Summary

hCaptcha is designed to stop bots by distinguishing them from people. Visual tests are a convenient tool for this, but not everyone can solve a visual challenge.

For this reason we have designed a simple, painless alternative to let publishers using our service preserve accessibility for all with full Section 508 and WCAG 2.1 AA compliance.

How it works: first, an accessibility user signs up via the accessibility signup page, which is prominently linked in the hCaptcha widget info page. They are given an encrypted cookie that can be used several times per day, but must be refreshed every 24 hours via login.

When a challenge is presented to an accessibility user on a site using the hCaptcha service, they will automatically pass.

Screen shown after registration

Accessibility user screen after login

Accessibility option in widget UI menu
Accessibility option in widget UI menu
Accessibility dialog box in widget UI
Accessibility dialog box in widget UI

FAQ

Q: Is  hCaptcha Section 508 + WCAG 2.1 AA compliant?
A: We believe so: all users with any form of impairment who are able to browse the web and enter text on forms can access services protected by hCaptcha upon registration. However, this is not legal advice: you should perform your own evaluation, taking into consideration your particular implementation to ensure this is the case for your deployment.

Q: Are you working on other accessibility ("a11y") options, like audio? 
A: Previously popular options like audio captchas discriminate against many a11y users and are easily defeated by modern machine learning techniques. This has forced current audio challenges to become more and more difficult, introducing noise, odd timing, unusual word combinations, and so on to defeat attackers. We are thus less enthusiastic about this approach vs. avoiding the challenge altogether, but will consider it if there is demand from the a11y community.

However, we are very interested in Privacy Pass for the Accessibility use case. We believe combining our current a11y approach with Privacy Pass issuance will allow a11y users to browse safely, secure in the knowledge that their traffic is more private, while restricting the abuse by bot operators that inevitably occurs when a11y options are available. We are active participants in the IETF working group standardizing this new technology.

Q: What about privacy? Does registration expose a11y browsing data in some way? What do you do with the email?
A: hCaptcha is designed for privacy from the ground up. It is very different than traditional options like reCAPTCHA that are owned by ad networks, who have an incentive to track you around the web and associate you with a real identity.

We never use accessibility emails or info for any purpose other than facilitating a11y use and preventing abuse. Our privacy policy has comprehensive and authoritative answers as to how we use data, but the short answer is we have no interest in associating you as a person with your browsing history.

We are also currently working on a cryptographic solution to rapidly discard your email address while still preserving our ability to prevent abuse, complementing our Privacy Pass work.

For Accessibility Users: Q&A and Troubleshooting Guide

Q: I'm still seeing a challenge after setting the cookie. What's causing this?
A: This is typically due to using an aggressive ad blocker or anti-cookie extension, or a setting that blocks "cross-site" cookies, in this case a cookie for hcaptcha.com that is set or checked by the hCaptcha JS on a different site, like the one you are visiting.

hCaptcha accessibility cookies work with all popular browsers and ad blockers with their standard settings, so typically failures are due to "anti-anti-adblock" scripts or similar rulesets targeting particular sites.

Solutions:

1. Whitelist hcaptcha.com and *.hcaptcha.com cookies in your ad blocker or browser security extension.
2. If you are using the Brave browser, which does not (as of April 2020) appear to have any kind of cookie whitelist, go to Preferences -> Shields -> Cookies and choose "Allow All Cookies."
3. If you are using the very latest version of Safari on either the recently released OS X 10.15 or iOS 13.4, Apple has just changed the behavior of Safari related to third-party cookies, blocking all of them by default. We are implementing a solution, but in the meantime please visit Safari Preferences, Privacy section, and uncheck "Website tracking: Prevent cross-site tracking" to enable the accessibility cookie to function as expected.

Q: I use multiple devices. Do I need to sign up multiple times?
A: No. Please click the same email login link sent to you on each device you use in order to set the cookie.

Q: How can I protect myself from third-party cookie tracking while using the accessibility cookie?
A: Using any privacy or ad-blocking extension that supports domain-level whitelisting (e.g. uBlock Origin) will work as expected: just make sure to whitelist hcaptcha.com.

Browser Instructions for Cross-Site Cookies

Safari
To enable cookies in Safari (Mac): Go to the Safari drop-down menu. Select Preferences. Click Privacy in the top panel. Under 'Block cookies' select the option 'Never.'
To enable cookies in Safari (iPhone/iPad iOS 11+): Open your Settings. Scroll down and select Safari. Under Privacy & Security, turn off "Prevent Cross-Site Tracking" and "Block All Cookies"

Firefox
Click on the shield to the left of the address bar on any webpage. Click on Protection Settings. The Firefox Preferences Privacy & Security panel will open. Under Enhanced Tracking Protection, select Custom. Choose which trackers and scripts to block by selecting those checkboxes. Make sure you have unblocked hcaptcha.com.

You can also temporarily turn off some protections in Custom to debug this, by deselecting the checkboxes: Deselect the Trackers checkbox or deselect the Cookies checkbox if you are still having issues.

Google Chrome
Google Chrome (PC)
Select the Chrome menu icon. Select Settings.
Go to Privacy and Security, then Cookies and other site data.
Make sure "Block third-party cookies" is not enabled.

Google Chrome (Mac):
Open Chrome preferences from the menu bar.
Go to Privacy and Security, then Cookies and other site data.
Make sure "Block third-party cookies" is not enabled.

Google Chrome (Android):
On your Android device, open the Chrome app.
At the top right, tap More and then Settings.
Tap Site Settings and then Cookies.
Next to "Cookies," switch the setting on.
Check the box next to "Allow third-party cookies."

Internet Explorer
1. Select the gear in the upper-right corner of the screen, then select "Internet Options". If you have the Menu Bar enabled, you can select "Tools" then "Internet Options".
2.  Click the "Privacy" tab.
3. Select the "Advanced" button.
4.  Under "Third-party Cookies" choose "Accept".
5. Click "OK"