WCAG 2.2 Accessible Authentication: clarification on whether this includes CAPTCHAs #1256

Closed
fstrr opened this issue Aug 4, 2020 · 29 comments · Fixed by #1611
Labels
3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) Member Comment Survey - Ready for WCAG 2.2
Comments

@fstrr (Contributor) commented Aug 4, 2020

The SC states

"If an authentication process relies on a cognitive function test, at least one other method must also be available that does not rely on a cognitive function test"

The definition of "cognitive function test" includes:

"memorization, such as remembering a username, password, set of characters, images, or patterns".

Would a CAPTCHA implementation that involves "select all the pictures of traffic signals" (or similar) fall under memorization of images?

@fstrr fstrr added the WCAG 2.2 label Aug 4, 2020
@patrickhlauke (Member)

it's not memorization per se though. more pattern/image recognition. and would fail 1.1.1 already, most likely?

@fstrr (Contributor, Author) commented Aug 4, 2020

That's mostly what I'm thinking about 1.1.1, but could the argument be made that image recognition relies on remembering what a traffic signal / pedestrian crossing / tree, etc. is?

@patrickhlauke (Member) commented Aug 4, 2020

i'd say that's probably stretching the definition a bit. rather, if the definition intended to cover those type of CAPTCHAs, then a separate example/bullet should be added to the definition, as a different kind of cognition test, that explicitly calls this out (rather than trying to bend the logic of what memorization means)

@fstrr (Contributor, Author) commented Aug 4, 2020

Agreed that it feels like a bit of a stretch. Maybe adding a note to the Understanding document that CAPTCHAs aren't relevant but are covered under 1.1.1 would be an idea.

@JaninaSajka (Contributor)

There are a number of ways to fail any of several WCAG guidelines. This example is but one way. The root problem in this example is that it seems to be the only available CAPTCHA test, and providing only one way to pass a CAPTCHA is as fundamental a failure as accepting only mouse clicks--but not key presses. Please note that W3C published an updated Note: Inaccessibility of CAPTCHA in 2019. APA has requested that AGWG sync up 2.2 with the guidance in that note, but that seems to have gotten lost in other work?

@patrickhlauke (Member)

the point is whether 2.2 accessible authentication does or doesn't cover CAPTCHAs in general, or CAPTCHAs that involve shape/image recognition (not "memorization" per se), and if the answer is yes, that the "cognitive function test" normative definition should really spell this out too. while yes, that definition doesn't need to show all possible types of cognitive function test, the fact that it's not clear whether CAPTCHAs/these types of CAPTCHAs count or not is a good reason to either explicitly include (if it was intended to be covered) or exclude (if not) them in the definition - otherwise we'll end up with exactly the sort of conversation we're having here, among web devs out in the wild ("does this cover this CAPTCHA or not?")

@JohnRochfordUMMS

Hi All. I am the primary author of the Accessible Authentication SC, its understanding doc, and its issue paper. Yes, the intention, since I wrote the original issue paper in 2014, has always been to cover CAPTCHA. That is clear in the most recent issue paper. John

@JohnRochfordUMMS

Hi All. About whether or not the presentation of CAPTCHA images constitute a cognitive function test: Research has shown that, for people with learning disabilities, CAPTCHA images can cause confusion in part because they can be interpreted as having different meanings. John

@patrickhlauke (Member)

in which case, this could really do with being made explicit in the understanding document / the normative glossary definition for "cognitive function test" https://www.w3.org/WAI/WCAG21/Understanding/accessible-authentication as currently that's not clear

@alastc (Contributor) commented Aug 6, 2020

There are quite a few different types of captcha and some are clearly covered by cognitive function test such as:

  • Transcribing (oddly spaced) characters.
  • Calculations / puzzles

For the Google re-captcha approach that shows 9 images and says "pick the ones with taxis" (or something), I'm a little hesitant to say that would be covered by the definition. Partly because it showed 3 images with yellow New York cabs. I almost missed that due to cultural/localisation issues (our taxis are black or blue). I.e. it's not very good for non-disability reasons as well.

@JohnRochfordUMMS - I couldn't see anything in the paper about these image-recognition style CAPTCHAs?
I would guess that they are harder for folks with some types of cognitive impairment, but is there anything more solid?

It seems a big stretch to call that "memorisation", or a "puzzle". It is also tricky because the type of question varies, it could be asking you to recognise bridges, or cars (which is simple enough?) but other questions might trip over cultural or other issues?

Also, I'm afraid there are significant and legitimate business reasons for including a CAPTCHA. I run a website which includes registration and I've been through all the alternatives. There are bots which are scripted to:

  • Avoid honeypots (customised per-site),
  • take their time,
  • provide random (but legitimate looking) names,
  • provide random (but legitimate) emails,
  • come from different IPs,
  • include CSRF tokens.

It is whack-a-mole, and the site keeps getting banned from sending emails because the spam-bots generate so many registration emails to random addresses. That is enough of a problem to need to do something about it.

In my case I'm considering removing automatic registration, but we only have ~2000 members, that wouldn't work at scale. Using a 3rd party service that is prepared to play whack-a-mole on my behalf is very tempting.

The reason I bring that up is: What would they move to if this 9-square image thing were 'banned', and would that be worse?

@JohnRochfordUMMS

Hi @alastc.

Yes, here is the research to which I previously referred: "CAPTCHA: Impact on User Experience of Users with Learning Disabilities".

I'm sorry I can't help you with your website troubles. I guess it's not so good to be so popular!

John

@patrickhlauke (Member) commented Aug 6, 2020

Also, I'm afraid there are significant and legitimate business reasons for including a CAPTCHA. I run a website which includes registration and I've been through all the alternatives

but correct me if I'm wrong, this SC does not apply to registration (setting up a new account), or even things like comment forms on blogs or similar, but to an authentication process, i.e. login, no? the understanding document seems to support this too, as it talks at length about login.

@JohnRochfordUMMS

Hi @patrickhlauke

That's a fair interpretation: authentication is verifying the identity of a user (after registration). However, if a comment form on a blog requires authentication, as many do, the AA SC applies.

John

@alastc (Contributor) commented Aug 7, 2020

@JohnRochfordUMMS thanks, and that research said:

"Picture-based CAPTCHA tests do not pose many of the problems faced by users with learning disabilities"

It seems like one of the better approaches, at least from a COGA point of view. There was another reference I can't get access to though.

Oh, and it's not that the website is particularly popular, I think it happens to any site with a registration :-/

@patrickhlauke Good point, it is authentication, but I still come across logins with CAPTCHA occasionally, it's worth working out the answer about scope.

@alastc (Contributor) commented Aug 7, 2020

@JohnRochfordUMMS - If a blog requires an email & CAPTCHA to comment, I don't think that's authentication because it does not take any action to establish your identity is correct. If you haven't registered information previously, how can it be authenticating that information?

@JohnRochfordUMMS commented Aug 7, 2020

@alastc About the research, I made a mistake. I was referring to the article, "A User-friendly Image-Text Fusion CAPTCHA for Secure Web Services" referenced by "CAPTCHA: Impact on User Experience of Users with Learning Disabilities." I have the User-friendly article. Please let me know if you would like me to share it with you.

About the blog authentication, I am referring to the common practice of requiring authentication, typically through third-party services such as OAuth and OpenID, to mitigate/help reduce vitriolic comments.

@ghost commented Aug 11, 2020

The specification notes that cognitive tasks can include:

  • performance of calculations. Some CAPTCHAs are maths based.
  • solving of puzzles. Arguably, ones which require that you visually work out which cells contain a certain object count. I can struggle with this due to working memory problems. For example, remembering what it was I was looking for, particularly when I have to do 2-3 of them. Sometimes, they are US-centric and there is a cognitive task involved in working out what they mean. For example, identify all the crosswalks.
  • transcription, such as typing in characters. You have to do this with audio ones. As well, some that ask you to type the distorted word on the screen. It might seem like a no-brainer. But the experience for me is "oh, it's that word. I need to type that out". Rather than just copying straight from the CAPTCHA, as it is too distorted to do so.

While it might be stretching the definition, it notes "but are not limited to", implying that it can be stretched.

And more generally, one could argue that from a cognitive POV, a no-brainer for someone else might be a puzzle for someone, such as myself, with short term working memory challenges.

Since using autofill (thanks identify input purpose) I've noticed that I much more often see CAPTCHAs when logging into websites. In these cases, it seems like the authentication process would need some non-CAPTCHA alternative.

But at the same time, non-text content says "However, [captchas] are widely used, and the Web Content Accessibility Guidelines Working Group believes that if CAPTCHAs were forbidden outright, Web sites would choose not to conform to WCAG rather than abandon CAPTCHA.".

So it does seem like it needs to be a bit more clear and consistent between success criteria. And while I do struggle with them, I do not think that they should be outlawed at level AA (assuming at least two modalities).

@alastc alastc added this to To do in WCAG 2.2 Aug 19, 2020
@alastc alastc added the 3.3.7 Accessible Authentication deprectated - use 3.3.8 Accessible Authentication (Minimum) label Aug 25, 2020
@alastc (Contributor) commented Sep 14, 2020

Noting there are other issues which will impact the definition of cognitive function test, I suggest a minor clarification in the understanding.

Going back to the original question:

Would a CAPTCHA implementation that involves "select all the pictures of traffic signals" (or similar) fall under memorization of images?

I think the conceptual difference between memorization/puzzles and the reCAPTCHA example is that the information needed is not specific to the site. I.e. Asking to recognize objects from everyday life is different from asking you to memorise something for this site.

The only bit in the understanding that I think causes confusion is this line from the intent:

Cognitive function tests are known to be problematic for many people with cognitive disabilities. Whether it is remembering random strings of characters, a pattern gesture to perform on a touch screen, or identifying which images include a particular object, this form of test will exclude some people.

I suggest replacing "identifying which images include a particular object" with "performing a calculation".

@alastc (Contributor) commented Sep 22, 2020

Hi everyone, after the discussion today it seemed like we agreed on the survey question, and the next step was to update the understanding document.

I'm proposing this addition to the Intent section, any suggestions?

If a CAPTCHA is used as part of an authentication process, there must be a method that does not include a cognitive function test. If the test is based on something the website has set such as remembering or transcribing a word, or recognizing a picture the website provided, that would be a cognitive functional test. Recognizing common objects, or a picture the user has provided, would not be a cognitive functional test.

@patrickhlauke (Member)

Wondering if "Recognizing common objects" isn't a bit subjective here? Anecdotally, I've heard of users being stumped by those reCAPTCHA challenges that ask you to choose all the pictures with a taxi, but not realising that it's the classic US yellow taxis that were meant, which may not be obvious to, say, a UK user who is familiar with black cabs.

@ghost commented Sep 23, 2020

I agree with @patrickhlauke. I think that @alastc is on the right track, but that the line between "recognizing a picture the website provided" and "Recognizing common objects" is subjective.

It seems like it might be something similar to Non-Text Content, where there is an explanation that CAPTCHA are a somewhat unique case and some normative steering (e.g. in scope for ones that are objectively cognitive tests, e.g. performing a calculation; but not for more fuzzy ones, e.g. object recognition, which are covered at AAA.).

@mraccess77 commented Sep 23, 2020

I've seen a few issues with CAPTCHAs.

  • Google's CAPTCHA asks me to select all the "cars" I did - but could not pass. Selecting the truck as well allowed me to pass. A truck is not a car.
  • Alternatives for visual CAPTCHAs tend to be audio. Both options are very difficult or impossible for people who are both blind/low vision and deaf/hard of hearing.
  • CAPTCHA images aren't clear and obvious. They tend to be things that are hidden or unclear that require finding objects out of clutter (on purpose I'm sure) but this makes the object identification task very difficult.

@alastc (Contributor) commented Sep 23, 2020

I did wonder about putting in a caveat about "cultural references". In the group discussion it was mentioned, but no-one argued when I said it should probably count as a non-accessibility issue, i.e. it affects everyone.

Do you think it would help to add something like this?

...Recognizing common objects, or a picture the user has provided, would not be a cognitive functional test. Some forms of object recognition may require an understanding of a particular culture. For example, taxis can appear differently in different locales. This is an issue for many people, including people with disabilities, but it is not considered an accessibility-specific issue.

@alastc (Contributor) commented Sep 23, 2020

@mraccess77 good points, but in this case we are trying to find the line of what is a cognitive functional test as it relates to CAPTCHAS.

Crap captchas (e.g. the car vs van) affect everyone, although I'm sure it's a level-up if you have certain disabilities.

It is fairly rare for a captcha to be used for authentication, they are usually on the registration. However, it is possible they can be used with logins (e.g. as a simple anti-dictionary attack method), or a variant can be used as a second factor. E.g. pick your cat picture out of these 9 pictures.

Plus we already have 1.1.1 for the image case, I bet the taxi/van/car variants do not have suitable alt text!

@mraccess77

In my experience, CAPTCHAs for authentication pop up often after a few failed attempts. So you may not see them if you use a password manager or know your passwords. So we may need to consider this fact in our test procedure.

@alastc (Contributor) commented Sep 24, 2020

Hi @mraccess77, good point, I also just came across one for gathercontent that pops up on-submit of your username/password, probably dependent on whether it thinks you are a bot or not. As I have some ad-blockers / privacy tools, I tend to trigger the "bot" part of that quite a lot!

I think it's covered normatively, as any scenario which can bring up a captcha is in scope in general, but could you recommend some text for the understanding doc?

@mraccess77

Proposed wording for understanding doc
Those testing this criterion need to keep in mind that CAPTCHAs and cognitive function tests used for authentication may only appear in certain situations such as when ad blockers are present or after repeated incorrect password entry, etc. This criterion applies when these tests are used regardless of whether they are used on each authentication or only triggered by specific situations.

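An added example, modelled in Python, of the situation this comment and the earlier point about CAPTCHAs as an anti-dictionary-attack measure on login describe: the challenge is gated on a per-account failure counter and on bot-likeness heuristics, so a tester who logs in once cleanly never sees it, and the test procedure has to drive those conditions and then confirm that a path without a cognitive function test is still offered. This is not code from the thread, the WCAG repository, or any CAPTCHA vendor; the user store, the three-failure threshold, the bot-signal names and the list of authentication methods are constructed assumptions.

```python
from dataclasses import dataclass, field
import hmac

# Constructed demo credential store. Plaintext only to keep the example short;
# a real store holds salted password hashes.
USERS = {"alice": "correct horse battery staple"}

FAILED_ATTEMPTS_BEFORE_CAPTCHA = 3                        # hypothetical threshold
BOT_SIGNALS = {"no_js", "headless_ua", "known_bot_asn"}   # hypothetical heuristics


@dataclass
class AuthMethod:
    name: str
    # True if the method relies on a cognitive function test as the SC defines it
    # (memorization, transcription, calculation, puzzle, or recognizing something
    # the website chose); False for e.g. a one-time link or a passkey.
    cognitive_function_test: bool


@dataclass
class LoginService:
    failures: dict = field(default_factory=dict)
    methods: list = field(default_factory=lambda: [
        AuthMethod("password form, with an image-grid CAPTCHA when challenged", True),
        AuthMethod("one-time sign-in link sent to the registered email", False),
    ])

    def challenge_required(self, username, bot_signals=frozenset()):
        """The CAPTCHA is shown only after repeated failures or on bot-like
        signals, which is why a tester who logs in cleanly may never see it."""
        if self.failures.get(username, 0) >= FAILED_ATTEMPTS_BEFORE_CAPTCHA:
            return True
        return bool(set(bot_signals) & BOT_SIGNALS)

    def login(self, username, password, captcha_solved=False, bot_signals=frozenset()):
        """Return 'ok', 'bad_credentials' or 'captcha_required'."""
        if self.challenge_required(username, bot_signals) and not captcha_solved:
            return "captcha_required"
        expected = USERS.get(username, "")
        # Constant-time compare, run even for unknown users so response timing
        # does not reveal whether the username exists.
        valid = hmac.compare_digest(expected.encode(), password.encode()) and username in USERS
        if valid:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "bad_credentials"


def non_cognitive_path_exists(service):
    """The check the SC asks for: at least one available method must not rely
    on a cognitive function test, even when the CAPTCHA has been triggered."""
    return any(not m.cognitive_function_test for m in service.methods)


def exercise_trigger_paths(username="alice"):
    """Drive each condition under which the CAPTCHA can appear, so the test
    procedure does not stop after one clean login. Returns scenario -> shown."""
    results = {}
    svc = LoginService()
    results["clean_first_attempt"] = svc.challenge_required(username)
    for _ in range(FAILED_ATTEMPTS_BEFORE_CAPTCHA):
        svc.login(username, "wrong password")
    results["after_repeated_failures"] = svc.challenge_required(username)
    results["bot_like_client"] = LoginService().challenge_required(username, {"headless_ua"})
    results["non_cognitive_alternative"] = non_cognitive_path_exists(svc)
    return results


if __name__ == "__main__":
    for scenario, shown in exercise_trigger_paths().items():
        print(f"{scenario}: {shown}")
```

The point of `exercise_trigger_paths` is the one the proposed wording makes: a single successful login from a trusted browser reports no CAPTCHA at all, and only by feeding wrong passwords and bot-like signals does the gated challenge surface, at which stage the `non_cognitive_path_exists` check is what decides conformance.
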
@mraccess77

The challenge I see with recognizing common objects is that they are hidden in the environment. It's not as simple as seeing an apple on a white background. It's a fire hydrant in the grass that is hidden next to a vehicle with many other things in the picture meant to throw off the user. Essentially even though the object is common it's really a cognitive test to sort out all of the other objects.

@alastc (Contributor) commented Jan 29, 2021

PR ready for review in #1611
