CAPTCHA Authentication

What Is CAPTCHA Used For?

CAPTCHA is used by any website that wants to decrease the presence of bots on the site. It includes:

Maintaining poll accuracy: CAPTCHA security can prevent the skewing of polls by authenticating each user to ensure each vote is entered by a human. However, this makes the time required to cast a vote longer than normal which can deter people from voting multiple times.

Limiting registration for services: Services can use CAPTCHA to decrease the amount of bots that create fake accounts. By restricting account creation, it prevents a waste of services and reduces opportunities for fraud.

Preventing ticket inflation: Systems that sell tickets can use CAPTCHA to prevent scalpers from purchasing large amounts of tickets for resale. It can also be used to prevent false registration for free events.

Preventing false comments: CAPTCHA authentication can prevent bot accounts from spamming comment sections, message boards, and news feeds. CAPTCHA can also reduce online harassment.

How Does CAPTCHA Work?

Traditional CAPTCHAs include distorted or overlapping letters that are open to human interpretation and prove to be difficult for a bot to comprehend. Access is prevented until all the letters are properly identified.

This type of CAPTCHA generally relies on a human’s ability to interpret and recognize patterns. Bots on the other hand, can only follow set patterns or input randomized characters. The limitation a CAPTCHA presents makes it highly unlikely that a bot will guess the right combination of letters.

Since CAPTCHA was introduced, bots that use machine learning have been developed. Machine learning bots are able to identify patterns in traditional CAPTCHAs with algorithms in pattern recognition. This development led to newer CAPTCHA methods that are based on more complex tests. For example, reCAPTCHA, a popular CAPTCHA service run by Google, now requires clicking in a certain area and waiting until the timer runs out.

CAPTCHA Types

Modern CAPTCHAs fall into three main categories—text-based, image-based, and audio.

Text based CAPTCHAs

Text based CAPTCHAs are the original way in which human verification happens. Traditionally, these CAPTCHAs use known words or phrases, or a random combination of digits and letters. Some text based CAPTCHAS can also use variations of capitalization.

The text based CAPTCHA presents these characters in a way that is estranged and requires a human interpretation. The estrangement can involve scaling, rotation, and distortion of characters. It can also involve overlapping characters with graphic elements such as background noise, lines, arcs, or dots. This estrangement can prove to be difficult for bots that have insufficient text algorithms but at times can also be difficult for humans to guess as well.

Techniques for text based CAPTCHAs:

• Gimpy: chooses a random number of words from an 850-word dictionary and provides those words in a distorted fashion.
• EZ-Gimpy: a variation of Gimpy but only uses one word.
• Gimpy-r: selects random letters, then distorts and adds background noise to characters.
• Simard’s HIP: selects random letters and numbers, then distorts characters with arcs and colors.

CAPTCHA Image

Image-based CAPTCHAs were developed with the goal of replacing text-based CAPTCHAs. CAPTCHA images generally use graphical elements such as pictures of animals, shapes, or scenes. With image CAPTCHAs, users are prompted to either select images matching a theme or images that don’t match.

While image based CAPTCHAs are easier for humans to detect, it presents difficult accessibility issues for visually impaired users. For bots however, image based CAPTCHAS are more difficult to interpret than text because these tools both require image recognition and semantic classification.

Audio CAPTCHA

Audio CAPTCHAs were developed to provide accessibility to visually impaired users. This type of CAPTCHA is often used in a combination of text and image CAPTCHAs. Audio CAPTCHAs present audio recordings of a series of letters or numbers which the user then enters.

Audio CAPTCHAs rely on bots not being able to recognize relevant characters from background noise. However, similar to text based CAPTCHAs, this can also be difficult for humans to interpret.

Math or Word Problems

These CAPTCHA systems ask users to solve a simple mathematical problem such as, “4+4” or “13+5”. The assumption is that a bot will find it difficult to perform a simple math problem and give a response.

Word problems are another variant to this CAPTCHA. Essentially it asks the user to type the missing word in a sentence, or complete a sequence of several related terms. While these types of CAPTCHAs are accessible to visually impaired users, it may also be easier for bots to solve.

