Logging In and Captcha

What is Captcha?

CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is one of the annoyances that we have learned to take for granted when we browse the internet. Captcha is a method developed to tell humans and bots apart. The main goal is to keep bots from accessing sites or systems where they are not welcome.

What’s the use?

In essence you are assumed to be a bot until you can prove otherwise. This is done by challenging you to perform a task that a computer is supposedly unable to complete. The tests discriminate by checking typical human talents, like the ability to recognize letters in a mix of shapes, sizes and directions, even when they are cropped together or built up out of other shapes.

Is it still useful?

Over time, attempts at artificial intelligence have been making progress, and programs have been written that keep getting better at solving this type of captcha, while increasing the difficulty has made the tests harder and more of an annoyance for humans. So other methods were developed. In December of 2014 Google Online Security announced a switch to “No CAPTCHA reCAPTCHA”, since it no longer deemed the ability to read distorted text sufficient. Optical character recognition (OCR) software and artificial intelligence (AI) are nearing a level of success that some humans would be jealous of.

You may have noticed other sites switching to more modern versions as well. One example asks you to find numbers placed against a background that makes them hard for a computer to find, where a human would spot them easily.

Another variation asks you to complete a puzzle by shifting pieces around.

But for important entrances, I expect we will see a switch to Two-Factor Authentication (2FA), which is more time-consuming and requires you to give up some of your personal information, for example a phone number or email address.

When it comes to websites 2FA typically relies on asking for information that only the person asking for access should be able to have or receive. This can be the answer to a secret question if there has been a previous contact. Usually you will be asked to provide this information when you create an account.

Another common method works if you have provided an email address or phone number where the site or system can send a code or a URL that has the code embedded. Some banks still use snail mail to send you a list of authorization codes to use for online payments. In online banking we have also seen card readers that generate an authentication code if you are able to insert the card and enter the PIN.

When the system has an even more strict policy and the contact is on a more personal level, you may even see the use of biometrics to grant access. Other ideas that provide a workable solution would be CryptoPhoto and hardware tokens.

The list of alternative options is very long. Any of them can work as long as a computer is unable to interpret the question or provide the answer in the required way, while people with different disabilities can. The task should also not be too difficult, and it should not depend on a certain cultural background.

All in all I think captcha will be replaced by other methods over time and it will become a rare sight soon. Let’s hope that the replacements will be less frustrating for the user, especially the visually handicapped.

Summary

Captcha as the method we know to tell humans and bots apart seems to have outlived its usefulness. This article explains the purpose and discusses some alternatives.

Recommended reading:

Inaccessibility of CAPTCHA

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.