CAPTCHA
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security test that distinguishes humans from robots on a website. The problem: most CAPTCHAs rely on vision or hearing, which excludes blind, visually impaired, or cognitively disabled people. Invisible alternatives exist.
You fill out a form, you click "Send"… and a wall of images appears: "Select all traffic lights." For a screen reader user, that wall is invisible. From 14 years of WebAIM surveys, CAPTCHAs remain the #1 accessibility issue reported by screen reader users.
#Why classic CAPTCHAs exclude
The visual CAPTCHA (distorted text, image grids) relies on a single sense: sight. The audio alternative, often offered as a backup, is obscured by noise to resist bots. A deaf-blind person or someone with cognitive disabilities has no option.
The W3C has documented this since 2005: any interactive CAPTCHA inherently excludes certain disabled users. reCAPTCHA v2 (the "I'm not a robot" checkbox) triggers an image test if in doubt, and its audio remains hard to understand even for hearing people. Many of these interfaces are not keyboard navigable.
#What the standards say
WCAG criterion 1.1.1 (level A) provides a specific case for CAPTCHAs: the text alternative must identify the nature of the test and describe its purpose, without solving it. The RGAA devotes two criteria to this: criterion 1.4 requires a text alternative describing the nature of the CAPTCHA, criterion 1.5 mandates an alternative access solution.
A visual CAPTCHA alone, without an alternative, is non-compliant.
#Alternatives that work
Three approaches require no visual or audio interaction:
- Honeypot: a form field hidden with CSS. Humans don't see it. Bots fill it.
- Behavioral scoring (reCAPTCHA v3, Cloudflare Turnstile): analyzes mouse movement and typing rhythm in the background. No puzzle to solve.
- Proof of work: the browser performs a cryptographic calculation invisible to the user.
<!-- Honeypot: field invisible to humans -->
<div style="display: none;" aria-hidden="true">
<label for="website">Do not fill</label>
<input type="text" id="website" name="website" tabindex="-1" autocomplete="off">
</div>Honeypot alone is not enough against sophisticated bots. Combine it with server-side rate limiting for solid protection without a visible CAPTCHA.
#In summary
If your form needs bot protection, favor invisible solutions. Your users should not have to prove they are human by completing a task they cannot accomplish.