Perhaps the most loathed of all Internet security measures, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) attempts to weed out bots from legitimate users by presenting a test that is easy for a human, but difficult or impossible for a computer.
CAPTCHAs are a nice idea in theory. They’re meant to keep spam comments at bay and prevent bots from harvesting email addresses. They’re also very commonplace; according to Luis von Ahn, one of the creators of CAPTCHA, about 200 million CAPTCHAs are completed every day. But they present some serious user experience problems. We tested the CAPTCHA experience with our panel, and here’s what we learned.
2. Have you ever filled out a form on
a website, and been faced with
something like what is shown in
the following video?
3 UX Problems
8. They put one extra, irritating step between users and
the tasks they want to accomplish. Plus, even the
better versions can be difficult to read.
9. ReCAPTCHA is one of the more usable and respected
CAPTCHA generators out there. With ReCAPTCHA,
users decipher scanned images of text from old books,
allowing the books to become digitized.
10. The advantage to the user is that the text is made
of actual words, not random strings of numbers and
letters.
Hard-to-read text can cause errors and slow you down even further.
This brings up the second major usability problem:
CAPTCHAs are excessively difficult for people with
visual disabilities. Some offer audio alternatives, but
those are often even harder to decipher (and pretty
scary-sounding!)
14. Beyond the usability and accessibility concerns, there’s
a disturbing flaw at the core of the whole thing.
15. The fundamental problem is that CAPTCHAs force
humans to complete undesirable tasks because of
issues that are beyond their control — and not their
fault.
Alternatives: Easy/Fun tests
19. Because completing CAPTCHAs is so unpalatable,
several more user-friendly alternatives have popped up.
Some of these, like PlayThru and Sweet Captcha,
gamify the process of proving you’re a human.
20. While playing an easy game is more
enjoyable than entering a string of text,
the games are generally not accessible
to users with visual impairments.
If an option is available at all for
visually-impaired users, it’s the scary,
difficult audio CAPTCHA from before.
21. What’s more, users are so accustomed to completing
normal CAPTCHAs, gamified alternatives can be seen
as annoying or juvenile.
22. I feel like it makes it look
unprofessional. Maybe if it were a
kids’ site, you might need animated
CAPTCHA, but if anything, it’s more of
a pain in the butt.
– Raquelmelody, United States
Member of UserTesting panel
23. Other alternatives are Text CAPTCHA and Egglue,
which ask simple questions humans can answer using
logic or intuition rather than pattern recognition alone.
Egglue uses logic questions rather than images to verify humanity.
24. NuCaptcha uses behavior analysis to assess each
visitor’s risk level. Then it assigns easy or difficult
CAPTCHAs based on how likely it is that the visitor is
a bot. Visitors who behave like humans are given very
easy tests to complete.
NuCaptcha also offers many different themes to match your site
25. The downside of these options is that they still
disrupt the user’s workflow. While they might be less
frustrating, they still create a barrier between the user
and their goal.
Alternatives: Honeypots
27. Honeypots are traps made to catch bots without ever
being noticed by human users.
The most common example is the hidden form field.
With this solution, an extra field is included in the
web form and then hidden from human users with
JavaScript or CSS. Bots, however, will still “see” the
field and fill it out. If the field is filled out, the form is
automatically rejected.
28. Honeypots aren’t perfect, though.
Visitors who use screen reader software will still
encounter the field, creating more confusion and
increasing the chances they’ll fail the test.
To work around this problem, you could label the form
field something like, “Leave this field blank,” but this is
still likely to confuse users.
Alternatives: Verified sign-in
30. Another option for confirming visitors
are human is to require them to sign
in with an account such as Facebook,
Twitter, or Disqus.
(We use Disqus for comments on the
UserTesting blog.)
31. This solution is popular for blogs because it includes
the side benefit of removing the anonymity that
mean-spirited users rely on when they leave rude or
offensive comments.
Tying comments to a social account adds a level of
responsibility that discourages trolls.
32. The obvious problem here, though, is that not all users
have the required social account.
This can be mitigated by using a service like Janrain or
Gigya that allows users to choose from a wide variety
of accounts to log in with, rather than just one or two.
34. There’s still one problem remaining with social media
solutions: many users aren’t comfortable using their
social account information to log into an unfamiliar
website.
They might be concerned that this is an invasion of
privacy, or that the website will post updates to their
account without their permission.
Alternatives: Time Stamps
36. A big difference between humans and robots is the
speed at which we complete tasks. It takes us a few
moments to read each field, decide what to input, and
then type the text.
Bots, on the other hand, can populate a form instantly.
By using time stamps on your site, you can reject forms
that are filled out too quickly.
37. This might not be secure enough to stand alone,
though, as some of the sneakier bots are programmed
to take longer to fill out forms to specifically avoid this
trap.
Plus, for returning visitors with cookies enabled, the
form may auto-populate, causing the visitor to be
wrongfully identified as a bot.
Alternatives: Checkboxes
39. One of the best solutions is to include a
client-side JavaScript checkbox that says
something like, “I am a human.”
By generating the checkbox client-side, only
legitimate users will be able to see and check
the box.
40. There are some concerns about bots that are clever
enough to read the JavaScript or CSS and work around
the checkbox solution, so additional measures could be
added for security.
41. Here are some resources to check out
if you’re interested in the checkbox solution:
• Growmap Anti Spambot Plugin for WordPress
• CodeUmbra’s tutorial on the checkbox solution
• UX Movement article in favor of the checkbox
43. What’s to do?
To determine which alternative is best for your site,
you should ask yourself why you need the additional
security measures.
For blog owners looking to prevent spam comments,
a social sign-in solution might be right — if users are
open to it.
Run tests with your users to find out if they would
actually use a verified sign-in, or if it would cause an
uproar of privacy concerns.
For e-commerce sites that need to verify a visitor’s
validity at the point of purchase, any additional steps
between the user and the purchase can reduce
conversions.
If you can use an alternative that doesn’t interfere with
the user’s workflow, you’ll stand a much better chance
of making the sale and keeping the user happy.
The very best solution is one your users never notice.
Consider using honeypots, time stamps, or checkboxes
—or a combination of these.
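One way to combine the honeypot, time stamp, and checkbox checks on the server, as an added example that is not from the original slides. The field names, thresholds, and secret are assumptions, and the time stamp is signed with an HMAC so a client cannot alter it.

```python
import hashlib
import hmac
import time

# All names and thresholds below are assumptions made for this example.
SECRET = b"replace-with-a-random-server-side-secret"
MIN_SECONDS = 3      # faster than this looks automated
MAX_SECONDS = 3600   # older tokens are treated as stale or replayed
HONEYPOT_FIELD = "website"    # hidden from humans with CSS or JavaScript
CHECKBOX_FIELD = "is_human"   # checkbox inserted by client-side JavaScript
TOKEN_FIELD = "form_token"    # hidden input carrying the signed time stamp


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Create the 'timestamp.signature' value embedded when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # Honeypot: humans never see the field, so any value means a bot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # Checkbox: the field only exists if the page's script ran and it was ticked.
    if form.get(CHECKBOX_FIELD) != "on":
        return False, "checkbox missing"
    # Time stamp: verify the signature first so the client cannot back-date it.
    ts, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    digits = ts.isascii() and ts.isdigit()
    if not digits or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad token"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submission: token issued 20 seconds before the check.
    token = issue_token(now=1_700_000_000)
    form = {"comment": "Nice post", "is_human": "on", "website": "", "form_token": token}
    print(check_submission(form, now=1_700_000_020))
```

Keep `MIN_SECONDS` small: as noted above, a form auto-populated for a returning visitor can be submitted quickly and would otherwise be rejected.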