We are all human, but some are more human than others! A brief history of CAPTCHA

An image of Sophia, a social humanoid robot developed by Hanson Robotics.

So, you want to log in to your email, social media, favourite online retailer, or submit a form on some other website.

Most of the time, entering all the details is relatively straightforward, but there's a good chance you'll be greeted with another request...are you a robot?

This might seem like an odd question, but it's a vital security measure designed to keep you and your information safe.

The problem? Well, the typical human tests used in this scenario haven’t always been accessible to all humans...

What is CAPTCHA?

CAPTCHA, or the 'Completely Automated Public Turing test to tell Computers and Humans Apart', is a challenge-response test that was developed in the early 2000s by an engineering team led by Luis von Ahn at Carnegie Mellon University.

The thinking behind the tests was to stop spam crawlers and bots from wreaking havoc and gaining unfair advantages across the internet.

The original tests were presented in many different ways such as an image of a word or string of characters that was difficult to decipher, a simple logic-based question (is grass green or blue?) or a basic mathematical question (what is 4+2?).

The use of images meant that these tests were a challenge only a human could solve. Adding a test to a site prevents things like scalpers from using a computer program to buy every concert ticket on a website in a fraction of a second.

An early example of CAPTCHA.

CAPTCHA’s lack of accessibility

Arguably the biggest problem with the original CAPTCHA solution was how hard the images were to decipher – for everyone! For someone with a sensory or cognitive impairment, they were nearly always impossible. For example, someone who is blind could not overcome an image-based CAPTCHA.

Thus, reCAPTCHA was introduced with the addition of an audio CAPTCHA, which featured a distorted audio clip for blind or vision impaired users.

The introduction of reCAPTCHA with audio functionality.

Even so, reCAPTCHA remained a burden for people with poor hearing and vision, dyslexia, cognitive impairments, and those using assistive technologies. For all users, it remained a hurdle in their digital transactions.

Overcoming the security pitfalls of CAPTCHA

Along with overlooking accessibility, CAPTCHA also struggled to deliver on its fundamental promise - preventing scams and scalpers.

In 2014, a Google analysis found that artificial intelligence could crack even the most complex CAPTCHA and reCAPTCHA images with 99.8 percent accuracy - rendering the program useless as a security feature.

This, in addition to being inaccessible for many, led to Google replacing reCAPTCHA (image-text or audio) with No-CAPTCHA/reCAPTCHA v2 - a simple checkbox that states “I am not a robot”.

reCAPTCHA featuring a simple ‘I’m not a robot’ checkbox.

This simple solution manages to provide ample security because, when you click the checkbox, a whole bunch of useful information is sent to Google, such as:

  • Country

  • Timestamp

  • IP address

  • The way you move your cursor just moments before clicking the checkbox

  • The way you were scrolling the page before clicking the checkbox

  • The time interval between different interactions within the browser

Assessing all of those bits of information makes it possible to determine a user’s human status. If you’ve submitted 400 forms from the same IP address in 0.2 seconds… you’re probably not human!

Another development was released in October 2018, when Google introduced reCAPTCHA v3.0, which helps detect suspicious traffic on a website without any user interaction – removing the “Are you a robot?” question for the majority of users.

Instead of showing a CAPTCHA test or a checkbox, reCAPTCHA v3 scores the interaction by running an ‘adaptive risk analysis.’ The score is based on the factors listed above, captured in the background of the site, to assess how suspicious a user is.

The website administrator can decide what score they want users to have before they can access the site. This latest iteration provides a better user experience, as minimal effort is required by humans to confirm their authenticity.
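As an added example (not code from the original post or from Google), here is one way a site could apply its chosen score on the server once the reCAPTCHA v3 verification response has been parsed. The per-action thresholds, the hostname `shop.example`, the `decide` function and the "challenge" step-up tier are all assumptions made for illustration.

```python
# Added example: server-side policy for a reCAPTCHA v3 verdict.
# THRESHOLDS, EXPECTED_HOSTNAME and decide() are hypothetical names.
THRESHOLDS = {"login": 0.7, "checkout": 0.5, "comment": 0.3}  # assumed values
EXPECTED_HOSTNAME = "shop.example"  # placeholder


def decide(verdict, expected_action):
    """Map a parsed siteverify response to ('allow'|'challenge'|'block', reason)."""
    if verdict.get("success") is not True:
        codes = ",".join(verdict.get("error-codes", [])) or "unknown"
        return "block", f"token rejected ({codes})"
    # A token minted on another site or for another action must not be reused here.
    if verdict.get("hostname") != EXPECTED_HOSTNAME:
        return "block", "hostname mismatch"
    if verdict.get("action") != expected_action:
        return "block", "action mismatch"
    threshold = THRESHOLDS.get(expected_action)
    score = verdict.get("score")
    if threshold is None or isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block", "no threshold or score"
    if score >= threshold:
        return "allow", f"score {score} >= {threshold}"
    # Low score: step up to another check instead of locking the user out.
    return "challenge", f"score {score} < {threshold}"


# Constructed sample responses (shape of the siteverify JSON reply).
SAMPLES = [
    {"success": True, "score": 0.9, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.3, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.9, "action": "comment", "hostname": "shop.example"},
    {"success": False, "error-codes": ["timeout-or-duplicate"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decide(sample, "login"))
```

Sending low scores to a secondary check rather than a hard block keeps a mis-scored human, such as someone using assistive technology, from being shut out entirely.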

Being more human and more accessible

As with many digital innovations, CAPTCHA didn’t get accessibility right the first time. But with iterative fine tuning, the experience has improved and become inclusive of a greater number of users over time.

Nonetheless, CAPTCHA generally still has an impact on some users because it stands between them and the task they are trying to accomplish. As a result, there is a chance CAPTCHA forces users to complete unfavourable tasks that are beyond their ability, control, or comfort zone.

It remains just one of the potential “human” tests that can be used to protect sites and forms. Alternatives include:

HoneyPots

HoneyPots are deceptions or traps implemented to attract bots, without ever being noticed by human users. With this solution, an extra field is included in the web form and then hidden from humans with code. These hidden fields usually contain a label that reads “If you are a human, do not fill in this field”. This field will be visible to bots that will then attempt to populate the field – betraying their non-human status.

Timestamps

Timestamps work on a simple principle. The system will judge whether you are a human or bot by recording the overall time it takes to fill out the form. In most cases, a bot will populate a form instantly – humans usually take more than a few seconds to type in the required information.
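The honeypot and timestamp checks described above can be combined in one server-side validator. This is an added example, not code from the original post: the field names `website` and `form_token`, the demo key and the time limits are assumptions. It goes one step beyond the text by signing the render time with an HMAC, so a bot cannot simply submit an older timestamp.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
HONEYPOT_FIELD = "website"            # hypothetical hidden field name
MIN_FILL_SECONDS = 3.0                # assumption: humans need at least this long
MAX_FORM_AGE_SECONDS = 3600.0         # assumption: reject stale or replayed forms


def _mac(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Return 'timestamp:mac' to embed in a hidden field when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(ts)}"


def classify_submission(form, now=None):
    """Return 'ok' or the reason the submission looks automated."""
    now = time.time() if now is None else now
    # Honeypot: humans never see this field, so any value means a bot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot_filled"
    ts, _, mac = form.get("form_token", "").partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return "bad_token"
    # Constant-time compare; a forged or edited timestamp fails here.
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed submissions: form rendered at t=1000, posted at various times.
    token = issue_form_token(now=1000)
    print(classify_submission({"form_token": token, "email": "a@b.example"}, now=1012))
    print(classify_submission({"form_token": token, "website": "spam"}, now=1012))
    print(classify_submission({"form_token": token}, now=1000.2))
```

The hidden field should also be skipped by screen readers and keyboard focus, otherwise assistive-technology users may fill it in and be classified as bots.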

PlayThru

Combining intuitive puzzles with proprietary algorithms, PlayThru was designed to be a simpler and more user-friendly method of security than CAPTCHA. PlayThru presents you with a simple game like “fill your bag” or “put food on your plate” (see below) to make things a little more exciting.

An example of the PlayThru test.


Key takeaway

CAPTCHA solved a significant internet security problem, and one that continues to challenge digital developers to this day. But solutions to problems are at their best when they don’t create new problems or challenges for users. Designing for accessibility shouldn’t be an afterthought. Including all users in your design is an important step in delivering the best possible solutions for everyone. Imagine a world that never presented those hard-to-decipher images in the first place.

Darren Mariadas