1

CAPTCHAs

Soft Launch Alert: The Digital Guidelines are a work in progress and subject to updates. Your feedback is highly valued and will help us improve! Digital Guidelines Feedback (Google Form)

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) are usually added to solutions to improve security. The idea behind them is, basically, to pose a question or challenge that a human could easily solve but that a bot might struggle with. More often than not, CAPTCHAs create issues for users. They can be annoying, disruptive, and inaccessible if implemented poorly.

Usage Guidelines

If you feel like you must use CAPTCHAs:

  • Always provide multiple CAPTCHA formats.
  • Include audio alternatives.
  • Make sure keyboard navigation is fully supported.
  • Do NOT limit user attempts.
  • Give people clear and brief instructions.
  • Keep contrast and other standards in mind.
  • Eliminate or minimize repeated challenges during a user's session.
  • Consider hCaptcha or custom solutions instead of reCAPTCHA.

Recommendations

ScenarioUse CAPTCHAAlternatives to Think AboutNotes
Multiple or excessive failed login attemptsYes
  • One-time codes
  • SMS verification
  • Magic links
  • Trusted device checks
  • Common methods to limit malicious traffic
 
High-stakes form submissionsYes
  • Multi-factor authentication
  • One-time codes
  • SMS verification
  • Magic links
Financial and other transactions likely have specific security requirements. Always defer to agency or OIT policies and recommendations.
Normal web browsingNeverMore effective methods (rate limiting, behavior pattern analysis, IP filtering, risk scoring, threshold-triggered challenges, etc.) should be used to limit malicious traffic.If you're considering using CAPTCHA to block or limit bad actors on your app or website: don't. It is not appropriate and is extremely disruptive to all users. If you cannot implement security best practices on your own, reach out to your technology partners for help.
Basic form submissions (like contact us, newsletter signups, etc.)Not usually
  • Honeypot fields
  • Logic questions (simple math, counting, etc.)
Server-side or other backend filtering should be used to weed out inappropriate submissions. Users should not have to engage in complex tasks in order to do something basic (like ask for help, provide commentary, etc.).