Sadly, we still live in a web world where we need to protect our sign-up, contact and registration forms with anti-spam technologies like the dreaded CAPTCHA.
On paper, the Completely Automated Public Turing test to tell Computers and Humans Apart is a good idea. It helps site owners distinguish real humans from bots that fill in forms automatically to gain access to services, most often so they can be used for spamming and other nefarious purposes.
If you run a blog or forum and need to tell humans from bots, CAPTCHAs are great. But for users, CAPTCHAs are annoying, not to mention barely accessible.
They are difficult to use in any form. Whether it means typing in squiggly numbers, picking out the kitty cat from a set of photos, or dragging a logo into a box, they are hard for users to understand and to complete successfully.
I had an experience today with CAPTCHAs that left me stunned.
My healthcare provider is transitioning to a new health charting and messaging system. In order to register for the site, I have to offer a large amount of information about myself, including address, email, full name, birthdate, and most critically – my medical record number, unique to me.
At the bottom of this form was a CAPTCHA.
Why was there a CAPTCHA? Filling out this form didn't grant me automatic access; it only registered me into the system. I assume that once my details are in there, they will be checked against my record, and only then will I receive yet another piece of information, a registration code, to use on yet another form.
A good rule of thumb for CAPTCHAs: if you are already asking for detailed information that you will compare against existing data to prove an identity, you don't need a CAPTCHA. The form still has to be protected against a bot guessing that data, but that is a job for rate limiting and lockouts on the server, not for a puzzle the user has to solve.
If you need only a small amount of information that is difficult to verify, as a social network does, then by all means use a CAPTCHA.
Creating bank account: no CAPTCHA.
Creating forum account you plan to use to troll n00bs: CAPTCHA.
Buying tickets to a concert? Annoying, but ok, CAPTCHA.
Think about the users. Please.
I’m pretty sure CAPTCHA is useful in any number of forms that want to prevent brute force. In your personal example, yes, you have to put in a unique medical ID, but what if someone wanted to try to force the system? In theory, they would fill out the rest of the fields with fake info except for a real email address, and use a bot to repeatedly attempt to register, changing the medical ID each time, in the hope of finding a legitimate ID #. Might be more plausible for breaking into something financial, but you get the idea. Or, if someone was really pissed off at their health provider, they could attack the server by hitting the form hard with a bot.
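The rule of thumb in the post and the brute-force scenario in the comment above are two sides of the same design question: a form that verifies the submitted details against existing records does not need a CAPTCHA, but it does need a server-side defence against a bot that cycles through record numbers. The following is an added example, not code from the original post, the commenter, or any healthcare provider's system. It assumes a constructed table of records, made-up medical record numbers, e-mail addresses and IP addresses, and illustrative thresholds (5 attempts per 10 minutes, then a one-hour lockout); a real deployment would tune those and store the counters in shared state rather than in memory. It also returns one generic failure message whether the record number is unknown or the other fields simply don't match, so the response itself cannot be used as an oracle for which numbers exist.

```python
"""Added example (not from the original post): a registration handler that
checks the submitted details against existing records and, instead of a
CAPTCHA, defends against enumeration with per-IP and per-e-mail rate limiting,
a lockout, and a uniform failure response. All records, identifiers, addresses
and thresholds below are constructed for illustration."""
import time
from collections import defaultdict, deque

# Constructed "existing data" the form is compared against, keyed by
# medical record number (MRN). Values are the fields that must match.
RECORDS = {
    "MRN-4471902": {"last_name": "okafor", "dob": "1984-03-09"},
    "MRN-4471903": {"last_name": "lindqvist", "dob": "1971-11-30"},
}

MAX_ATTEMPTS = 5      # attempts allowed per key within WINDOW seconds (assumed)
WINDOW = 600.0        # sliding window in seconds (assumed)
LOCKOUT = 3600.0      # seconds a key stays locked after exceeding MAX_ATTEMPTS (assumed)

# One message for every verification failure, so a bot cannot distinguish
# "MRN does not exist" from "MRN exists but the other fields don't match".
GENERIC_FAILURE = "We could not verify your details. Please check them and try again."
THROTTLED = "Too many attempts. Please try again later."


class RateLimiter:
    """Sliding-window attempt counter per key (client IP, e-mail address, ...)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, lockout=LOCKOUT):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._hits = defaultdict(deque)   # key -> timestamps of recent attempts
        self._locked_until = {}           # key -> time at which the lock expires

    def allow(self, key, now):
        """Record an attempt for key and return True if it may proceed."""
        if self._locked_until.get(key, 0.0) > now:
            return False
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:   # drop attempts outside the window
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_attempts:
            self._locked_until[key] = now + self.lockout
            hits.clear()
            return False
        return True


class RegistrationService:
    def __init__(self, records=RECORDS):
        self.records = records
        self.by_ip = RateLimiter()
        self.by_email = RateLimiter()
        self.registered = set()

    def register(self, form, client_ip, now=None):
        """form: dict with email, last_name, dob, mrn. Returns (ok, message)."""
        now = time.time() if now is None else now
        # Both limiters run before any record lookup: an attacker who rotates
        # e-mail addresses is still bounded per IP, and vice versa.
        if not self.by_ip.allow(client_ip, now):
            return False, THROTTLED
        if not self.by_email.allow(form["email"].strip().lower(), now):
            return False, THROTTLED
        record = self.records.get(form["mrn"])
        matched = (
            record is not None
            and record["last_name"] == form["last_name"].strip().lower()
            and record["dob"] == form["dob"]
        )
        if not matched:
            return False, GENERIC_FAILURE
        self.registered.add(form["mrn"])
        return True, "Registration received; a code will be mailed to you."


def simulate_enumeration(service, attacker_ip="203.0.113.7", tries=50, start=1000.0):
    """The attack from the comment: a bot with one real e-mail address cycling
    through MRNs, one request per second. Returns (attempts that reached the
    record lookup, attempts throttled, successful registrations)."""
    looked_up = throttled = successes = 0
    for i in range(tries):
        form = {"email": "attacker@example.net", "last_name": "smith",
                "dob": "1980-01-01", "mrn": f"MRN-{4471900 + i}"}
        ok, msg = service.register(form, attacker_ip, now=start + i)
        if msg == THROTTLED:
            throttled += 1
        else:
            looked_up += 1
        successes += int(ok)
    return looked_up, throttled, successes


if __name__ == "__main__":
    print(simulate_enumeration(RegistrationService()))   # only 5 of 50 guesses reach the lookup
```

Running the module shows the bot getting five guesses before the IP is locked out for an hour, while a genuine patient who submits matching details registers on the first try. The two limiters are deliberately independent: the per-IP one stops a single bot, the per-e-mail one stops the same actor spreading guesses across many source addresses, and neither of them asks the patient to pick out a kitty cat.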