be locked out, it sends a clear message.
As we build tools to protect digital spaces, let's ensure we aren't locking people out in the process.
Looking to replace your CAPTCHA with something better? Why not get in contact and have a chat, or sign up for the A11Y Boost newsletter for future recommendations and insights.
Stay Updated
Subscribe to our newsletter for the latest accessibility tips and updates. We promise to not annoy you; we'll only send the important things.