A completely automated public Turing test to tell computers and humans apart (CAPTCHA) is designed to limit access. If you're a human, you can pass these tests and gain access. If you're a bot, you can't.
Almost all of the top 1 million websites around the world use some form of CAPTCHA. But some say the technology comes with so many limitations that it should be eliminated.
Who is right? Who is wrong? And what should you do to protect your company?
Let's dive into what CAPTCHAs are, how they work, and why you might consider adding them to your web-based resources.
What Is CAPTCHA?
You navigate to a website, and you want to do something when you arrive. Perhaps you want to log in, make an appointment, schedule a purchase, or leave a comment. Before you can do anything, you must pass a tiny test. That examination is typically in CAPTCHA form.
CAPTCHA tests have been around since the mid-1990s, when website owners needed tools to keep spammers from ruining the user experience.
Now, web designers might use CAPTCHA code to:
- Prevent. Code could keep bots from flooding blogs and comment sections with notes about websites, sales, movies, and more. The code could also prevent bots from submitting a form (like a vote) more than once.
- Protect. If your site offers a signup, a CAPTCHA could keep bots from requesting hundreds or thousands of usernames/passwords. This same technique could shield your web address from spammers.
- Shield. CAPTCHA code could keep bots from launching dictionary attacks on your password systems. It is also used as a protection against email worms.
We've all encountered CAPTCHA at least once as we've scrolled through websites and attempted to fill out forms. Anything that involves solving a puzzle or passing a test before you can move forward is an example of this technology. But plenty of CAPTCHA types exist, including some you may not have seen before.
A CAPTCHA test could involve:
- Images. You're shown a photograph of something you recognise (like a street corner), and you're asked to tap on everything that fits a category (like sidewalks).
- Numerals. The test shows you a simple mathematical equation, and you must solve it.
- Sound. Someone speaks a series of letters and numbers, and you must enter them properly.
- Text. You're shown a series of letters, and some kind of interference (like a line or a bubble) makes reading it somewhat challenging. You must enter the right letters in the proper order.
CAPTCHA tests can also be remarkably creative. You might be given a sentence with a word or two missing, and you must complete it according to the instructions. Some designers even use puzzles, such as requiring users to put non-flying objects on the ground.
How Do CAPTCHA Tests Work?
Whether you're using images, numerals, words, or games, you're presenting a human with a challenge that a computer can't complete. The idea that humans are smarter than computers underpins every CAPTCHA test.
Programmers can force computers to react in one of a few ways when presented with a challenge. For example, code could tell the bot to always enter "554" in an open box. But CAPTCHA is always changing, even on the same site, so pre-programmed techniques won't work. For an attack to succeed, the code must always change too. And the average hacker doesn't have enough time to make that happen.
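As an added illustration (not code from the original article or from any CAPTCHA product), here is a minimal server-side lifecycle for the "numerals" test type: a fresh random challenge per request, one attempt per challenge, and a short expiry, which is why a hard-coded answer such as "554" fails. The function names, the 120-second lifetime, and the in-memory store are assumptions, and the plain-text sum stands in for whatever challenge a site actually renders.

```python
import secrets
import time

TTL_SECONDS = 120   # assumed lifetime of a challenge
_pending = {}       # challenge_id -> (expected_answer, expires_at); in-memory for this sketch


def new_challenge(now=None):
    """Create a fresh random challenge and return (challenge_id, question).

    The expected answer stays on the server; the client only sees the
    opaque id and the question text.
    """
    now = time.time() if now is None else now
    # Drop expired entries so unanswered challenges do not accumulate.
    for cid in [c for c, (_, exp) in _pending.items() if exp < now]:
        del _pending[cid]
    a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (a + b, now + TTL_SECONDS)
    return challenge_id, f"What is {a} + {b}?"


def verify(challenge_id, response, now=None):
    """Return True only for the correct answer to a live, unused challenge."""
    now = time.time() if now is None else now
    # pop(): each challenge gets exactly one attempt, right or wrong, so an
    # answer can be neither guessed repeatedly nor replayed later.
    entry = _pending.pop(challenge_id, None)
    if entry is None:
        return False
    expected, expires_at = entry
    if now > expires_at:
        return False
    try:
        return int(str(response).strip()) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    cid, question = new_challenge()
    print(question)
    print("scripted '554':", verify(cid, "554"))
```

The one-attempt rule matters as much as the randomness: if a failed answer left the challenge alive, a script could walk through the small answer space against a single challenge.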
Benefits & Drawbacks of CAPTCHA Code
Bots can ruin your website experience for users. No one wants to wade through comments sections filled with automated responses. And your security team doesn't want to handle the added risks that password guessing poses. If security and user experience are critical, CAPTCHA makes sense.
But real drawbacks exist, including:
- Security susceptibility. Programs with machine-learning capabilities can crack even well-designed CAPTCHA code. If you place the tests on your site and neglect follow-up, you could leave your company open to hackers. A dedicated attacker could also hire humans to solve your code and gain access.
- Legislative requirements. In most states in the US, you must make your site accessible to everyone, including those who can't see or hear. If your CAPTCHA tests rely solely on visual or audible cues, assistive technologies can't interpret them. You effectively block people from using your site, and you could incur a hefty fine.
- Language barriers. Researchers say non-native English speakers often struggle with CAPTCHA. They need extra time to recognise English letters, and they may not understand how to complete sentence-based tests. If your site is accessible to people who speak other languages, you could be excluding members of your potential audience.
- Cultural limitations. Challenges that work in America may not work in Greece. For example, if your challenges involve traffic signals in the United States, you may baffle your foreign visitors.
Balancing security with accessibility isn't always easy. CAPTCHA makes the task exponentially harder.
CAPTCHA Test Alternatives
A standard CAPTCHA test can make it harder for people to enter and use your website. But you're not required to either use the technology or eliminate it altogether. Lean on other options to help you secure your resources.
A No CAPTCHA/reCAPTCHA system offers two choices. A standard user can click one box that says, "I am not a robot," and then proceed normally. If the system detects activity that seems somehow suspicious, a CAPTCHA box appears and the user must pass the challenge.
You could also lean on spam detection tools. These programs look over the data users submit and flag anything suspicious for your approval or deletion. A system like this is invisible to your users, but it keeps your site safe and secure.
At Okta, we believe in security that protects data without burdening users. We'd love to tell you more about how we can help you balance security and usability at your organisation. Contact us, and let's start a conversation.