bitwarden/jslib

Please do not use hcaptcha for CAPTCHA protection

ethindp opened this issue · 2 comments

I'm not precisely sure where to send this (it applies to desktop, mobile, and web, at least), so I thought this would be a good place since it shares common code between all three.

I recently heard that Bitwarden had implemented an hcaptcha-based CAPTCHA solution to prevent bots and spammers from accessing vaults. Though I applaud the goal, the solution -- hcaptcha -- is not the right solution for this job. I understand that Recaptcha is owned by Google, and that therefore all users are subject to tracking of one form or another; however, please read this comment in its entirety before dismissing this suggestion on principle.

Hcaptcha -- within the disabled community -- is notorious for its failures to ensure equal accessibility for all. Hcaptcha relies on an "accessibility cookie": you open a particular website, enter your email, verify that email, and then you set a cookie in your browser that tells hcaptcha that the user is disabled and therefore needs to skip the captcha. I've no doubt that everyone reading this has kept up with recent browser developments and therefore will immediately be aware of this strategy's Achilles' heel: browsers that respect the privacy of their users have disabled third-party cookies (and heavily restricted their use). Therefore, any website using Hcaptcha is automatically broken unless this setting is either disabled or you disable it for the website in question (because the domain that you use Hcaptcha on is not the domain that you got the accessibility cookie on). But the Achilles' heel is much worse than that, because Hcaptcha also demands this "accessibility cookie" within Electron apps (and other web apps that are not web browsers and therefore do not support cookies like a browser might). As a result, this ends up locking disabled people out of services if they are required to solve a CAPTCHA without sighted assistance. This is somewhat ameliorated by the fact that this seeming failure does not occur (to my knowledge at least) on phones, but I have only experienced this once on my phone and others may not have had the success that I had. Hcaptcha has repeatedly asserted (despite all evidence to the contrary) that their service is completely accessible, despite the numerous complaints that prove otherwise. They have refused to update or modernize their service, even though they claim that their service allows publishers to be Section 508 and WCAG 2.1 AA compliant (which is not in fact the case).
If you want a bunch of examples where blind people (as one example) have been locked out of things or been unable to get past Hcaptcha, you need look no further than these search results.

As a solution, I kindly ask the Bitwarden developers to switch CAPTCHA services to Recaptcha or, if that is implausible or unreasonable, to identify another way of preventing abuse, such as rate limiting or 24-hour lockouts. I understand that this solution is not ideal, and that others (e.g. machine learning) may be better, but at least it won't result in people who are disabled being locked out of their password vaults for an indeterminate amount of time. As I said, I know that Recaptcha probably tracks users, but I'm honestly unsure what would be a better alternative. I would appreciate thoughts about this -- and I hope I'm not upsetting anyone with this comment and that I'm posting it in the right place.

Thanks for the feedback. We are looking into ways to make the captcha prompts more intelligent and less impactful to legitimate users and have discussed several solutions for an upcoming release. Recaptcha isn't possible due to privacy concerns. We have IP rate limiting in place already, but unfortunately that isn't a very effective solution in today's age of bot farms. Lockouts are not possible because they can be abused by malicious actors.

Can you contact our support team and reference this issue and include your IP address? We may be able to assist in whitelisting your IP address from the captcha requirements if you think that is an effective temporary solution for you. https://bitwarden.com/contact/
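The reply above makes two security-engineering points in passing: per-IP rate limiting is weak against a bot farm that spreads requests across many addresses, and a per-account lockout can be turned into a denial of service against the legitimate account owner. The following TypeScript is an added illustration of both failure modes, not Bitwarden or jslib code; the limiter, lockout class and simulated traffic are simplified stand-ins constructed for this example.

```typescript
// Added example (not project code). Two toy abuse controls and the
// attacks that defeat each one, as described in the maintainer's reply.

// Fixed-window counter keyed by source IP. Real deployments use sliding
// windows or token buckets, but the bypass shown below works the same way.
class PerIpRateLimiter {
  private counts = new Map<string, number>();
  constructor(private readonly maxPerWindow: number) {}

  // Returns true if this request is within the per-IP budget.
  allow(ip: string): boolean {
    const n = (this.counts.get(ip) ?? 0) + 1;
    this.counts.set(ip, n);
    return n <= this.maxPerWindow;
  }
}

// Per-account lockout: after maxFailures bad logins the account refuses
// all attempts, including those from its rightful owner.
class AccountLockout {
  private failures = new Map<string, number>();
  constructor(private readonly maxFailures: number) {}

  recordFailure(account: string): void {
    this.failures.set(account, (this.failures.get(account) ?? 0) + 1);
  }

  isLocked(account: string): boolean {
    return (this.failures.get(account) ?? 0) >= this.maxFailures;
  }
}

// Failure mode 1: a bot farm. The same total number of guesses is spread
// over `ipCount` addresses; returns how many guesses the limiter lets
// through. One IP with 5000 guesses is throttled to `limitPerIp`; 1000 IPs
// with 5 guesses each all pass untouched.
export function guessesAcceptedByIpLimiter(
  ipCount: number,
  guessesPerIp: number,
  limitPerIp: number,
): number {
  const limiter = new PerIpRateLimiter(limitPerIp);
  let accepted = 0;
  for (let i = 0; i < ipCount; i++) {
    const ip = `198.51.100.${i}`; // constructed, documentation-range address
    for (let g = 0; g < guessesPerIp; g++) {
      if (limiter.allow(ip)) accepted++;
    }
  }
  return accepted;
}

// Failure mode 2: lockout as denial of service. An attacker who knows only
// the victim's email submits `attackerFailures` wrong passwords; once the
// threshold is hit, the legitimate owner's correct password is refused too.
export function victimLockedOutByAttacker(
  attackerFailures: number,
  threshold: number,
): boolean {
  const lockout = new AccountLockout(threshold);
  const victim = "victim@example.com"; // constructed account name
  for (let i = 0; i < attackerFailures; i++) {
    lockout.recordFailure(victim);
  }
  // The owner now tries to log in with the right password.
  return lockout.isLocked(victim);
}
```

Neither control is useless, but the simulation shows why the reply treats them as insufficient: the per-IP limiter only raises the attacker's cost by the number of addresses they must rent, and a lockout hands any attacker who knows a username a one-line way to deny that user access to their own vault.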

@kspearrin ReCaptcha is the only accessible CAPTCHA service. This is not an issue that I am personally dealing with, but it is an issue that other blind people are dealing with, because HCaptcha has shown that they don't care about accessibility (i.e. instead of just integrating accessibility into their service as they had the power to do, they require an "accessibility cookie", which is no longer a viable tactic in modern browsers). I acknowledge that Recaptcha has privacy implications, but it is the only captcha service that has demonstrated that it cares about individuals with disabilities in all situations. Hcaptcha has the Privacy Pass extension/add-on, but of course this only works in browsers and nowhere else. The same applies to cookies, making Hcaptcha's solution non-portable and unusable in all situations. Blind people have tried to tell Hcaptcha these things and they have refused to listen. I would be happy to point you to many, many instances of blind people running into trouble with Hcaptcha because of their refusal to integrate accessibility directly into their captcha service (which, in some if not all cases, could be seen as a violation of both the Americans with Disabilities Act of 1990 and the Communications and Video Accessibility Act of 2010, depending on what the captcha is being used to protect), if you want. But blind people have all tried -- repeatedly -- to get them to change how they work, or to change their accessibility measures to be more inclusive, and have failed each and every time.