hCaptcha is unaccessible, why claim otherwise?

CloudFlare has recently put out a blog post explaining its movement to a new CAPTCHA service, reCAPTCHA: https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/
In it I saw this text referring to hCaptcha: “3) it has a robust solution for visually impaired and other users with accessibility challenges”
This is false and I’m confused as to why this is written here.

As a demonstration, load up this page on your browser: https://www.google.com/recaptcha/api2/demo
Using a screen reader and only keyboard input I can:

  • Find a checkbox saying ‘I’m not a robot’
  • Press space to open the dialog and find ‘get an audio challenge’ is selected already
  • Press space to listen to an audio CAPTCHA
  • Tab and enter the text or tab more to get a new CAPTCHA
  • Alternatively use tab to select images of bicycles
  • While this dialog is open, tabbing does not leave it
  • Succeed after a few times and get the checkbox ticked
  • Hit the ‘Submit’ button successfuly

There’s an info button. If I click it it gives me information explaining how to solve the CAPTCHA and a link to learn more. Clicking it opens the link in a new tab.

With hCAPTCHA, load up this page: https://www.hcaptcha.com/
Using only keyboard input I can:

  • Find a checkbox saying ‘I am human’
  • Press space and have the dialog pop up
  • Be unable to focus it using just the keyboard
  • I can’t solve the CAPTCHA unless I have a mouse or pointing device
    With using a screen reader I can:
  • Find a checkbox saying ‘I am human’
  • Press space and have the dialog pop up
  • Be unable to focus it using the tab key
  • Be able to browse it by using the arrow keys in screen reader browse mode
  • Hear a lot of ‘clickables’
  • Moving around gives me the option ‘Please click each image containing a bus’
  • Moving around gives the ‘skip’ option
  • I cannot use solve the CAPTCHA

With my eyes and functioning limbs I can click the info button to get accessibility options, but Firefox blocks it from opening as it detects it as a pop-up window.

Opening the accessibility options link shows a block of text with a low contrast almost hidden link titled ‘this URL’ which will let me sign up to hCAPTCHA. This page is separate to the regular signup page as it does not require a CAPTCHA. The main signup page is inaccessible.

With using a screen reader and keyboard I can:

  • Load the page
  • Get told the page is about page maintenance. Nothing on the page visible is read out out loud
  • The window title is ‘hCaptcha’. I would assume this was a server error if I was blind
  • Up/down in browse mode does not tell me anything more is on the page
  • Hitting tab tells me ‘Email entry’
  • Hitting tab tells me say ‘Country/Region Entry’
  • I’m not informed about the list I can cycle through using up or down
  • Hitting submit announces nothing and I cannot read the ‘Please complete the form text.’
  • I still have no idea or incentive to even do any of this because I’m never told the text ‘Sign Up’

I do want to note at this point that this page is slow, leading the page to not talk sometimes or for the Country/Region Entry to not work at all. You have to wait 10 seconds for the ‘Country/Region Entry’ box to declare itself on my Thinkpad T400 so the first few times I tabbed past it without even knowing it was accessible. Sometimes the page just showing ‘Still Loading’ for 30 seconds then not announce anything on the page. Then after writing all that the page suddenly became screen readable aside from the ‘Please complete the form text.’ Sometimes if I used browse mode and moved the wrong way the dropdown would show up but it wouldn’t let me select stuff. This simple web form is horrendously broken.

After doing all that I received an email giving me a link I should click if I get CAPTCHAs. I click it and can use the keyboard to click ‘set cookie’. Finally I go to https://hcaptcha.com/ and I can check the checkbox!

But if I use another browser or device I have to set the cookie in each device and keep doing this when it stops working.
If one of these doesn’t let me set cookies or use other URLs (I’m imagining a phone app) then I can’t pass the CAPTCHA.
If one of these blocks third party cookies for privacy/tracking reasons then I can’t pass the CAPTCHA on other sites.
If I use Tor Browser or any browser that isolates third party cookies then I can’t pass the CAPTCHA on the other sites.

The solution CloudFlare has chosen doesn’t work, is not robust, and removes the ability for disabled people to use the Internet. It’s a step down from reCAPTCHA and it’s shameful that a company would implement this knowing it’s inaccessible (or failed to do a 5 minute test to see if it was accessible using even just the keyboard) then push unsubstantiated claims on their blog post introducing this new anti-feature.

Hi there,

We link directly to the accessibility signup page in many places, but appreciate your suggestions.

As a practical matter, Google disables accessibility options entirely if your IP/traffic looks at all suspicious; this is in fact a much more robust solution.

In all the time we have supported this accessibility option that we have seen a steady stream of registrations (approximately proportional in number to the percentage of the population we’d expect) and received only a handful of support requests from visually impaired or otherwise disabled users, implying the approach we took does in general work for them.

