In a recent meeting with stakeholders, they were concerned about bots auto-filling a registration form. The obvious answer that came up was to add a Captcha. The response was something along the lines of a groan + gurgling sound, or in real words, disapproval. Captchas are more often than not complicated, and they are always a PITA!

A long time ago I had to solve this problem and came up with an alternative to using a captcha. So I suggested my solution and it was well received.

The goal is to protect against bots automatically filling out a form and submitting data, while not bothering the user with squiggles and unreadable images. That matters especially since the target audience is less than tech savvy and most will be older users.

It’s common for bots to find fields with common names such as FirstName, Phone, Email, etc. by parsing the HTML or somehow working with the DOM. There is no reason, though, that we as developers have to use those names when building our forms.

The idea is to add a field with a common name such as ‘FirstName’, but it won’t be used for input. In fact, it isn’t even shown to the user. In theory, a bot auto-populating the form will enter a value, thinking it’s the first-name field. On form submission, we test that field for a value; if it has one, the form obviously wasn’t filled out by a person.

Example form:

<form method="post">
        <!-- Honeypot: hidden from people and kept out of the tab order; a bot filling fields by name will populate it -->
        <input name="FirstName" style="display: none" tabindex="-1" autocomplete="off" aria-hidden="true" />
        First Name: <input name="XYZ" />
        Last Name: <input name="LastName" />
        <button type="submit">Register</button>
</form>

You can modify this a bit to fit your needs, of course; this was just a simple example. Now users aren’t bothered with captchas, and it will prevent [most] automated form submissions.

Cons:

  • Not all bots work in the way described
  • Can be worked around without too much effort
  • Legitimate automated form population tools may fill in the field causing a false positive
  • May cause issues with screen readers

A modification to this is to check the field value on the client side and, if necessary, require explicit verification (which should include a friendly message to the user). This keeps false positives from preventing legitimate users from continuing.
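As an added example (not code from the original post), here is the server-side check described above together with the softer "ask the user to confirm" variant, written for Node.js. The honeypot field name, the real field names and the sample request bodies are constructed to match the example form; the handler parses a standard URL-encoded form post and returns a decision plus a log line rather than silently dropping suspicious submissions.

```javascript
// Added example, not code from the original post: server-side handling of
// the honeypot field. Field names follow the post's form: "FirstName" is the
// hidden decoy, "XYZ" and "LastName" are the real, visible inputs.

const HONEYPOT_FIELD = "FirstName";          // decoy field, never shown to users
const REQUIRED_FIELDS = ["XYZ", "LastName"]; // the visible inputs a person fills in

// Parse an application/x-www-form-urlencoded request body into a plain object.
// Repeated keys are concatenated so a duplicated honeypot field cannot mask a value.
function parseFormBody(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body)) {
    fields[key] = (fields[key] || "") + value;
  }
  return fields;
}

// Classify a submission. Returns "accept", "verify" or "reject":
//   accept - honeypot empty and required fields present
//   verify - honeypot has a value; could be a bot or a legitimate autofill
//            tool, so the soft-failure variant asks the user to confirm
//            rather than discarding the form outright
//   reject - a required field is missing (incomplete form, not a bot signal)
function classifySubmission(fields) {
  if ((fields[HONEYPOT_FIELD] || "").trim() !== "") {
    return "verify";
  }
  const missing = REQUIRED_FIELDS.filter(name => (fields[name] || "").trim() === "");
  return missing.length > 0 ? "reject" : "accept";
}

// Turn a raw body into what the form handler would send back, including the
// friendly message the verification step should show.
function handleSubmission(body) {
  const fields = parseFormBody(body);
  const status = classifySubmission(fields);
  const messages = {
    accept: "Thanks, your registration was received.",
    verify: "Please confirm you are a person to finish registering.",
    reject: "Please fill in your first and last name.",
  };
  // Record the decision for monitoring: a rising "verify" rate points at
  // either a bot wave or an autofill tool that many real users share.
  const logLine = `form-submit status=${status} honeypot_filled=${status === "verify"}`;
  return { status, message: messages[status], logLine };
}

// Constructed sample bodies: a person filling only the visible fields, and a
// bot that populated every input it could find by name.
const HUMAN_BODY = "FirstName=&XYZ=Ann&LastName=Lee";
const BOT_BODY = "FirstName=John&XYZ=John&LastName=Doe";

console.log(handleSubmission(HUMAN_BODY)); // status: "accept"
console.log(handleSubmission(BOT_BODY));   // status: "verify"
```

The "verify" outcome is deliberately separate from "reject": the cons list above notes that autofill tools can trip the honeypot, so the server hands the decision back to the user instead of guessing, and the log line gives you a number to watch if that happens often.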

It isn’t foolproof, but it is an easy alternative to confusing captchas. Other alternatives include asking the user a question and requiring them to enter an answer, such as “What is 2+2?”.

The point here is to think in terms of automation and how it would work against you, then simply sidestep it instead of building a giant fortress wall.

What do you think? Do you have any captcha alternatives that you’ve used? What are they, how do they work and what was the success rate?
