CAPTCHA, when security takes precedence over accessibility
According to the latest WebAIM survey of screen reader users, CAPTCHAs are still the number one accessibility issue for this audience. We take a look at this technology and its impact on accessibility in general and in Luxembourg in particular.
Monday, September 22, 2025

What is a CAPTCHA?
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a test whose purpose is to differentiate human users from robots.
CAPTCHAs are most often used to prevent:
- Spam on forms that allow users to enter information without authentication;
- Website scraping, i.e., the automatic extraction of data from web pages;
- Certain brute force attacks (e.g., searching for an account password by rapidly trying a large number of possible passwords).
The classic CAPTCHA is a visual test that displays distorted text in an image, and requires the user to copy the contents of this image into a form field. This vision-based test is, of course, inaccessible to people with visual impairments unless it is accompanied by an alternative, such as audio (e.g., RAWeb criterion 1.5).

Because this test is particularly vulnerable to advances in AI, it is used less and less frequently, and other types of CAPTCHAs have been developed, such as tests requiring object recognition.

CAPTCHA Accessibility: What are the issues?
According to the latest WebAIM study conducted among screen reader users in 2024, CAPTCHAs remain the number one accessibility issue on the web for blind and visually impaired users.
Depending on the type of CAPTCHA, they can also be a problem for people who are deaf or hard of hearing (audio CAPTCHA), with motor disabilities (CAPTCHAs requiring fine motor skills to align images), or with cognitive disabilities (calculations, puzzles, etc.). Even in terms of user experience in general, this is problematic because the goal is to solve a technical problem by relying on the user, without providing any compensation.
An increasing number of CAPTCHAs attempt to detect bots transparently, that is, by analyzing browser characteristics and interaction patterns (e.g., mouse movements) to see if they correspond to what is expected of a normal user. This approach can, of course, cause problems, especially if the definition of a "normal" user does not include people with disabilities. A user of assistive technology does not navigate in the same way as a user without assistive technology. For example, screen reader users generally do not use a mouse but a keyboard to navigate the web. The CAPTCHA must therefore handle these cases and avoid discriminating against users based on their disability.
Furthermore, CAPTCHAs are most often located on the critical path of an online process, for example, on a registration form. In this case, an inaccessible CAPTCHA blocks access to the service for an entire category of the population based on their disability.
As is often mentioned, people with disabilities represent 15% of the population in Luxembourg, according to the latest STATEC study on the subject.
CAPTCHAs on Luxembourg public websites
To better understand the situation on Luxembourg public websites, we conducted a study in September 2025 using our tool capable of detecting 13 CAPTCHA solutions on the market. Out of 821 websites tested, we detected 101 sites that featured a CAPTCHA on at least one page, or approximately one in eight. Specifically, the following solutions were detected:
- reCAPTCHA on 98 sites
- Friendly Captcha on 2 sites
- hCaptcha on 1 site
Of course, it is possible that other types of CAPTCHAs are present and have not been detected. We have also manually detected inaccessible CAPTCHAs on other public websites, but this manual search makes it difficult to conduct a study on all pages of public websites known to our services.

You can find the results of this study on data.public.lu.
These CAPTCHAs are mainly present on the websites of municipalities and associations of municipalities (37), and public and related institutions (58). Central government websites (6) are generally spared, which shows that other solutions exist.
The vast majority of the websites on which we detected a CAPTCHA use Google's reCAPTCHA solution. This solution is effective but controversial because it uses each visitor's personal data, and it requires consent in Europe to comply with the GDPR.
There are three different versions of reCAPTCHA:
- v3, which is transparent, meaning it does not require any user interaction;
- v2 with a checkbox, which is well-known because it requires object recognition (crossings, fire hydrants, etc.);
- v2 invisible, which is similar to v3.
We cannot recommend using v2 because, according to the W3C's “Inaccessibility of CAPTCHA” note, it has recently suffered regressions in terms of accessibility, whether in terms of keyboard navigation or audio alternatives.
Since v3 is transparent, it does not pose any accessibility issues in itself. Problems can arise when reCAPTCHA v3 is not certain that the user is human, leaving it up to the site manager to manage this situation, which may lead the site to display a traditional inaccessible CAPTCHA or block the user.
While the transparent CAPTCHA approach is attractive, every website manager must conduct accessibility tests to ensure that users with disabilities are not at risk of being systematically blocked by these devices.
Among the 98 websites using the reCAPTCHA solution, we detected 53 sites featuring an interactive mode with object recognition provided by reCAPTCHA v2. Therefore, currently, more than half of the CAPTCHAs on public sites pose accessibility problems.
Alternatives to CAPTCHAs
Many services called CAPTCHA solvers now exist to solve CAPTCHAs for a fee. Some blind people also use the services of certain LLM programs with adequate prompts to solve CAPTCHAs, with a high success rate.
Given the limited effectiveness of CAPTCHAs, depending on the use case, other security measures may be more suitable for protecting your website while limiting the impact on users. For example, this could be a spam filter for a contact form, or a Web Application Firewall to generally protect your website from malicious requests.
The W3C, in its note “Inaccessibility of CAPTCHA”, discusses a whole series of state-of-the-art approaches that can meet these security needs without having the same negative impact on accessibility. Two types of approaches are considered:
- Interactive approaches, in which the user must perform an action to prove they are human. These approaches include multi-device authentication, somewhat similar to what is done in two-factor authentication on a website, or cryptographic identity verification, a concept developed by Cloudflare, for example, as an alternative to CAPTCHAs;
- Non-interactive approaches, which include most of the transparent CAPTCHAs mentioned above. The W3C note details different approaches (e.g., honeypot, proof-of-work) that can be combined with each other without any user impact.
A new family of CAPTCHAs is based on the proof-of-work approach (e.g., Friendly Captcha, Cap, mCaptcha, etc.) and generally yields good results in terms of both accessibility and privacy. This approach does not require any interaction, although some CAPTCHAs still require you to check a box saying "I'm not a robot." The underlying principle is to have your computer perform difficult cryptographic calculations. For a user, these calculations will take a few seconds. For a robot, if these calculations must be performed regularly, their cost will be prohibitive.
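The proof-of-work principle described above, combined with a honeypot field, can be sketched as follows. This is an added example, not code from this article or from Friendly Captcha, Cap or mCaptcha; the function names, the `honeypot` parameter, the 16-bit difficulty and the 120-second lifetime are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)   # server-side key, generated here for the example
DIFFICULTY_BITS = 16      # assumed setting: about 65,000 hashes on average
TTL_SECONDS = 120         # assumed challenge lifetime
_spent = set()            # solved challenges; use a shared store with expiry in production

def issue_challenge(now=None):
    """Server: stateless challenge 'nonce.expiry.bits.tag', authenticated with HMAC."""
    now = time.time() if now is None else now
    body = f"{os.urandom(16).hex()}.{int(now) + TTL_SECONDS}.{DIFFICULTY_BITS}"
    return f"{body}.{hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def work_hash(challenge, counter):
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()

def solve(challenge):
    """Client: no user interaction, only CPU time. Find the first valid counter."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while leading_zero_bits(work_hash(challenge, counter)) < bits:
        counter += 1
    return counter

def verify(challenge, counter, honeypot="", now=None):
    """Server: one hash to check the work, plus forgery, expiry and replay checks."""
    now = time.time() if now is None else now
    if honeypot:  # hidden form field that people never see or fill in
        return False, "honeypot"
    body, _, tag = challenge.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "forged"
    _, expiry, bits = body.split(".")  # safe to parse: the HMAC proves we issued it
    if now > int(expiry):
        return False, "expired"
    if challenge in _spent:
        return False, "replayed"
    if leading_zero_bits(work_hash(challenge, counter)) < int(bits):
        return False, "insufficient work"
    _spent.add(challenge)
    return True, "ok"
```

The honeypot field has to be hidden from assistive technologies as well as visually, otherwise screen reader users may fill it in and be rejected.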
New requirements, be prepared!
CAPTCHAs are often implemented on contact forms. Since the entry into force, on June 28, 2025, of the law of March 8, 2023 on the accessibility of products and services, these contact forms can be considered electronic communication services. Under these conditions, an inaccessible CAPTCHA on a contact page could render this service non-compliant and could expose any public or private sector organization to sanctions.
Please do not hesitate to contact the competent oversight body for the accessibility of products and services, OSAPS, if you have any questions about this.
Furthermore, CAPTCHAs that test cognitive functions will no longer be permitted on public sector websites and apps in the next update of the European standard EN 301 549, which will be published in 2026. This standard will include the new WCAG 2.2 success criterion "Accessible Authentication (Minimum)."
The principle behind this criterion is to avoid cognitive tests (puzzles, calculations) that are not accompanied, for example, by an alternative or assistance.

Visual CAPTCHAs that require object recognition are an exception to this criterion. These will, however, require a non-visual alternative.
In conclusion
In Luxembourg, approximately one in eight public websites we tested contains a CAPTCHA. More than half of the CAPTCHAs on public websites pose accessibility issues. While some proposed solutions have a low user impact (transparent CAPTCHAs, proof-of-work), it is nevertheless the responsibility of each site manager to ensure that people with disabilities will not be blocked by these devices.
If you think you may need a CAPTCHA, consider using other security systems. If you are certain that CAPTCHAs are the solution to your needs, prioritize transparent solutions and conduct tests with assistive technologies and possibly with the users concerned to ensure their compatibility.