How Disability Sport Wales Stopped Bots Without Blocking a Single Disabled User
reCAPTCHA quietly locks out millions of disabled users every day. Here's how Disability Sport Wales replaced it with invisible bot protection — catching more bots while blocking zero real users.
Picture the most quietly cruel barrier on the web: a charity built to support disabled people, running a login wall that disabled people cannot get past.
That is not a thought experiment. It is close to the exact bind Disability Sport Wales found themselves in — a national charity working with disabled athletes, coaches, volunteers, and members right across Wales, protected by a CAPTCHA that was failing the very people they exist to serve.
This is the story of how they fixed it: how they took the puzzles off the screen entirely, made the site usable for everyone again, and ended up catching more bots than before — without blocking a single real user.
What is accessible bot protection? Accessible bot protection stops automated traffic without ever asking a human to prove they are human. Instead of image puzzles, checkboxes, or audio challenges — all of which create barriers for disabled users — it verifies the visitor's device and behaviour invisibly, in the background, so every real person passes straight through regardless of ability or assistive technology.
The users a CAPTCHA quietly turns away
Most site owners measure a CAPTCHA by the bots it blocks. Almost nobody measures the people it blocks — because those people just leave, and you never hear from them.
The numbers here are not small. There are roughly 16 million disabled people in the UK — close to one in four of the population, according to Scope. For a large share of them, a "click all the traffic lights" puzzle is not a minor annoyance. It is a locked door.
Disabled People (UK)
16M
almost one in four of the population
The accessibility community has been saying this for years, and the standards bodies agree. The W3C published an entire working note titled Inaccessibility of CAPTCHA, laying out how visual Turing tests systematically exclude users. WCAG's own guidance on non-text content flags CAPTCHA as a problem that demands alternatives. And in WebAIM's screen reader user surveys, CAPTCHA shows up again and again as one of the most frustrating things on the entire web.
Walk through who each challenge type fails:
- Image puzzles — unusable for blind and low-vision users; difficult for many with cognitive disabilities.
- Audio challenges — the supposed fallback — fail deaf-blind users entirely, are notoriously hard for everyone, and are routinely solved by bots anyway.
- Drag, slide, and "select all" tasks — a wall for users with tremors, limited dexterity, or switch-based input.
- Time limits — penalise anyone who needs longer to read, process, or respond.
So the audio fallback does not save you. It fails the humans and waves the bots through. That is the worst of both worlds.
Disability Sport Wales: serving the exact people CAPTCHA fails
Disability Sport Wales sits at an unusually sharp version of this problem. Their audience is, by definition, disproportionately made up of disabled users — the precise group that visual and audio CAPTCHAs fail hardest.
When a disabled member tried to log in, register for a programme, or get in touch, a reCAPTCHA challenge stood in the way. For some users that meant a puzzle they could not solve. For others it meant an audio clip that did not work with their setup. For plenty of them it simply meant giving up.
A barrier like that is bad for any business. For an organisation whose entire mission is removing barriers to participation, it cut straight against the point.
Why they couldn't just remove it
The obvious fix — delete the CAPTCHA — was off the table. The moment you take protection off a public form, the bots arrive.
This is not a maybe. Automated traffic now makes up more than half of all web traffic, according to the Imperva Bad Bot Report. An unprotected login or contact form is found and probed within days by crawlers that index the entire web and feed every form they find to spam and credential-stuffing frameworks.
Web Traffic
51%
of all internet traffic is now bots
So Disability Sport Wales were caught between two bad options:
- Keep reCAPTCHA and keep locking out disabled users.
- Remove reCAPTCHA and open the doors to bot spam, fake registrations, and login abuse.
Worse, the CAPTCHA was not even holding up its end of the deal. Commercial solving services defeat image and audio puzzles for fractions of a cent — the same weakness that let the AkiraBot framework spam 80,000+ sites straight through reCAPTCHA, hCaptcha, and Turnstile (we covered that campaign in our form bot protection guide). The charity was paying the full accessibility cost of a CAPTCHA while getting a leaky version of the security.
They did not need a better puzzle. They needed protection that never put a puzzle on the screen in the first place.
The fix: challenge the bot, not the person
That is exactly the model TrustSig is built on. It does not challenge the user — it challenges the environment.
Instead of asking a human to prove themselves, TrustSig reads hardware-level rendering signatures, real-time device telemetry, and traffic cadence to mathematically separate a real consumer browser from an automated one running on a rack server. A real phone or laptop produces a specific, consistent fingerprint when it renders; an emulator cannot fake the underlying silicon. That check happens invisibly, and a server-side verification call returns a clean allow / block decision before anything reaches the application.
For Disability Sport Wales, the deployment was deliberately boring — drop in the script (or the relevant SDK), verify the token on the backend, done. Nothing changed for the user. There was simply nothing left to see.
The accessibility win is structural, not cosmetic. An invisible system with zero user interaction has no failure point for assistive technology. There is no widget for a screen reader to announce, no audio clip to decode, no drag target to hit, no timer to beat. You cannot fail a challenge that is not there.
