Bob, a participant on the grc.securitynow newsgroup, has devised another good example of a simple text based challenge response system that could permit a reasonable level of protection for many blogs and other web sites. Please check out his contact form and use it to provide feedback.
Andy Schlaikjer, a Ph.D student at Carnegie Mellon University, has asked us to carry the following announcement:
I’m conducting a study to aid my research and development of a new form of audio CAPTCHA. If you’d like to participate, please visit the Audio reCAPTCHA study web site.
A CAPTCHA is a special kind of test which can be used to tell humans and computers apart. Many web sites use CAPTCHA’s to combat fraud and automated access to their services. Unfortunately, most CAPTCHA’s are based on a visual task, such as recognizing distorted letters in an image. Such a task can be quite difficult, or impossible, for visually impaired human users to perform.
In an attempt to alleviate this accessibility concern, audio-based CAPTCHA’s have been developed which require users to listen to and transcribe a short audio clip containing a series of random spoken digits. However, performance of state-of-the-art Automatic Speech Recognition technology suggests that this approach may not represent a very strong CAPTCHA in practice. Additionally, the data collected from such a test may only be used to determine the authenticity of the user, and is normally discarded once the test has been performed.
The goals of my research are (1) to develop a stronger form of audio CAPTCHA, (2) create a CAPTCHA which collects useful data, and (3) to strengthen support and adoption of audio-based CAPTCHA’s on the Web. To these ends, I am developing a new audio CAPTCHA based on a more complex task: Transcription of arbitrary speech. For more information, please contact me, or visit the study web site at the URL mentioned above.
Cheers,
Andy Schlaikjer
While we appreciate the new found consideration of accessibility by the people at Carnegie Mellon University, with respect to CAPTCHA, and recognize that audio CAPTCHA is the current state of the art, the considerable ongoing research in this area ought to bring all of us to one concern, which we must ultimately address. Audio CAPTCHA, like its visual cousin, inherently denies access to the deaf and hearing impaired population. This means that the presentation of both an audio and visual CAPTCHA continues to lock out those people whom happen to be both blind and deaf. It seems to us that greater focus ought to be placed, instead, on the development of a highly secure, non-sensory challenge response system that does not inherently discriminate against any legitimate human being, regardless of disability.
Since the reCAPTCHA team has taken considerable steps to improve the accessibility and usability of their current audio CAPTCHA scheme, let’s all help Andy with his study. At the same time, let us all remind CMU and others that, in the long run, audio and visual CAPTCHA does not afford equal access and full participation to all human beings. Instead, it is absolutely critical that a better method of authentication and authorization be devised.
Sarah Alawami has started a petition asking MySpace to make their CAPTCHA accessible to the blind and visually impaired. We ask you to sign this important petition right away!
We have received a request from one of the ReCAPTCHA programmers to perform some testing in an attempt to improve the usability of their audio playback alternative. Once again, this is our opportunity to provide feedback that can result in a direct increase in the accessibility of CAPTCHA. Let’s all step up to the plate this time!
Please complete the following steps, noting the answers to all questions presented:
The ReCAPTCHA people really want to make sure their service works for as many users as possible, so let’s all step up to the challenge and get them as many high quality test results as possible.
We have received numerous reports from blind users who are unable to use Twitter’s audio CAPTCHA for the past several days. We ask as many of you as possible to visit Twitter, try the audio CAPTCHA and report your results in this ticket opened with Twitter’s customer support team. If you’re already signed into Twitter, it will be necessary to sign out in order to try the audio CAPTCHA again.
If you’re blind or severely visually impaired, imagine that you wake up one day to find…
We should be afraid, be very afraid, of the clear and present danger posed by inaccessible CAPTCHA, visual only multifactor authentication schemes and other technologies that do not reasonably accomodate our needs. Our fear should not result in our cowering in a corner waiting for it to happen. Instead, we must become angry enough to start really doing something about it! Anger is not always a bad emotion. It is often a response to injustice, which we can choose to channel into taking positive action. As a blind community, are we up to the challenge of absolutely insisting that our need for equal accessibility be reasonably accomodated? As a blind individual, what actions will you take right now and later to ensure a brighter, more accessible future for you and your blind brothers and sisters? Don’t choose to remain in the dark one more second! Please feel free to take our poll on accessibility and provide your feedback by way of posting a comment to this article.
The folks at Twitter have now added an audio CAPTCHA to their signup process, thus affording blind and visually impaired people the opportunity to register and participate alongside their sighted peers. See New: Accessible Captcha with Recaptcha for all the exciting details.
Once again, we learn that authentication based on sight alone is not the only game in town. A company called PhoneFactor delivers a two-factor authentication scheme in which the second piece of authentication material is literally your telephone. In simple terms, here’s how it works:
The potential of this solution to deliver security while ensuring accessibility for people with disabilities simply can’t be ignored!
I have just discovered that blind and visually impaired people are not permitted to post comments on the PayPal Blog due to an inaccessible CAPTCHA. This is weird, since an audio CAPTCHA is utilized elsewhere within the E-Bay and PayPal sites.
Recently, PayPal began offering account holders the ability to use a Security Key as an additional means of protection. The Security Key is a small piece of hardware that connects to the computer’s USB port and displays a sequence of numbers that change every 30 seconds. Once the key is activated, users must supply these numbers in addition to their typical PayPal username and password in order to be granted access. No accessible version of the PayPal Security Key is offered at this time. Though the Security Key is not required, there are a couple of significant concerns.
At this time, use of the Security Key is not required in order to continue using PayPal. One may decide to avoid purchasing and activating the Security Key, while still retaining access to their account. This may seem to represent a mitigating factor, except for one dirty little truth. The availability of the Security Key to only sighted PayPal customers automatically means that blind and visually impaired customers are not afforded the same degree of security! That’s right. While the sighted may now enjoy two-factor, virtually unbreakable authentication, we blind folks are stuck with the traditional username and password approach. This inherently makes the blind more vulnerable to fraud, identity theft, loss of PayPal funds and all manner of other imaginable nastiness. Alas, that’s not all!
While the Security Key is currently an optional enhancement, we can see the day in the near future when PayPal will begin requiring use of this authentication method for all account holders. At that time, blind and visually impaired people will be completely locked out of their PayPal accounts, unless an accessible version of the Security Key is made available. When that happens, PayPal will be giving its blind customers the boot, showing them the tightly barred and locked door featuring the infamous “No Blind People Allowed” sign.
Multifactor authentication is not new to PayPal. It is rapidly extending to the web sites of many banks and other financial institutions. It is absolutely critical that we, as a blind community, begin to effectively address issues of visual CAPTCHA and multifactor authentication before we find ourselves locked out of online participation and even separated from our money! Let’s act now with respect to PayPal! We urge all of you to ask PayPal for information about their intentions toward blind and visually impaired customers with respect to the Security Key. Please post any responses from PayPal as comments to this article.