Security Codes and Login Pages

It has been common for a while now to use images containing some sort of security code that the person must type in along with the rest of their information in order to try to verify that it is a real person filling out the form and not an automated process of some sort. These image security codes are known as image CAPTCHAs.

Some sites have moved on from using this technique for trying to tell the difference between real people and automated processes and use less obtrusive CAPTCHAs that do not involve images and which in some instances may not even be visible to the real people visiting their site.

As anything that distinguishes real people from computerised processes is a CAPTCHA (since that is what a CAPTCHA does), the ideal is to use one that has a minimal impact on your real visitors but which can still effectively recognise and block those automated processes. This means that where you can readily confirm that it is a real person to start with then using a CAPTCHA becomes unnecessary.

A login screen has the purpose of identifying a specific person. Only that person ought to be allowed access to what the login is protecting. This means that a login option needs to block anyone and everyone who is not the specific person that the login belongs to. To be effective a login screen has to have some form of flood control built in so as to prevent someone other than the account owner from simply flooding the system with possible logins until they find one that works.
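
One way to build the flood control described above, as an added example that is not from the original article: failed attempts are counted per account and a temporary lockout doubles each time it is triggered. The class name, function names and thresholds are assumptions chosen for illustration, and `checkPassword` stands in for the site's real credential check.

```javascript
// Added example: per-account login flood control (all names are hypothetical).
// Failures are counted per account, whoever sends them, so automated guessing
// is slowed exactly as much as guessing by hand.
class LoginThrottle {
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000, lockMs = 60 * 1000 } = {}) {
    this.maxFailures = maxFailures; // failures tolerated inside one window
    this.windowMs = windowMs;       // how long a failure is remembered
    this.lockMs = lockMs;           // first lockout; doubles on each repeat
    this.accounts = new Map();      // account -> { failures, lockedUntil, locks }
  }

  // Milliseconds the caller must wait before a password is even checked.
  retryAfter(account, now = Date.now()) {
    const lockedUntil = this.accounts.get(account)?.lockedUntil ?? 0;
    return Math.max(0, lockedUntil - now);
  }

  recordFailure(account, now = Date.now()) {
    const s = this.accounts.get(account) ?? { failures: [], lockedUntil: 0, locks: 0 };
    this.accounts.set(account, s);
    // Forget failures older than the window, then add this one.
    s.failures = s.failures.filter((t) => now - t < this.windowMs);
    s.failures.push(now);
    if (s.failures.length >= this.maxFailures) {
      s.lockedUntil = now + this.lockMs * 2 ** s.locks; // exponential backoff
      s.locks += 1;
      s.failures = [];
    }
  }

  // A successful login clears the account's history.
  recordSuccess(account) {
    this.accounts.delete(account);
  }
}

function attemptLogin(throttle, checkPassword, account, password, now = Date.now()) {
  const wait = throttle.retryAfter(account, now);
  // While locked, even the correct password is refused without being checked,
  // so a flood of guesses learns nothing during the lockout.
  if (wait > 0) return { ok: false, reason: 'throttled', retryAfterMs: wait };
  if (checkPassword(account, password)) {
    throttle.recordSuccess(account);
    return { ok: true };
  }
  throttle.recordFailure(account, now);
  return { ok: false, reason: 'bad-credentials' };
}
```

The lockout is time-limited, so an account owner caught by someone else's guessing is delayed rather than shut out for good.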

So what do login screens have to do with security codes? Well, I have seen sites that have a login screen that as well as entering the password also requires that you enter a security code. Now if you consider what I have just said about the purpose of the login screen and the purpose of a security code then you will now be wondering the same thing I am wondering - why is that security code there on the login screen?

The login screen without the security code is designed to prevent anyone apart from the account owner from accessing the account. The security code is there to prevent automated processes from being able to correctly fill out the form. The combination therefore is designed to prevent automated processes from being able to log into their own accounts. Now why an automated process would be given an account in the first place I don't know since using a security code (or some other CAPTCHA) on the registration form would prevent the automated process from being able to get an account. Assuming that such a distinction is made during registration then no automated process can have an account in the first place. With each account belonging to a real person and with the login screen without the security code preventing anyone other than the owner from gaining access, the screen already blocks access to automated processes. The security code on a login screen therefore serves no purpose whatsoever since the automated processes are blocked by the same code that blocks someone from being able to access someone else's account.

At least that would be the case if the security codes always worked properly. Unfortunately though they don't always function correctly and some security code processes will block real people from being able to use the form that the security code is a part of. For a one-off form this can be a minor inconvenience to the person since they just abandon the broken site and go to some other site that provides the same service but without the broken security code. Where the unnecessary security code option on a login screen breaks though, the situation is more than a minor inconvenience since it then prevents the account owner from being able to log into their own account.


This article written by Stephen Chapman, Felgall Pty Ltd.
