CAPTCHA: How to do it right (i.e. don’t use CAPTCHA)

Not convinced that CAPTCHAs are inaccessible? Read Part 1 – CAPTCHAs: Inaccessible to everyone.

Although WCAG2 does allow for CAPTCHAs, there are much more accessible alternatives, such as:

  • Human test question
  • Honeypot traps
  • Server-side spam filters and server-side validation
  • Time-stamp your forms

Human test question

Human test questions consist of a simple question and a free text field where the user must input the correct answer. Example human test questions are:

  • Is fire hot or cold?
  • Is grass green or purple?
  • Is the ocean blue or orange?

You can present the options as radio buttons or checkboxes, or you can ask people to type the right answer into a free text field.

Honeypot trap

Honeypot traps are fields that must be left blank; if anything is entered in them, the submission is rejected. They are hidden fields that most users will never see. The one group of users who can reach these fields is screen reader users, so it is important that the honeypot field is coded using LABEL FOR and ID with an informative field label such as “Please leave this field blank.”

Server-side spam filters and server-side validation

I’m not very technical and my limited technical knowledge is restricted to front-end technologies such as HTML, CSS and JavaScript, but I have it on good authority that it is possible – nay, even preferable! – to run server-side spam filters or run validation instead of implementing a client-side solution like a CAPTCHA, human test question or honeypot traps. Craig Buckley has written a great article on dealing with spam server-side.

The confirmation page

Luckily, a confirmation page also meets a Level AA requirement for user-controllable data and legal and financial transactions. Provide a confirmation screen that says “Here is your information. Are you happy to submit this?”. This additional step in the form will stop most spambots, and it’s one less AA requirement you need to think about (it’s Success Criterion 3.3.4: Error Prevention (Legal, Financial, Data)).

Time-stamp your forms

Now I mentioned I’m not very technical, so I’ll leave it to you to figure out how, but basically time-stamp your form when it is loaded and then compare this time with the time the form is submitted. If the difference is less than five seconds, then you’re probably looking at a spambot filling out the form.

Other possible solutions

Then there are really serious solutions like sending an SMS to verify you are human or requiring authentication through a third party system such as Facebook.