CAPTCHAs are horrible #558
Labels
Missing: example code
Missing: explainer
Missing: security & privacy review
privacy-tracker
Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.
Progress: in progress
Resolution: satisfied
The TAG is satisfied with this design
Review type: CG early review
An early review of general direction from a Community Group
Review type: small delta
Topic: authentication
Topic: cookies
Topic: cryptography
Topic: HTML
Topic: identity & credentials
Topic: privacy
Topic: security features
Venue: TAG
Milestone
Form submission abuse is a real issue, but the current solution of CAPTCHAs is a horrible and error-prone user experience.
CAPTCHAs are an accessibility nightmare, provide an inconsistent UX, leak information to centralized services, and are abused as mechanical turks.
The UA knows that a human is driving it, can we provide a better mechanism that allows UAs to automatically prove human action and provide a consistent, accessible UX when needed?
One thought, add an
<input type=captcha>
that provides a trust token or the like in form submission. It would have no display, but the first time a form containing it is submitted, the UA can provide a UX to authenticate the user and obtain the token (querying the value from script would also yield the token/trigger the UX). The token could then be stored and auto-submitted in the future without any UX. Authors would need to be able to feature detect and fall back to other CAPTCHA mechanisms when not implemented.The text was updated successfully, but these errors were encountered: