This documents summarizes findings of the Research Questions Task Force that are intended to inform revision of the W3C Working Group note: Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web. All references in this document to sections apply to the 23 November 2005 Working Group Note.
Current CAPTCHA methods that rely primarily on text-based or image-based problems can be largely cracked using both complex and simple computer algorithms. Research suggests that approximately 20% of traditional CAPTCHAs can be broken using OCR algorithms (Hernández‐Castro, C. J., Barrero, D. F., & R‐Moreno, M. D., 2016)(Li, Q., 2015). In addition, pattern-matching algorithms in some instances can achieve an even higher success rate of cracking CAPTCHAs (Yan, J., & El Ahmad, A. S., 2009)(Sano, S., Otsuka, T., Itoyama, K., & Okuno, H. G., 2015). While efforts are being made to strengthen traditional CAPTCHA security, more robust security solutions run the risk of reducing the abilities for typical users to understand the CATPCHA that needs to be resolved (Nakaguro, Y., Dailey, M. N., Marukatat, S., & Makhanov, S. S., 2013).
In addition, there is currently a dominant assumption that all web users can understand the English character set, which is not the case. Examples such as Arabic and Thai demonstrate the barriers associated with CAPTCHAs based on written English and related language character sets (Tangmanee, C., 2016).
The common CAPTCHA technique of requiring the user to recognize distorted text has been found to be less reliably solved by users with learning disabilities (Gafni & Nagar).
Although auditory forms of CAPTCHA that present distorted speech create recognition difficulties for screen reader users, the accuracy with which such users can complete the CAPTCHA tasks is increased if the user interface is carefully designed to prevent screen reader audio and CAPTCHA audio from being intermixed. This can be achieved by implementing functions for controlling the audio that do not require the user to move focus away from the text response field (Bigham, J. P., & Cavender, A. C. 2009).
Experiments with a combined auditory and visual CAPTCHA requiring users to identify well known objects by recognizing either images or sounds, suggest that this technique is highly usable by screen reader users. However, its security-related properties remain to be explored (Sauer, G., Lazar, J., Hochheiser, H., & Feng, J. 2010). Furthermore, it is entirely inaccessible to users who are deaf-blind.
Anecdotal evidence suggests that the Google captcha which requires users to tick a box stating ‘I am not a robot’ is currently the most accessible CAPTCHA solution and can be completed with a variety of assistive technologies. However, there is little formalised research investigating if this is indeed the case. RQTF recommends that additional research is conducted to verify the accessibility of this solution. There is also the additional concern that the inability of completing the reCATPCHA tends to default back to a traditional inaccessible CAPTCHA.
The user of multiple devices such as a computer, smartphone, tablet and/or wearable could provide additional support for user authentication. This could assist in addressing accessibility issues by using assistive technologies on each device to confirm the user is a human and is a specific user (Cetin, C., 2015).
Some emerging CAPTCHA processes use video in which users can visually identify elements and respond in text. This poses some accessibility issues for users that cannot visually identify the elements contained in video (Catuogno, L., & Galdi, C., 2014) (Kluever, K., 2008)
There are a number of new techniques based on the identification of still images. This can include identifying whether an image is a man or a woman, or whether an image is human-shaped or avatar-shaped among other comparison solutions (Conti, M., Guarisco, C., & Spolaor, R., 2015)( Kim, J., Kim, S., Yang, J., Ryu, J.-h., & Wohn, K., 2014)( Korayem, M., 2015).
While alternative audio comparison CAPTCHAs could be provided such as using similar or different tones for comparison, the reliance on visual comparison alone would be difficult for people with vision-related disabilities
This process suggests the completion of a basic video game as a CAPTCHA. The benefits include the removal of language barriers, and multiple interface methods could potentially make such a solution accessible (Yang, T.-I., Koong, C.-S., & Tseng, C.-C., 2015). It would also have the benefit of making CAPCHAs an enjoyable process, reducing the frustrations generally associated with traditional CAPTCHAs.
A 3D representation of letters and numbers can make it more difficult for OCR software to identify, in turn making it more secure (Nguyen, V. D., Chow, Y.-W., & Susilo, W., 2014). However this solution has similar accessibility issues to traditional CPATCHas.
We recommend further exploration of the use of risk analysis techniques (as exemplified by the approach that Google have taken) to reduce the need for CAPTCHA.
[Continuous authentication and risk analysis engines could be mentioned here.]
[Suggest updating discussion of federated identity, but we don't have research on this point. Add discussion of biometrics accessibility and E.U./U.S. government requirements to section 3.5.3. Explain the growing popularity of dual-factor authentication and how it might assist with the CAPTCHA problem (is it an instance of federated identity in this context - that is, when accessing a new Web site for the first time?).]