CAPTCHA


A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security test that distinguishes humans from robots on a website. The problem: most CAPTCHAs rely on vision or hearing, which excludes blind, visually impaired, or cognitively disabled people. Invisible alternatives exist.


You fill out a form, you click "Send"… and a wall of images appears: "Select all traffic lights." For a screen reader user, that wall is invisible. From 14 years of WebAIM surveys, CAPTCHAs remain the #1 accessibility issue reported by screen reader users.

#Why classic CAPTCHAs exclude

The visual CAPTCHA (distorted text, image grids) relies on a single sense: sight. The audio alternative, often offered as a backup, is obscured by noise to resist bots. A deaf-blind person or someone with cognitive disabilities has no option.

The W3C has documented this since 2005: any interactive CAPTCHA inherently excludes certain disabled users. reCAPTCHA v2 (the "I'm not a robot" checkbox) triggers an image test if in doubt, and its audio remains hard to understand even for hearing people. Many of these interfaces are not keyboard navigable.

#What the standards say

WCAG criterion 1.1.1 (level A) provides a specific case for CAPTCHAs: the text alternative must identify the nature of the test and describe its purpose, without solving it. The RGAA devotes two criteria to this: criterion 1.4 requires a text alternative describing the nature of the CAPTCHA, criterion 1.5 mandates an alternative access solution.

A visual CAPTCHA alone, without an alternative, is non-compliant.

#Alternatives that work

Three approaches require no visual or audio interaction:

  • Honeypot: a form field hidden with CSS. Humans don't see it. Bots fill it.
  • Behavioral scoring (reCAPTCHA v3, Cloudflare Turnstile): analyzes mouse movement and typing rhythm in the background. No puzzle to solve.
  • Proof of work: the browser performs a cryptographic calculation invisible to the user.
<!-- Honeypot: field invisible to humans -->
<div style="display: none;" aria-hidden="true">
  <label for="website">Do not fill</label>
  <input type="text" id="website" name="website" tabindex="-1" autocomplete="off">
</div>

Honeypot alone is not enough against sophisticated bots. Combine it with server-side rate limiting for solid protection without a visible CAPTCHA.

#In summary

If your form needs bot protection, favor invisible solutions. Your users should not have to prove they are human by completing a task they cannot accomplish.

Share this article

Learn more