CAPTCHA feedback for outstanding items

To the RQTF



As promised, below is my feedback against all of the outstanding items for the current CAPTCHA draft.



Firstly, apologies if my responses are out-of-date given I haven't been at the last two meetings. I've looked through the minutes and as best I can tell my comments should be current, but if the information is not helpful, it's no worries if you don't want to use my suggestions and rewrites.



Secondly, Janina: thanks for adding these in to address the GitHub issues and appreciate the offer of help. Are there any good online tutorials for using CLI GitHub or a good YouTube video that might help? My colour scheme doesn't work very well for it and it'd be good to get a better conceptual understanding of it too for work in the long-term.



Responses to outstanding issues follow.



Scott.









4: Video Game; Smart-Device Divide [Medium]

https://github.com/w3c/apa/issues/4

Janina for Smart Device Divide

Unassigned on Video Game

NOTE: Should be split into two issues



Scott's comment:



To address the video game comment itself separate to the multi-device argument, I'd propose the following rewrite. The specific debate over multi-device authentication then gets covered in the other section and this one can be closed. I've also included issue 6 in this as movement-based CAPTCHAs and video game CAPTCHAs have the same access implications.



Proposed rewrite:

Movement-based and Video Game CAPTCHA

This process is based on the movement of interactive elements such as a slidebar or the completion of a basic video game as a CAPTCHA<https://www.w3.org/TR/turingtest/#dfn-captcha>, like Game-based image semantic CAPTCHA on handset devices [game-captcha<https://www.w3.org/TR/turingtest/#bib-game-captcha>]. The benefits include removal of language barriers and the removal of CAPTCHA frustration due to the intuitiveness of the task associated and the enjoyment of playing video games.

Importantly, the implementation of this CAPTCHA would need to support multiple input interfaces as different devices may lack some input methods such as a keyboard or touchscreen. Another potential issue is that screen reader support for interface elements may unintentionally provide a backdoor for the CAPTCHA to be bypassed by allowing a bot to play the game.



6: Drag and drop CAPTCHA [High]

https://github.com/w3c/apa/issues/6






See above - integrated into resolution of issue 4.





7: Privacy, PKI, and 3rd Party Concerns [Medium]

https://github.com/w3c/apa/issues/7

NOTE: Provides buzz words and additional examples to reCAPTCHA



Scott's comment: looking through the minutes of the last few meetings it looks like this has been discussed a lot so I'll leave this one for the call.





11: reCAPTCHA v. 3 fallback [Low]

https://github.com/w3c/apa/issues/11

Scott's comments: looks like this has progressed too in the last few meetings. Still of the view that the update needs to acknowledge that reCAPTCHA V3 ideally does not prompt the user for a CAPTCHA, but developers may still choose to use an inaccessible fallback despite Google's suggestions.





14: security and privacy properties of biometrics unstated or confused [High]

https://github.com/w3c/apa/issues/14

Janina



Scott's comment: again I appreciate this looks to have been discussed in the meetings so will save most comments for the call, but reading through the minutes I'm wondering if we're getting too bogged down in privacy concerns given the main purpose of the note is regarding accessibility. Ultimately biometrics and multiple device authentication as solutions have accessibility benefits and I'm wondering if the privacy concerns are becoming a distraction from the overarching purpose of the document regarding whether or not it is an accessible solution.





15: privacy/accessibility implications of relying on logged-in identity provider [High]

https://github.com/w3c/apa/issues/15



Scott's comment: see issue 14.



16: blinded verifications and related work are currently missing [High]

https://github.com/w3c/apa/issues/16

Janina



Scott's comment: looks like this one is progressing well, no additional comments from me.





22: captcha: multi-device/cross-site paragraph confusing [Moderate]

https://github.com/w3c/apa/issues/22

NOTE: (this could be editorial, but appears to be seeking substantive clarification.)

NOTE: See Issue #7 comment



Scott's comment: given the previous paragraph discusses reCAPTCHA V3, I think this one can be addressed by just tweaking the text to explain that such solutions support multi-device.



Propose the following rewrite:



In this context we note that it has become common for users to access various online services through multiple devices such as desktop and mobile computers, smart phones, tablets, and wearables such as smart watches. This proliferation has led to online services delivering identification solutions that take into account a combination of multi-device and multi-platform vectors for simple and effective user authentication, including persons with disabilities. As such, we note that several major service providers (such as Facebook) now support cross-site user authentication. However, in relation to the specific ability to tell a human and bot apart, it appears only Google's V. 3 reCAPTCHA API provides cross-site CAPTCHA services without actually passing specific identifying data.





24: Logic Puzzle section is a bit thin [Moderate]

https://github.com/w3c/apa/issues/24



Scott's comment: propose the following rewrite:



Logic Puzzles

Another mechanism for distinguishing humans from bots is to test for logic. This can include simple mathematical or word puzzles, trivia, or similar logic tests. The ability for humans to answer simple intuitive or commonly known questions is likely to be difficult for bots to interpret due to the puzzles lacking semantic details that bots can process.



Users with cognitive disabilities may still have difficulty with logic-puzzle CAPTCHA approaches as assumptions relating to which questions are considered 'simple' may not apply to all users. Logic puzzles based on language questions are also likely to exclude users who are not familiar with that language.



In terms of implementation, answers may need to be handled flexibly, if they require free-form text. Also, a system would have to maintain a vast number of questions, or shift them around programmatically, in order to keep spiders<https://www.w3.org/TR/turingtest/#dfn-spider> from capturing them all for use by web robots. This approach is also more likely subject to defeat by human operators engaged in crowd-sourcing activity on behalf of attackers.







26: Blinded Tokens [High]

https://github.com/w3c/apa/issues/26



Scott's comment: looks like this is already largely addressed in meetings.







Dr Scott Hollier
Digital Access Specialist
Mobile: +61 (0)430 351 909
Web: www.hollier.info<http://www.hollier.info>

Technology for everyone

Looking to upskill your staff with digital access training<http://www.hollier.info/consultancy/>? Fill the room for one flat fee.

Keep up with digital access news by following @scotthollier on Twitter<https://twitter.com/scotthollier> and subscribing to Scott's newsletter<mailto:newsletter@hollier.info?subject=subscribe>.

Received on Monday, 15 April 2019 13:34:26 UTC
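The implementation concerns raised in the Logic Puzzles rewrite above (answers that must be matched flexibly when they are free-form text, and questions that must be generated or rotated programmatically rather than served from a fixed bank that spiders can harvest), as a worked example. This is added code, not part of Scott's message or of the W3C Note; the `LogicCaptcha` class, the question templates, the number-word table and the in-memory challenge store are assumptions of this example, and it assumes a single-process server. It does not address the crowd-sourced human-solver case the rewrite mentions, which no matching logic can.

```python
"""Logic-puzzle CAPTCHA sketch: programmatic question generation, tolerant
answer matching, bounded guessing and single-use challenges.
Added example; not code from the W3C Note or from the message above.
Assumes a single-process server (the challenge store is an in-memory dict)."""
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Number words so that 'seven', 'Seven.' and '7' all normalise to '7'.
NUMBER_WORDS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen twenty".split())}

ANIMALS = ("cat", "dog", "horse", "sheep", "goat", "duck")
OBJECTS = ("stone", "river", "bread", "cloud", "chair", "lamp")


def normalize_answer(text: str) -> str:
    """Canonical form of free-form input: lower-case, punctuation dropped,
    whitespace collapsed, number words mapped to digits."""
    t = re.sub(r"[^\w\s]", "", text.lower())
    return " ".join(str(NUMBER_WORDS.get(w, w)) for w in t.split())


# Question templates (hypothetical). Each takes an RNG and returns
# (question, answer). Parameters are drawn per challenge, so the question
# space is the product of the template's parameters, not a fixed list.
def _addition(rng):
    a, b = rng.randint(1, 10), rng.randint(1, 10)        # 100 variants, answer <= 20
    return f"What is {a} plus {b}?", str(a + b)


def _subtraction(rng):
    a, b = sorted((rng.randint(1, 10), rng.randint(1, 10)), reverse=True)
    return f"What is {a} minus {b}?", str(a - b)


def _odd_one_out(rng):
    animal = rng.choice(ANIMALS)
    words = rng.sample(OBJECTS, 2) + [animal]
    rng.shuffle(words)
    return f"Which of these is an animal: {', '.join(words)}?", animal


def _list_position(rng):
    words = rng.sample(OBJECTS, 3)
    n = rng.randint(1, 3)
    ordinal = {1: "first", 2: "second", 3: "third"}[n]
    return f"Which word comes {ordinal} in this list: {', '.join(words)}?", words[n - 1]


@dataclass
class _Challenge:
    answer: str            # already normalised
    expires_at: float
    attempts_left: int


class LogicCaptcha:
    """Issues challenges and verifies answers. Each challenge is single-use,
    time-limited and allows only a few guesses, because the answer space of
    a simple puzzle is small enough to enumerate by submitting guesses."""

    TEMPLATES = (_addition, _subtraction, _odd_one_out, _list_position)

    def __init__(self, rng=None, ttl_seconds=300.0, max_attempts=3, clock=time.time):
        self.rng = rng or secrets.SystemRandom()
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self._open = {}    # challenge id -> _Challenge; the answer never leaves the server

    def new_challenge(self):
        """Return (challenge_id, question) for the client to display."""
        question, answer = self.rng.choice(self.TEMPLATES)(self.rng)
        cid = secrets.token_urlsafe(16)
        self._open[cid] = _Challenge(normalize_answer(answer),
                                     self.clock() + self.ttl, self.max_attempts)
        return cid, question

    def verify(self, cid, user_answer):
        """True only for a live, unused challenge answered within the attempt budget."""
        ch = self._open.get(cid)
        if ch is None:                        # unknown, purged, or already consumed
            return False
        if self.clock() > ch.expires_at:
            del self._open[cid]
            return False
        ch.attempts_left -= 1
        given = normalize_answer(user_answer).encode("utf-8")
        if hmac.compare_digest(given, ch.answer.encode("utf-8")):
            del self._open[cid]               # solved challenges cannot be replayed
            return True
        if ch.attempts_left <= 0:
            del self._open[cid]               # force a fresh puzzle after repeated misses
        return False


if __name__ == "__main__":
    cap = LogicCaptcha()
    cid, question = cap.new_challenge()
    print(question)
    print("correct:", cap.verify(cid, input("> ")))
```

Two design points follow from the rewrite's own caveats. The word lists inside `_odd_one_out` and `_list_position` are small and harvestable, but because templates recombine them the served questions are not a fixed set a spider can capture once; the arithmetic templates have no list at all. And since a bot can still guess the answer space of "What is 3 plus 4?" in a handful of tries, the attempt cap, expiry and single-use consumption are what make guessing expensive, not the puzzle itself.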