Challenges Shown To Users
0
no puzzles, checkboxes, or audio — for anyone
And because TrustSig is built in Estonia, hosted in Germany, and processes all data inside the EU with no tracking cookies, it sidesteps the other quiet problem with reCAPTCHA: shipping every visitor's behavioural data to US ad infrastructure. For a UK charity handling members' personal data, that GDPR posture matters as much as the accessibility one. (We break down the full picture in our reCAPTCHA alternatives comparison and the GDPR-native CAPTCHA guide.)
What changed
The outcome was the thing every accessibility audit says is impossible and every security vendor says is a trade-off: both at once.
| With reCAPTCHA | With TrustSig | |
|---|---|---|
| What the user sees | Puzzles, checkboxes, audio | Nothing |
| Disabled users completing forms | Many blocked or gave up | Every user, no challenge |
| Screen readers & assistive tech | Frequent failures | Unaffected — nothing to interact with |
| Bots that beat image CAPTCHAs | Got through | Stopped |
| Visitor data sent to US ad networks | Yes | No — processed in the EU |
Every legitimate user could log in and use the site again, including those relying on assistive technology. The friction that had been turning members away simply disappeared.
And the security got stronger, not weaker. Because TrustSig verifies the device rather than the user, the automated traffic that had previously solved or skipped past reCAPTCHA was now caught. Detection went up. False positives — real people wrongly flagged — stayed at the floor. The charity stopped choosing between protecting its members and serving them.
Accessibility and security were never a real trade-off
The lesson here is not specific to one charity. Any organisation running a CAPTCHA is making the same hidden bet: that the customers it turns away are worth fewer than the bots it stops. For a disability charity that bet is obviously upside-down — but it is upside-down for an e-commerce store losing mobile conversions, a SaaS losing sign-ups, and a council losing residents who cannot complete a form, too.
The reason the trade-off felt real for so long is that the whole CAPTCHA category is built on interrogating the user. The instant you move the test off the human and onto the machine, the trade-off dissolves. Bots get caught harder, because they cannot fake hardware. Humans get caught never, because they are never asked. Disabled users — the people most failed by the old model — benefit the most from the new one.
"Invisible" is not a nice-to-have here. It is the entire point.
Frequently asked questions
Is reCAPTCHA accessible for disabled users?
Not reliably. The W3C has formally documented the inaccessibility of CAPTCHA, and screen reader users consistently rank it among the most frustrating barriers online. Image puzzles fail blind and low-vision users, audio challenges fail deaf-blind users, drag-and-select tasks fail many people with motor impairments, and time limits fail people with cognitive disabilities. The audio fallback is hard for humans and easy for bots — so it solves nothing.
What is the most accessible CAPTCHA alternative?
The most accessible alternative is no CAPTCHA at all. Invisible bot protection verifies the visitor's device and behaviour in the background, so there is no puzzle, checkbox, or audio clip to fail. With no user interaction, there is nothing for assistive technology to get stuck on, and every real person passes straight through regardless of ability.
Can you really stop bots without showing a CAPTCHA?
Yes — and often better than a CAPTCHA can. Hardware-level rendering signatures and device telemetry catch automated browsers that defeat image and audio puzzles, because a bot cannot fake the silicon it runs on. Verification happens invisibly and is confirmed server-side, where it cannot be bypassed by replaying a frontend token.
Does invisible bot protection work with screen readers?
Yes. There is no visible widget, no audio challenge, and no extra focus stop added to the page, so screen readers, switch devices, and magnifiers have nothing to trip over. The check runs entirely in the background.
Is this GDPR compliant for a UK or EU charity?
TrustSig is built in Estonia, hosted in Germany, and processes all data inside the EU, with no tracking cookies and no advertising incentive to monetise visitors. That is a cleaner posture than US-based CAPTCHAs that transfer behavioural data overseas — and it matters most for public-sector, healthcare, and charity sites handling sensitive member data.
Make your site usable for everyone
If your site shows a CAPTCHA, some share of your real users are failing it right now — and you will never see them, because they leave without a trace. For most sites that is lost revenue. For an organisation serving disabled people, it is a barrier standing directly in front of the mission.
You do not have to choose. TrustSig's free tier covers 50,000 requests a month across two domains with the full threat engine included — invisible to every user, hosted in the EU, with zero puzzles for anyone. You can be live in under five minutes with a single script or a dedicated SDK for React, Node.js, Vue, or edge middleware.
Start protecting your forms free at trustsig.eu — no credit card required.
If you run a charity, council, healthcare, or other public-service site and want a hand making the switch, our team is happy to help.
Sources & further reading
- W3C — Inaccessibility of CAPTCHA | w3.org/TR/turingtest
- W3C WAI — Understanding Non-text Content (WCAG 1.1.1) | w3.org/WAI
- WebAIM — Screen Reader User Survey | webaim.org
- Scope — Disability facts and figures | scope.org.uk
- Imperva — 2025 Bad Bot Report | imperva.com