Is reCAPTCHA Still Effective in Times of Generative AI?
By: Zoe Allard
March 29, 2023
When the internet was first gaining massive popularity in the early 2000s, it was flooded with bots. The solution was a variation of the Turing test called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), a challenge-response test used to determine whether a user is human. Early CAPTCHAs involved identifying obscured images of letters and numbers, but these images, while difficult for bots to bypass, were often hard or impossible for humans to decipher as well. Bots could still defeat these tests using machine learning while humans struggled, meaning CAPTCHA often degraded the user experience while failing to keep bots off a website. In 2009, Google acquired a new version of CAPTCHA called reCAPTCHA and redesigned it to improve the user experience by reducing the amount of interaction needed to verify a user as human. While reCAPTCHA is an improvement over its predecessor in usability, it remains just as vulnerable to AI that uses machine learning to bypass these Turing tests.
Why reCAPTCHA Will Soon be Obsolete in Times of Generative AI
Now, Google’s reCAPTCHA uses a so-called “invisible CAPTCHA” that claims to be “tough on bots, easy on humans” and has yet to be cracked by AI; however, some computer scientists claim they could get past it. This CAPTCHA-less reCAPTCHA system works by analyzing users’ behavior on a webpage and giving them a score between zero and one. Users with lower scores are more likely to be bots, and those with higher scores are more likely to be humans. In theory, this system should be tougher on bots, as Google claims, but it is flawed because websites set their own score threshold for what is considered a bot. Because websites want to avoid their users being mistaken for bots, they tend to relax this threshold, making it easier for AI using machine learning to eventually get through. With AI products like ChatGPT and Dall-E becoming more and more advanced, it’s only a matter of time before modern generative AI such as these can consistently fool Google’s current reCAPTCHA system, making it obsolete.
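The threshold problem described above, as an added example that is not code from the original article or from Google: a server-side policy that checks the fields of a score-based siteverify response and uses two cutoffs with a step-up band, shown next to the single relaxed cutoff. The cutoff values, the hostname shop.example, the function names and the sample responses are all assumptions constructed for illustration.

```python
# Added example: acting on a reCAPTCHA v3 siteverify response server-side.
# Thresholds, hostname and sample responses are constructed assumptions.
ALLOW_AT = 0.7      # assumed cutoff: accept at or above this score
CHALLENGE_AT = 0.3  # assumed cutoff: below ALLOW_AT but at/above this, step up

def decide(resp, expected_action, expected_hostname,
           allow_at=ALLOW_AT, challenge_at=CHALLENGE_AT):
    """Return 'allow', 'challenge' or 'block' for a parsed siteverify body."""
    # A token that failed verification (expired, reused, malformed) has no
    # trustworthy score, so it is rejected before the score is read.
    if resp.get("success") is not True:
        return "block"
    # The token must have been issued for this action on this site; otherwise
    # a good score earned on another page or host could be presented here.
    if resp.get("action") != expected_action:
        return "block"
    if resp.get("hostname") != expected_hostname:
        return "block"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"
    if not 0.0 <= score <= 1.0:
        return "block"
    if score >= allow_at:
        return "allow"
    # Middle band: ask for a second signal instead of lowering the cutoff.
    return "challenge" if score >= challenge_at else "block"

def single_threshold(resp, threshold):
    """The one relaxed cutoff the article describes, kept for comparison."""
    ok = resp.get("success") is True and resp.get("score", 0.0) >= threshold
    return "allow" if ok else "block"

# Constructed siteverify-style responses (not captured from a real site).
SAMPLES = [
    {"success": True, "score": 0.9, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.5, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.1, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.9, "action": "homepage", "hostname": "shop.example"},
    {"success": False, "error-codes": ["timeout-or-duplicate"]},
]

def compare(samples=SAMPLES, relaxed=0.3):
    """Pair each sample's tiered decision with the relaxed single-cutoff one."""
    return [(decide(s, "login", "shop.example"), single_threshold(s, relaxed))
            for s in samples]

if __name__ == "__main__":
    for tiered, relaxed in compare():
        print(f"tiered={tiered:9s} relaxed={relaxed}")
```

The second and fourth samples are where the two policies differ: a mid-range score gets a step-up instead of a pass, and a high score issued for a different action is rejected.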
Generative AI products like ChatGPT are based on Large Language Models (LLMs), which are machine learning systems that process terabytes of data, often taken directly from the internet, and learn patterns and associations from the dataset in a process called training. But just how good is generative AI at fooling reCAPTCHA? In 2013, researchers at Vicarious, an artificial intelligence firm funded by Amazon’s founder Jeff Bezos and Facebook’s Mark Zuckerberg, first announced that they had designed a generative AI that could defeat Google’s reCAPTCHA test with 90% accuracy. Google responded by making its reCAPTCHA test more difficult, but Vicarious’s software could still pass it 66.6% of the time. By 2019, researchers from the University of Indiana had designed software that could defeat Google’s reCAPTCHA v2 with a 92.4% success rate and within an average time of 14.8 seconds. They claimed that their AI could solve reCAPTCHA with dynamic images better than humans. Below is a video of their reCAPTCHA-breaking software in action.
How humanID’s SSO Works
Although Google’s current reCAPTCHA system (called reCAPTCHA Enterprise) has yet to be cracked by AI, with the capabilities of large data analysis and machine learning, it’s not a question of if it will happen, but when. It is clear that reCAPTCHA will soon not be enough to prevent bots from accessing websites in times of generative AI, but there are better alternatives out there, such as humanID’s anonymous one-click authentication system.
Why humanID is a Good Alternative to reCAPTCHA
humanID is a non-profit organization that has developed a one-click authentication service that provides safety, anonymity, and accountability. Like some other authentication services, humanID requires a phone number for users to authenticate themselves, but unlike other authentication services, humanID never saves users’ phone numbers to its servers and never shares them with the accessed website. Instead, the phone number is hashed with a random identifier and securely deleted soon after the user accesses the website. This makes humanID a safer option for users, but how does it prevent bot accounts? humanID does not allow users to make duplicate accounts with the same phone number, which drastically reduces the prevalence of bot accounts on websites that use humanID’s authentication system. humanID is a great alternative to Google’s reCAPTCHA because it has the benefit of remaining easy on humans, while truly being tougher on bots.