
Traditional CAPTCHAs are becoming less effective in the AI era, Tam Nguyễn says

It’s not easy for computers to tell humans from other computers posing as humans. Andrii Shelenkov/Stock via Getty Images

By Tam Nguyễn*

CAPTCHAs are those now ubiquitous challenges you encounter to prove that you’re a human and not a bot when you go to log in to many websites.

Websites and mobile apps have long been attacked by bots on a massive scale. Those malicious bots are programmed to automatically consume a large amount of computing resources, post spam messages, collect data from websites and even register and perform user authentication. This state of affairs led to the introduction of CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

As a computer scientist, I see CAPTCHAs as an effective shield for websites to prevent automated attacks, enhance cybersecurity and improve user experience – at least in the short term. For example, denial-of-service attacks create a bottleneck and cause a web server to become overloaded and unresponsive. CAPTCHAs help stop automated bots from executing such denial-of-service attacks and even fraudulent activities such as sending spam messages and creating fake accounts.

Meanwhile, financial institutions rely on CAPTCHAs to protect against bots trying to steal clients’ data. Additionally, CAPTCHAs improve the integrity of online voting and polls by preventing automated bots from manipulating results.

How CAPTCHAs work

CAPTCHAs are designed to show questions or challenges that are easy for humans but difficult for computer bots to answer. In practice, there are several types of CAPTCHAs: text-based, image-based, audio-based and behavior-based.

Text-based CAPTCHAs have been very popular since the early days of the internet. This CAPTCHA type requires users to read a distorted and complicated image of text and enter the answer into a text field. A variant of text-based CAPTCHA asks users to solve simple math problems like “18+5” or “23-7.” However, text-based CAPTCHAs were recently solved by advanced optical character recognition algorithms, thanks to the proliferation of deep-learning AIs.

three rectangular graphics, the left and center contain text and colors, the right a photo

CAPTCHAs come in text, audio and image forms. Screencaptures by Tam Nguyen

When the text is tuned to be more distorted and more complicated, actual humans ironically fail to provide a correct answer.

Audio CAPTCHA plays a short audio clip containing a series of numbers or letters spoken by a human or synthetic voice, which the user listens to and then types into a provided text field. The input is verified against the correct answer to determine whether the user is human. Like text-based CAPTCHAs, audio CAPTCHA can be difficult for humans to interpret due to factors such as background noise, poor audio quality, heavy distortion and unfamiliar accents.

Image-based CAPTCHAs were introduced to make it more challenging for bots. Users must identify specific objects from images – for example, selecting all image blocks containing traffic lights. This task leverages human visual perception, which is still superior to most computer vision-based bots. However, this type of CAPTCHA also confuses people in many cases.

Photo of a person riding a bicycle segmented into 16 squares

Image CAPTCHAs often confuse people. Is the rider considered part of the bicycle? Annotated screen capture by Tam Nguyen

Behaviour-based CAPTCHAs analyse user behaviours such as mouse movements and typing patterns. reCAPTCHA, a popular behaviour-based CAPTCHA, requires users to check the “I am not a robot” box. During this process, reCAPTCHA analyses mouse movements and clicks to differentiate between humans and bots. Humans typically have more varied and less predictable behaviours, while bots often show precise and consistent actions.
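The varied-versus-consistent distinction described above can be sketched as a server-side check over the pointer samples recorded before the checkbox click. This is an added example, not reCAPTCHA's logic or code from the article; the function names, the trace format and every threshold are assumptions chosen for illustration.

```javascript
// Constructed sample traces: [x, y, tMillis] pointer samples before the click.
const scriptedTrace = [[0, 0, 0], [40, 30, 10], [80, 60, 20], [120, 90, 30], [160, 120, 40], [200, 150, 50]];
const handTrace = [[0, 0, 0], [28, 35, 14], [75, 71, 25], [131, 88, 48], [170, 127, 57], [200, 150, 81]];

// Population standard deviation of a list of numbers.
function stddev(values) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, v) => a + (v - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance);
}

// Reduce a trace to three variability features.
function traceFeatures(trace) {
  const steps = [];
  const intervals = [];
  for (let i = 1; i < trace.length; i++) {
    const [x0, y0, t0] = trace[i - 1];
    const [x1, y1, t1] = trace[i];
    steps.push(Math.hypot(x1 - x0, y1 - y0)); // distance moved per sample
    intervals.push(t1 - t0);                  // time between samples
  }
  const pathLength = steps.reduce((a, b) => a + b, 0);
  const [xa, ya] = trace[0];
  const [xb, yb] = trace[trace.length - 1];
  const chord = Math.hypot(xb - xa, yb - ya);
  return {
    straightness: pathLength > 0 ? chord / pathLength : 1, // 1.0 = ruler-straight path
    intervalJitter: stddev(intervals),
    stepJitter: stddev(steps),
  };
}

// Hypothetical thresholds: a real deployment would tune these on labelled traffic.
const LIMITS = { straightness: 0.995, intervalJitter: 1, stepJitter: 1 };

function classifyTrace(trace) {
  // Keyboard, touch and assistive-technology users may produce no pointer path,
  // so too little data means "fall back to another check", not "bot".
  if (trace.length < 3) return "insufficient-signal";
  const f = traceFeatures(trace);
  const uniform = f.straightness >= LIMITS.straightness &&
    f.intervalJitter <= LIMITS.intervalJitter &&
    f.stepJitter <= LIMITS.stepJitter;
  return uniform ? "suspicious-uniform" : "plausible-human";
}
```

A single trace is weak evidence on its own; signals like these are one input to a risk score rather than a final verdict.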

AI vs human

CAPTCHA is one more battleground in the seemingly endless battle between AI and humans. Nowadays, AI has become more advanced, using modern techniques such as deep learning and computer vision to solve CAPTCHA challenges.

For instance, optical character recognition algorithms have improved, making text-based CAPTCHAs less effective. Audio CAPTCHA can be bypassed by advanced speech-to-text technology. Similarly, AI models trained on vast image datasets can solve many image-based CAPTCHAs with high accuracy rates.

On the other side of the battlefield, CAPTCHA researchers have created more complex CAPTCHA technologies. For example, reCAPTCHA assesses user interactions and computes their likelihood of being human.

Ironically, humans are helping AI solve complicated CAPTCHAs. For instance, click farms hire a large pool of low-paid workers to click on ads, such as social media posts, follow accounts, write fake reviews and even solve CAPTCHA questions. Their work is to help AI systems behave like humans in order to defeat CAPTCHAs and other fraud-prevention techniques.

The future of CAPTCHAs

The future of CAPTCHAs will be influenced by the ongoing advancements in AI. Traditional CAPTCHA methods are becoming less effective, so future CAPTCHA systems are likely to focus more on analysing user behaviour, such as how people interact with websites, making it harder for bots to mimic that behaviour.

Websites might turn to the use of biometric CAPTCHAs, such as facial recognition or fingerprint scanning, though these raise privacy concerns. CAPTCHA can be replaced by blockchain, which uses verifiable credentials to authenticate users. These credentials, issued by trusted entities and stored in digital wallets, ensure interactions are performed by verified humans rather than bots.

Future CAPTCHAs might work alongside AI systems in real time, constantly adapting and evolving to stay ahead of automated attacks.


*Tam Nguyen, Associate Professor of Computer Science, University of Dayton. This article is republished from The Conversation under a Creative Commons license. Read the original article.


6 Comments

The migration to passkeys on trusted devices can't happen soon enough. Do you have any recommendations for people on which organisation to sign in with (Apple, Google, Microsoft, Facebook)?

Up
0

Let's never speak of Microsoft and Apple's sign in "features" ever again. The number of people locked out of their personal or study accounts because they also have a work account and vice versa has been far too many. Please tech companies just learn the 'one to many' relationship exists with accounts already and fix the fricken apps. Or Apple's epic bug they had for years of if you don't know the admin root password just press enter with an empty field 6 times and it will not only let you into the system it will ensure a root account is available to you with a null password. Classic stuff.

Let's never migrate to passkeys; the security and account management with these companies is bad enough that just having a functional login auth management that is only partially secure is still leagues away. Device sim swapping etc is trivial while setting up a new computer or phone to access your accounts again (that are locked to a fixed device that degrades in less than a few years and frequently fail before that or can easily be stolen) is still a nightmare. If you think a passkey to get into your key financial and communication data is safe please take a good look at your touchscreen (even using a camera placed just above your head).

Up
0

I've got this! We need to exploit human fallibility.

"Which of the following is syntactically and grammatically correct? Please answer truthfully."

The AI will get it right.

Up
0

This is scary s**t to a nearing 70yo.

I might just forsake digital and return to analog.

I've had experience lately with next iteration CAPTCHA that I negotiated but was pretty confused by on the first encounter.

I have fears that people will not be able to participate in society without risking their most essential privacy and identity to the "security" of a handful of mega off shore corporations with the ethics and behaviours of a newly calved cow with a touch of magnesium deficiency - take you out any way they can unless you leave them alone to do what they want to do.

That may go over the head of many readers here, but in essence it speaks of unpredictability, arrogance, personal danger and too big to be accountable.

Up
0

"I have fears that people will not be able to participate in society without risking their most essential privacy and identity"

That is already the case for many blind people who are often denied access because most captchas are designed to be inaccessible to people with vision difficulties.

So they are literally either denied access to essential services & businesses or forced to go begging to hand all their identity details to random strangers who have no obligation to not copy and use them for identity theft (in fact in NZ the identity theft is practically encouraged).

So be glad it has not happened to you yet. But with more screen time & modern lighting systems that period of relative access can be shortened.

Hmm some tips to avoid normal degeneration that is not disease related:

Keep eyes moist, (dryness deforms the shape so an eye mask at night can help).

Take visual breaks and look at a diversity of distance objects.

Always wear glasses even on less sunny days.

Never look at or avoid directly looking at oncoming traffic lights at night (the highbeams on with the new light models are real kickers).

Add a red light dimming app to your phones and computers, e.g. flux, twilight, dim screen and leave it running permanently.

Avoid makeup and certain beauty youth products around the eyes.

Learn to practice eye baths for cleaning out irritants.

Get regular eye checks to catch any oncoming disease or symptoms of more serious medical conditions.

Also that stuff about vitamins and eye sight was a myth cooked up to divert attention away from the use of radar at night. While vitamins help health & immunity in general and virus prevention is especially important (so stay vaccinated esp for the shingles which can especially damage eyesight) there is very little that can be said to directly target the eyes and most vitamin studies show similar results to placebos.

Vaccinations are a significant preventative of long term disablement & many other effects (esp avoiding the shingles hitting the nerves around the eye can save your eyesight) but in general this should be done anyway as the immune system is especially faulty in older ages & for many under physical stress e.g. athletes who push too hard.

 

 

Up
1