1 Like

I don’t think that’s an acceptable response. Your CAPTCHA requires people to sign up to your service because you haven’t implemented proper keyboard support and it’s unclear that there even are accessibility options that can be used to sign up from the CAPTCHA itself. You can’t even tell it’s a hCaptcha from a screen reader unless you click the Privacy/Terms button which is very similiar to reCAPTCHA

Hi jookia,

So to summarize your suggestions:

  1. review iframe tags to make sure it’s really obvious that this is a captcha
  2. improve contrast/placement of signup link on accessibility page
  3. change title of accessibility signup link to be more descriptive
  4. review screen reader interaction paths on challenge (but note that our goal is to get that accessibility user into the accessibility flow, not to optimize for a screen reader picking bicycles; the majority of this user population will not benefit from that.)

These all sound reasonable. Did I miss anything?

4 Likes

I think those are accurate suggestions based on what I’ve complained about (and thanks for listening). I didn’t meant to give any concrete suggestions, but if you’re interested here they are:

  1. Test and ensure hCaptcha works with only keyboard use for people that can’t use pointing devices yet can still see things. You shouldn’t need any extra tools for this.
  2. Test and ensure hCaptcha can be navigated using a screen reader like NVDA on Windows or Orca on Linux. You don’t need to learn any fancy keybindings, just do what you do in case 1 and listen instead of looking at the screen. Beware that screen readers intercept browser keypresses for navigation as ‘browse mode’ so you will need compensate for this with accessibility tags.

Any changes should flow naturally from that. WCAG guidelines and for custom widgets like the CAPTCHA box you will need to annotate your elements with ARIA roles to aid in focusing and having the screen reader understand what things are like drop down boxes.

Explaining to the user the how the accessibility system works too, specifically with third party cookies. Browsers right now seem to be okay with them but there’s a trend to go more towards privacy cross-site cookies are seen as tracking and isolated or disabled in some browsers or by privacy conscious people. Having some indicator to people that cookies are working even if the token is expired would be helpful instead of just having another CAPTCHA.

I see that hCAPTCHA supports Privacy Pass. When it works on my browser it fixes this third party cookie issue when I solve a CAPTCHA as it doesn’t use cookies. Maybe this could be used as well as third-party cookies for giving disabled people cookies.

OK, appreciate the suggestions. We’ve pushed out updates for #2-3 in my previous list, and scheduled some time in the current sprint to review the screen reader experience again and see what else to update.

Using Privacy Pass for accessibility is indeed something we’ve been thinking about for a while. Native browser support is likely coming, but we decided that asking accessibility users to install a browser extension was too much work compared to the “click email link, click Set Cookie” flow.

1 Like

I’m very glad to hear this and I hope to look forward to hearing more about updates to accessibility regarding hCaptcha in the future. After what you’ve told me regarding more robust accessibility, I’m starting to agree given that your solution should in theory work for deafblind folks since it skips solving CAPTCHAs at all. Thank you for your time.

This thread was (is?) going to automatically close in 2 days, so I thought it might be time for a status update. All of my complaints have been fixed

I’m surprised at how accessible it is now. Not only is it completely navigable by keyboard every element reads properly to a screen reader. On top of that the interface hints about accessibility options on certain links. Furthermore the sign up interface is MUCH more understandable and asks for less information when signing up (just an email now!) It explains cookies to you and some common browser issues too. That’s above and beyond and I’m really impressed and grateful.

I do have a few major issues:

  • The CAPTCHA popup closes if you don’t give it input. It’s annoying and doesn’t seem to serve much purpose?
  • It’s unclear how to close the CAPTCHA menu. There’s no exit button, and I’m not informed you can close it by pressing ESC. People using only keyboard navigation may get be unable to close it
  • The focus element upon opening is the first CAPTCHA selectable element. You have to tab a lot before you can find/hear the info menu. Maybe it would be good to mimic’s reCAPTCHA’s setup where it focuses you on ‘audio challenge’ but instead it could be ‘accessibility options’ that just links you to the page without having to go through the info menu
  • The info dialog’s info text sometimes doesn’t speak to the screen reader or the hcaptcha.com link
  • The info dialog’s feedback menu doesn’t explain what the options are
  • The info dialog’s feedback checkboxes don’t show any indication of focus

I have some minor issues too:

  • The middle hCaptcha logo at the bottom of the CAPTCHA is unselectable even though you can select it with a mouse. I’m not sure if this is an issue?
  • The info dialog has a focusable empty line after tabbing past the close button
  • The info dialog’s X button focus highlight/ring is very difficult to see
  • The info dialog lets you focus the info text and the ‘Having a problem’ text even though they aren’t clickable
  • The info dialog’s feedback lets you focus the entire thing but selecting it just selects the ‘Too difficult’ checkbox

But to stress, it is now possible to use the CAPTCHA with a keyboard and/or a screen reader. And it’s also extremely good to know that hCaptcha cares about accessibility and has shown this by fixing accessibility bugs. Thank you!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.