Captcha tests (2/2): Alternatives and Best Practices
In a previous post, I discussed captcha tests, their reason for being, and how easy it is to bypass the system. I also mentioned that adding more noise to the test makes it harder for human users as well. However, while researching different strategies to satisfy security requirements while still letting users get through this step, I found that a number of variations on the captcha test exist. Here’s a quick overview.
The Classic Captcha
Figure 1: MSN sign-up
The Animated Captcha
– The captcha isn’t fully revealed all at once and/or its environment is constantly in motion, which makes the test harder for a robot.
– If the user misses a letter, they have to wait for it to reappear, so the entire animation sequence demands sustained attention.
The Specialized Captcha
– It’s hard for a robot to understand this test.
– It takes a human too long to work out the response after reading a series of numbers and letters.
– Only people familiar with these equations will be able to use the service (if that is the goal, then perfect; if not, it may be better to avoid losing these users).
– The answers to this kind of captcha test are usually kept simple to limit the risk of error, which makes them easy to guess and therefore unreliable. And when the answer isn’t simple, it’s ambiguous: if the response is 1.748242149, should you round, and to how many decimal places? (The correct answer is 0…)
The Language-Based Captcha
Figure 4: Language-based captcha: What is the opposite of hot?
– It’s hard for a robot to understand the question’s syntax and, in the first case, to link the numbers to the expected response or, in the second case, to make the distinction between “opposite” and “hot”.
– With easy questions, users should be able to answer quickly and without difficulty.
– Writing simple questions that elicit a response without hesitation can take a lot of work.
The Recognition-based Captcha
– It’s hard for a robot to recognize and identify shapes in photos, all the more so as the photo’s detail and quality decrease, which widens the margin of error.
– Be careful with this option too. People won’t always recognize an animal automatically, for example. You can’t assume that users will always find the answer to these “puzzles”. It’s important to always offer the option of obtaining another captcha that is more in line with something the user knows. In fact, this is true for all captchas.
As you can see, there are a number of different kinds of captcha tests, and we’ve reviewed, fairly briefly, their respective strengths and weaknesses. Each captcha test has a different look, involves the user in a different kind of interaction and calls upon different cognitive abilities: language, shape recognition, reasoning (calculation, …).
There are ways to analyze responses and to design forms that give a fair idea of whether the user filling in the form is human or not. But, in my opinion, a robot’s designer could easily defeat all of them. For example, you could hide a field from the user that only a robot would fill out, but this too can be bypassed. It’s much easier to uncover the pattern in these practices than it is to model a cognitive process with algorithms.
So even if it might seem a little strange to have to prove your humanity, it’s better not to standardize the type of captcha test you use. Continue using a variety of these tests, even within the same service. Take, for example, service Y: it presents a different captcha test (selected at random) at each access point of its sign-up page. It would be harder, if not impossible, for a robot to defeat this system, since it would have to determine which action and response each test requires. That said, some standardization is still needed: the difficulty should lie in the type of test, and people must still be able to get through this step quickly and easily. Above all, it shouldn’t become an obstacle to accessing your online service. This is why it’s so important to know your users’ characteristics and which cognitive mechanisms passing the captcha test requires.
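To make the design concrete, here is an added example (not code from the original post or from any service it mentions) of the server side of what service Y does: a small registry that picks a challenge kind at random for each request, keeps the issued challenge by a single-use token, checks the hidden field a human never fills in, and only then checks the answer. The question banks, the hidden field name `website`, and the restriction to integer arithmetic answers (to avoid the rounding ambiguity discussed above) are all assumptions made for this example.

```python
"""Added example (not from the original article): a minimal server-side
challenge registry that mixes several captcha kinds, chosen at random per
request, plus the hidden 'honeypot' field check the article mentions.
Question banks, field names and the seed parameter are assumptions."""
import random
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Challenge:
    kind: str                    # which cognitive mechanism the test relies on
    prompt: str                  # text shown to the user
    check: Callable[[str], bool]  # server-side validation of the submitted answer


# Language-based bank (constructed for this example); several spellings are
# accepted so that a correct human answer is not rejected on a technicality.
OPPOSITES = {"hot": {"cold"}, "up": {"down"}, "open": {"closed", "shut"}}


def language_challenge(rng: random.Random) -> Challenge:
    word = rng.choice(sorted(OPPOSITES))
    answers = OPPOSITES[word]
    return Challenge("language", f"What is the opposite of {word}?",
                     lambda a: a.strip().lower() in answers)


def arithmetic_challenge(rng: random.Random) -> Challenge:
    # Only integer results are generated: the article points out that a
    # non-integer answer leaves the user guessing how many decimals to give.
    a, b = rng.randint(2, 12), rng.randint(2, 12)
    expected = a * b

    def check(answer: str) -> bool:
        try:
            return int(answer.strip().lstrip("+")) == expected
        except ValueError:
            return False

    return Challenge("arithmetic", f"What is {a} times {b}?", check)


GENERATORS = [language_challenge, arithmetic_challenge]

# Name of the field that is rendered invisible to humans (assumed name);
# anything submitted in it is treated as a sign of automated filling.
HONEYPOT_FIELD = "website"


class ChallengeStore:
    """Holds issued challenges by opaque token (stand-in for a session store)."""

    def __init__(self, seed: Optional[int] = None):
        # A fixed seed is only for reproducible tests; production uses the OS CSPRNG.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._issued: dict = {}

    def issue(self):
        """Pick a challenge kind at random for this request and return (token, challenge)."""
        challenge = self.rng.choice(GENERATORS)(self.rng)
        token = secrets.token_urlsafe(16)
        self._issued[token] = challenge
        return token, challenge

    def verify(self, token: str, form: dict):
        """Validate a submitted form; returns (accepted, reason)."""
        challenge = self._issued.pop(token, None)  # single use: no replay of a solved token
        if challenge is None:
            return False, "unknown or reused token"
        if form.get(HONEYPOT_FIELD, ""):
            return False, "honeypot field filled"
        if not challenge.check(form.get("captcha_answer", "")):
            return False, f"wrong answer to {challenge.kind} challenge"
        return True, "ok"


if __name__ == "__main__":
    store = ChallengeStore()
    token, challenge = store.issue()
    print(f"[{challenge.kind}] {challenge.prompt}")
    print(store.verify(token, {"captcha_answer": input("> "), HONEYPOT_FIELD: ""}))
```

The order of the checks matters: the token is consumed before anything else so that a correct answer cannot be replayed, and the hidden field is inspected before the answer so that a submission which fills it is rejected even if the answer happens to be right. Adding a third challenge kind is a matter of appending another generator to `GENERATORS`; the rest of the flow is unchanged.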