Social Media Sign On

A popular and preferred alternative to CAPTCHA authentication is requiring users to sign on through their social media profile such as Facebook, Twitter, & LinkedIn. The user’s details will automatically be filled in and authenticated using SSO (Single Sign On) verification provided from the social media website.

This type of authentication proves to be easier than traditional CAPTCHA verifications and is a more convenient registration mechanism.

What is reCAPTCHA?

reCAPTCHA is a free service Google offers as a replacement for traditional CAPTCHAs. Like CAPTCHA, some reCAPTCHAs require users to enter images of text that computers have trouble deciphering. Unlike regular CAPTCHAs, reCAPTCHA sources the text from real-world images: pictures of street addresses, text from printed books, text from old newspapers, and so on.

What Are reCAPTCHA Tests?

Google has expanded the functionality of reCAPTCHA tests so that they no longer have to rely on the old style of identifying blurry or distorted text. Various reCAPTCHA tests are used to combine information:

• Image acknowledgment
  • Users are presented with 9 or 16 square images.
  • Images may all be from the same large image, or they may each be different.
  • A user has to identify the images that contain certain objects, such as animals, trees, or street signs.
  • If their response matches the responses from most other users who have submitted the same test, the answer is considered “correct” and the user passes the test.
• Checkbox
  • This reCAPTCHA test takes into account the movement of the user’s cursor as it approaches the checkbox.
  • Even the most direct motion by a human has some amount of randomness on the microscopic level: tiny unconscious movements that bots can’t easily mimic.
  • If the cursor’s movement contains some of this unpredictability, then the test decides that the user is probably legitimate.
  • If the test is still unable to determine whether or not the user is a human, it may present an additional challenge, such as the image recognition test
• General client conduct evaluation (no client association by any means)
  • The latest versions of reCAPTCHA are able to take a holistic look at a user’s behavior and history of interacting with content on the Internet.
  • The program can decide based on those factors whether or not the user is a bot, without providing the user with a challenge to complete.

Are CAPTCHAs and reCAPTCHAs Enough For Stopping Malicious Bots?

There are some bots that can get past a CAPTCHA. According to researchers, it has been documented that there are ways to write a program that beats the image recognition in CAPTCHA. Attackers also use click farms to beat the test, which is essentially thousands of low-paid workers solving CAPTCHAs on behalf of bots.

How Are CAPTCHA and reCAPTCHA Related to Artificial Intelligence (AI) Projects?

Millions of users are able to identify hard-to-read texts, and pick out objects in blurry images. The data from these CAPTCHAs are fed into AI computer programs so that they become better at those tasks as well.

Computer programs struggle with identifying objects and letters in different contexts, simply because context can change almost instantaneously in the real world. For example, if we take a stop sign which is a red octagon with white letters reading “STOP”, a computer could recognize a shape-and-word combination like that fairly easily. But, if that stop sign is in a photo, it may look different than the simple description depending on the angle, lighting, or context of the photo, etc.

reCAPTCHA plays its role by getting humans to identify objects and texts, which in time provides enough data to build a robust AI program.

What is a Turing Test? How are Turing tests relevant to CAPTCHA tests?

A Turing test assesses a computer’s ability to mimic human behaviour. Alan Turing, who created the Turing test in 1950, was an early computing pioneer. The way for a computer to pass the Turing test is if its performance during the test is indistinguishable from that of a human. The Turing test is not dependent on getting answers correct but rather how “human” the answer sounds regardless of whether they’re right or wrong.

A CAPTCHA is really the opposite of a Turing test as it determines whether a supposed human user is actually a computer program or not. It does this by assigning a brief task that people tend to be good at and one that computers struggle with.

What Are The Drawbacks of Using CAPTCHAs or reCAPTCHAS to Stop Bots?

Bad user experience: A CAPTCHA test can interrupt the flow of what users are trying to complete, which gives them a negative view of their experience on the web, and leading the user to abdon the webpage altogether.

Not usable for visually impaired individuals: An issue with CAPTCHAs is that they solely rely on visual perception. This makes it difficult not just for people who are legally blind but also for anyone with any kind of impaired vision.

These tests can be fooled by bots: As we mentioned, CAPTCHAs are not fully bot-proof and should not be relied upon for bot management.