As bots get better at beating CAPTCHA, developers seek easy-to-use alternatives.
For years, CAPTCHA has been the first line of defense for websites attempting to ward off spambots. But at a time when bot technology is beginning to rival human faculties, many Web developers have begun seeking a better way to distinguish real users from nefarious spammers.
Perhaps you don’t recognize the name, but if you’re on this website right now, you are no doubt familiar with CAPTCHA. It’s the security feature, usually located at the bottom of Web forms, that asks you to decipher a series of garbled numbers and letters, and retype them into an entry field.
Developed in the late ’90s and early 2000s, CAPTCHA took advantage of the human eye’s sophistication to outwit spambot programs that try to pose as humans and gain access to websites.
But you may have noticed that these ciphers have become increasingly difficult to decode in recent years. It’s not just you. The writing is becoming more and more warped to combat the continued refinement of bot technology, some of which is now able to outwit many simpler CAPTCHAs. This has made things even worse for the blind and visually impaired, who’ve been bemoaning the security protocol for years.
Not only has CAPTCHA become burdensome for users, it is quickly losing its ability to serve its purpose. This week, Google announced that a new computer algorithm it created for deciphering street numbers on Google Maps can also be used to translate even the most difficult CAPTCHA codes.
“Turns out that this new algorithm can also be used to read CAPTCHA puzzles—we found that it can decipher the hardest distorted text puzzles from reCAPTCHA with over 99 percent accuracy,” writes Google’s Vinay Shet. “This shows that the act of typing in the answer to a distorted image should not be the only factor when it comes to determining a human versus a machine.”
Since discovering this fact, Google has continued to have its users fill out CAPTCHA forms as a way of studying other human traits that can be applied to new bot filtering technology. Still, it’s clear that CAPTCHA as we know it will eventually be phased out. Here are some of the most promising alternatives.
Frequently, sites are using simple math problems like “3 + 4 = ?” as an alternative to CAPTCHA. This has several added benefits. The visually impaired, using screen reader technology, can solve these problems just as easily as people with 20/20 vision. And for most, it would actually be quicker than having to squint and stare at warped CAPTCHA characters.
But this is no silver bullet. It’s relatively easy to create spam bots that can read and solve these problems. A possible solution to this would be to increase the complexity of the math problem, but that runs the risk of diminishing a website’s accessibility to users with limited math skills or cognitive disabilities.
Some developers are looking toward the rise of mobile gaming as they seek a CAPTCHA replacement.
For instance, an Australian company unveiled FunCAPTCHA last year. Their technology works by having users play short little games. A person might be asked to turn a crooked picture right-side up or identify a computer-generated female face. The games are relatively easy and take just seconds to complete, but they are significantly more difficult for spambots to complete. However, the games will do little to help the visually impaired.
3. Text message verification
Text message verification is among the most reliable spam filters from a security standpoint. That’s why many banks and services like Google Voice use it. When you set up or change an account, a website asks for your phone number, then texts you a short verification code to enter on the website. It’s nice and easy … unless you don’t have a phone. There is also email verification, but procuring a phony email address is getting easier for spammers.
4. Timing Trick
Some developers have come up with CAPTCHA alternatives that require nothing of human users. One such example is the Timing Trick.
As humans, it usually takes us a few seconds or minutes to fill out most Web forms, but spambots complete them instantaneously. According to Scientific American, some security experts are using this trait against spambots, setting a minimum amount of time to complete forms. Any bot trying to instantaneously submit a form is rejected as obviously not human.
This method is ideal for users, as it requires nothing extra from them, but it’s also relatively easy for spammers to reconfigure their bots with a delay to keep them from acting too fast.
5. The Honey Pot
Another security measure that doesn’t require an extra verification step by humans is the so-called “Honey Pot.” Also known as the Hidden-Field Scam, this method attempts to trick spambots into filling out an entry field that is invisible to most human users.
To do this, website creators use CSS coding to create a secret entry field on the form. They label it something tempting like “email address” in hopes the spambot will answer it. However, this field is invisible to human users, who of course will not enter anything. If text is entered, the website will be able to identify the user as a spambot.
This seems like a clever solution, but again it’s not perfect. Not all users have CSS turned on, and auto-fill features on some browsers (like Safari) will fill in these forms.
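The Timing Trick and the Honey Pot can be checked together on the server when a form comes back. The sketch below is an added example, not code from the article or any product it names; the secret, field names and time limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept on the server
MIN_SECONDS = 3                   # assumption: fastest plausible human fill time
MAX_SECONDS = 3600                # assumption: older forms must be reloaded
HONEYPOT = "email_address"        # tempting field name, hidden from humans via CSS


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp.mac' to embed in a hidden field when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def classify(form, now=None):
    """Return 'ok' or the reason a submission looks automated."""
    now = time.time() if now is None else now
    # Honey Pot: humans never see this field, so any value in it is suspicious.
    if form.get(HONEYPOT, "").strip():
        return "honeypot_filled"
    # Timing Trick: the render time is signed, so a client cannot backdate it.
    ts, _, mac = form.get("token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return "bad_token"
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed submissions: a human after 12 s, then a bot that fills every field.
    token = issue_token()
    print(classify({"token": token, "comment": "Nice post"}, now=time.time() + 12))
    print(classify({"token": token, "email_address": "x@example.com"}))
```

Because auto-fill can populate the hidden field for a real person, a site may prefer to hold `honeypot_filled` submissions for review instead of discarding them.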
Although there are plenty of promising alternatives out there, there is no perfect solution to the spam filtering process. With sophisticated spambots beginning to mimic human capabilities, it’s hard to have an effective security protocol that doesn’t limit accessibility. So don’t expect CAPTCHA to disappear entirely any time soon.