CAPTCHA Alternatives for a commercial product?

Right now I am working on a project that will be a PayPal-esque financial application, and of course security is a big issue with this one.

We had a great meeting talking about security measures that could be added to the forms to ensure that only real users will be able to log in.

I collected the ones I could think of, based on the W3C whitepaper and my own experience, and this is the list with pros and cons for each of them:

CAPTCHA (http://www.captcha.net/)

This method generates “imagery with distorted words which the user is asked to enter” (http://www.captcha.net/cgi-bin/gimpy). The most common implementation is GIMPY or one of its .NET/Java alternatives:

Pro:
* Easy to implement
* Common control in Frameworks

Contra:
* hard to read for visitors with impaired vision
* impossible to use for blind visitors
* Heavy on server traffic / resources
* Already broken by published attacks and tools:
** http://www.cs.sfu.ca/~mori/research/gimpy/
** http://sam.zoy.org/pwntcha/

Another, more clever version is ESP-PIX, which relies on a “logical connection of images and text” (http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix).

Pro:
* Uncracked to date, not counting social engineering
* Relatively easy to implement
* Localisation easier – if the images are universally known

Contra:
* impossible to use for blind visitors
* Heavy on server traffic / resources

Lastly, another CAPTCHA is ESP-TEXT, which uses “an image with several words and imagery” (http://www.captcha.net/cgi-bin/esp-text).

Pro:
* Uncracked, not counting social engineering

Contra:
* hard to read for visitors with impaired vision
* impossible to use for blind visitors
* Heavy on server traffic / resources

Logical Puzzles / Multiple choice questions

These are multiple choice questions where both the question and the order of the answers change on every reload of the page. The questions need to be easy for a human to answer, but not solvable by a script:

Which of the following is a bird:
* Alligator
* Elephant
* Eagle

It is immensely important to change the order on each reload, as otherwise a script only has to submit the same position every time and would crack this in 3 attempts tops. Note that shuffling only removes that shortcut: with three answers a blind guess still succeeds one time in three, so the challenge also needs a large question pool and a limit on attempts per session.

Pro:
* accessible to all except for dyslexic users
* easier to implement and less traffic-heavy than image generation

Contra:
* high maintenance, as there needs to be a large pool of questions
* questions must be well chosen on international pages or localized to the different languages
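To make the "shuffle on every reload" requirement concrete, here is an added example (not code from the original post) of a multiple-choice challenge whose question and answer order are re-randomised per request, with the correct answer bound to an HMAC-signed, expiring, single-use token so the server does not have to keep per-challenge state. The question pool, the server key, the 120-second lifetime and the in-memory nonce set are all assumptions for the example.

```python
"""Added example: shuffled multiple-choice challenge with a signed, single-use token.
The question pool, SERVER_KEY, CHALLENGE_TTL and the nonce store are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical question pool; a real deployment needs a far larger, localised one.
# Each entry: (question, correct answer, decoys)
QUESTIONS = [
    ("Which of the following is a bird?", "Eagle", ["Alligator", "Elephant"]),
    ("Which of the following is a colour?", "Blue", ["Hammer", "Tuesday"]),
    ("Which of the following is a number?", "Seven", ["Apple", "Monday"]),
]

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; assumed loaded from config
CHALLENGE_TTL = 120                    # seconds a challenge stays valid (assumption)
_used_nonces = set()                   # replay protection; a shared store in production


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Pick a random question, shuffle its options and return (question, options, token).
    The token carries the index of the right option, a nonce and an expiry, all HMAC'd."""
    now = time.time() if now is None else now
    qi = secrets.randbelow(len(QUESTIONS))
    question, correct, decoys = QUESTIONS[qi]
    options = [correct] + decoys
    # Fisher-Yates shuffle driven by the secrets module, so the answer position is unpredictable
    for i in range(len(options) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        options[i], options[j] = options[j], options[i]
    payload = json.dumps({
        "q": qi,                         # kept so the server can log which question was asked
        "a": options.index(correct),     # position of the right answer in this shuffle
        "n": secrets.token_hex(8),       # nonce: one verification attempt per challenge
        "exp": int(now) + CHALLENGE_TTL,
    }).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return question, options, token


def verify_answer(token: str, chosen_index: int, now=None) -> bool:
    """True only for a fresh, untampered, not-yet-used token and the right option index."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time signature check
        return False
    data = json.loads(payload)                         # safe: signature verified above
    if data["exp"] < now or data["n"] in _used_nonces:
        return False
    _used_nonces.add(data["n"])   # a wrong guess burns the challenge too: no retry on the same token
    return data["a"] == chosen_index


if __name__ == "__main__":
    q, opts, tok = issue_challenge()
    print(q)
    for i, o in enumerate(opts):
        print(f"  {i}: {o}")
    print("token:", tok)
```

The token is what the form posts back together with the chosen index; because the expected index is only readable to the holder of `SERVER_KEY`, the client cannot learn the answer from the token, and because every token is single-use and short-lived, a script cannot bank solved challenges or retry positions against the same one.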

Sound Output

Instead of a visual (hard on the user) or textual (easy to crack) solution, you could add an audio output that asks the user to type what they hear.

Pro:
* Accessible to all but the hard-of-hearing or users without sound output

Contra:

* Expects users to know how to write a word they hear
* Not feasible in public places like internet cafés
* Expects sound output available on the client computer
* High traffic / maintenance
* Needs distortion of the sound to prevent automatic recognition

Re-using federated identity systems like Microsoft Passport or other single sign-on products

Pro:
* centralized security

Contra:
* cost
* reliance on a third party

Multi-channel distribution

This involves sending the user an SMS to confirm, or asking them to call a hotline to confirm their identity.

Pro:
* safest of the approaches listed, as an attacker also has to control the second channel

Contra:
* reliance on availability of the other distribution channel
* high maintenance
* slow log-on process
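As an added example (not from the original post), this is the server side of the SMS confirmation step described above: a short random code is generated, only a salted hash of it is stored, and the code expires, is single-use and is voided after a few wrong guesses. The code length, the five-minute lifetime, the attempt limit and the stand-in for the SMS gateway are assumptions for the example.

```python
"""Added example: server side of an SMS confirmation code.
CODE_DIGITS, CODE_TTL, MAX_ATTEMPTS and the gateway stub are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 300            # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 3          # wrong guesses before the code is voided (assumption)
_pending = {}             # user_id -> record; a shared store in production
_outbox = []              # stand-in for the SMS gateway, constructed for the example


def _hash(code: str, salt: bytes) -> bytes:
    # Store only a keyed hash so a database leak does not expose live codes
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def send_code(user_id: str, phone: str, now=None) -> None:
    """Generate a fresh code for user_id, remember its hash and hand the text to the gateway."""
    now = time.time() if now is None else now
    code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
    salt = secrets.token_bytes(16)
    _pending[user_id] = {
        "salt": salt,
        "hash": _hash(code, salt),
        "exp": now + CODE_TTL,
        "attempts": 0,
    }
    # In production this is the SMS gateway call; here it just records the message.
    _outbox.append((phone, f"Your confirmation code is {code}"))


def verify_code(user_id: str, submitted: str, now=None) -> bool:
    """True once, for the right code, within its lifetime and attempt budget."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return False
    if now > rec["exp"]:
        del _pending[user_id]          # expired: the user must request a new code
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[user_id]          # too many guesses: void the code entirely
        return False
    if hmac.compare_digest(_hash(submitted, rec["salt"]), rec["hash"]):
        del _pending[user_id]          # single use
        return True
    return False


if __name__ == "__main__":
    send_code("demo-user", "+44 7700 900123")
    print("gateway would send:", _outbox[-1])
```

A six-digit code has a million possibilities, so the attempt limit is what keeps guessing impractical; the same care is needed on the sending side, where repeated resends to one number should also be rate-limited so the confirmation step cannot be turned into an SMS-flooding tool.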

Now, my personal favourite is the multiple choice idea with a simple question; however, the issue is that the application will be localised in many languages, which means that it could become a maintenance nightmare. This is probably one of the biggest issues, where you need to push your accessibility cap a bit further back to allow the security one to fit as well.

Is there anything you could think of that I forgot?

9 Responses to “CAPTCHA Alternatives for a commercial product?”

  1. Pig Pen » CAPTCHA Alternatives For A Commercial Product - its an adventure Says:

    [...] Business Usability — nortypig @ 7:54 am CAPTCHA Alternatives For A Commercial Product from over on wait till i come. (via Roger) [...]

  2. Emil Virkki Says:

    What about a combination of a logic puzzle (though not really puzzling) and ESP-PIX? You would have for example an image of a greyhound and a cat with an alt text saying “A greyhound staring at a cat” and a selection box with “dog” and “cat” in it.

  3. Steve Williams Says:

    Perhaps I’ve missed something, but wouldn’t requesting an email address to which a confirmation link is sent be an option too?

  4. Eamon Nerbonne Says:

    Be careful with those multiple choice questions; a smart usage of Google and maybe a bit of text preprocessing can significantly increase the chance of a correct answer. There are some programs which are as good as humans on word association based purely on huge text corpora too. Furthermore, answering these questions is easy; really easy, so an exhaustive social engineering attack might be possible too. I mean, just imagine a “quiz” site which “Tests Your IQ now!” And generating such a large set of questions is probably infeasible anyhow.

    Don’t go for sound; it’s not always available (it’s usually not, actually, in many places such as colleges and quite a few simplistic home-utility PCs). People might not have it enabled either.

    Image recognition is probably still your best bet. You could go for the standard text captcha; these will work fine if you’re careful and spend a lot of time thinking about it. You could also ask people to, for instance, identify the distorted face (distort a face but not the others), or combine some element of logic into your distorted text. Basically though, make sure you log all attempts and have some basic sanity checks to identify suspicious behaviour. Anybody cracking your CAPTCHA is liable to make a few too many requests, or too many mistakes, or make too many requests too quickly, or use a weird user agent, or any combination of those. Make sure you make it easy to track those kinds of problems and identify the user accounts involved. Email verification is always good in addition if you’re really worried. That also allows some extra sanity overview; it’s very unlikely someone has a bot that can crack captchas and access to a wide variety of mail servers.
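The sanity checks Eamon lists (too many attempts, too many mistakes, attempts too close together, an odd user agent) are easy to run over an attempt log. The following is an added example, not part of Eamon's comment or the original post: it parses constructed CAPTCHA-attempt log lines and flags client IPs per check. The log format, the thresholds and the list of automation user-agent prefixes are assumptions.

```python
"""Added example: sanity checks over CAPTCHA-attempt logs.
The log format, thresholds and AUTOMATION_UA_PREFIXES are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): timestamp, client IP, result, user agent.
SAMPLE_LOG = """\
2008-05-19T10:00:01 203.0.113.5 fail Mozilla/5.0 (Windows NT 5.1) Firefox/2.0
2008-05-19T10:00:02 203.0.113.5 fail Mozilla/5.0 (Windows NT 5.1) Firefox/2.0
2008-05-19T10:00:02 203.0.113.5 fail Mozilla/5.0 (Windows NT 5.1) Firefox/2.0
2008-05-19T10:00:03 203.0.113.5 fail Mozilla/5.0 (Windows NT 5.1) Firefox/2.0
2008-05-19T10:00:03 203.0.113.5 ok   Mozilla/5.0 (Windows NT 5.1) Firefox/2.0
2008-05-19T10:00:04 203.0.113.5 fail Mozilla/5.0 (Windows NT 5.1) Firefox/2.0
2008-05-19T10:01:10 198.51.100.7 ok   Python-urllib/2.5
2008-05-19T10:05:00 192.0.2.44 fail Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2008-05-19T10:05:40 192.0.2.44 ok   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
"""

# Thresholds are illustrative assumptions; tune them against your own baseline traffic.
WINDOW_SECONDS = 60            # burst window
MAX_ATTEMPTS_IN_WINDOW = 5     # more than this inside one window is a burst
MIN_ATTEMPTS_FOR_RATIO = 4     # do not judge a failure ratio on a couple of attempts
MAX_FAIL_RATIO = 0.5
MIN_GAP_SECONDS = 1.0          # humans rarely submit two challenges within a second
AUTOMATION_UA_PREFIXES = ("Python-urllib", "curl/", "Wget/", "libwww-perl", "Java/")


def parse_log(text):
    """Return a list of (timestamp, ip, succeeded, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result, ua = line.split(None, 3)
        events.append((datetime.fromisoformat(ts), ip, result == "ok", ua))
    return events


def analyse(text):
    """Group attempts by client IP and return {ip: set_of_flags} for suspicious clients."""
    by_ip = defaultdict(list)
    for ts, ip, ok, ua in parse_log(text):
        by_ip[ip].append((ts, ok, ua))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        times = [r[0] for r in rows]
        flags = set()

        # Too many requests: sliding window over the sorted timestamps
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > MAX_ATTEMPTS_IN_WINDOW:
                flags.add("too_many_attempts")

        # Too many mistakes: failure ratio once there is enough data to judge
        if len(rows) >= MIN_ATTEMPTS_FOR_RATIO:
            fails = sum(1 for _, ok, _ in rows if not ok)
            if fails / len(rows) > MAX_FAIL_RATIO:
                flags.add("too_many_failures")

        # Too quick: any two consecutive attempts closer than a human would manage
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if any(g < MIN_GAP_SECONDS for g in gaps):
            flags.add("too_fast")

        # Weird user agent: known HTTP libraries rather than browsers
        if any(ua.startswith(AUTOMATION_UA_PREFIXES) for _, _, ua in rows):
            flags.add("automation_user_agent")

        if flags:
            findings[ip] = flags
    return findings


if __name__ == "__main__":
    for ip, flags in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, sorted(flags))
```

Run over the constructed log, the bursting client is flagged on three checks at once while the two-attempt client with a 40-second gap is left alone; in practice the same grouping would be done per account as well as per IP, as the comment suggests, so that the accounts involved can be tracked.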

  5. Lode Says:

    Other things I’ve seen that seem to work are a simple math question (3 + 4 = ?), when properly obfuscated via JavaScript, or even a simple checkbox: ‘This is not spam’ (like Jon Hicks uses).

  6. Glenda Watson Hyatt Says:

    As I’m writing a brief article on captchas and accessibility, I found this interesting. It seems like there is no ideal solution yet: audio captchas may work for those using screen readers but not for those who are deaf-blind. Multiple choice questions may work for those who are deaf-blind, if not culturally or socioeconomically biased, but not for those with cognitive impairments. Perhaps offering a variety of captchas is the current “accessible” solution, the best we can do until a more “ideal” solution is found?

  7. jason Says:

    Look at http://www.protectwebform.com/. This is a captcha service; it supports a reload button and audio, and is customizable.

  8. MustLive Says:

    Chris!

    Your captcha is vulnerable (as you can see from my Captcha bypass tests). This captcha is vulnerable to my MustLive CAPTCHA bypass method. You need to use more secure protection.

    This captcha will be in my Month of Bugs in Captchas (websecurity.com.ua/1461/)

    A lot of captchas (image and text and logical also, like yours) are vulnerable. Including ESP-PIX, which is vulnerable to my method (so it is no longer “uncracked”, as you wrote; many captchas which are immune to OCR are vulnerable to my bypass method). And a lot of captchas will be in my new project.

    Best wishes & regards,
    MustLive
    Administrator of Websecurity web site

  9. Vyath Says:

    How about this? A Captcha alternative that relies on sarcasm!
    http://www.solstice.co.il/2008-05-19/introducing_slauth_our_new_anti_spambot_solution

Wait till I come! is the blog of Christian Heilmann, a developer evangelist living and working in London, England.
