Alternatives to CAPTCHA

By Alan Zu

December 30, 2020

CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” is a test meant to differentiate real human users from bots that are using whatever service the CAPTCHA is protecting. You’ve dealt with them before. While a number of different CAPTCHAs are in use, the most common one in the current era is reCAPTCHA. This current iteration definitely has its merits, such as ease of implementation from a trusted source, but unfortunately the ineffectiveness of CAPTCHA is slowly becoming more and more apparent, so developers are starting to look for alternatives.

Why CAPTCHA is, and always has been, kinda useless

CAPTCHAs tend to ask users to decode some sort of visual or audio puzzle that computers have a harder time completing. ReCAPTCHA in particular asks a user to select images that match the prompt. The logic behind this is that robots cannot recognize certain objects, especially from differing angles; a task that is relatively intuitive to human beings is actually somewhat difficult for bots. This way, bots will not be able to enter, and therefore abuse of websites for nefarious purposes should be mitigated.

However, CAPTCHAs have always had a loophole. CAPTCHA is usually implemented to deter users from creating an absurd number of accounts through the use of bots, but there are ways around this. You could hire people to solve 1000 CAPTCHAs for under 5 dollars. After “proving that you are human,” you could use a bot afterward to do whatever you wanted anyway. Therefore, although CAPTCHA serves its purpose of deterring bots, it fails to prevent other means of extremely fast labour. Moreover, if robots could crack CAPTCHAs by themselves, they could cut out the middleman and automate things at an even higher pace. It just so happens that this is reality. Google has developed bot technology that solved CAPTCHAs with 99% accuracy. If a robot can crack CAPTCHA even once reliably, then the CAPTCHA is essentially useless, as a bot could just try a hundred times in the span that it takes you to screw up one and do it again.

The Alternatives

Honeypot Method

This is one of the more clever methods on this list, and if it weren’t for the fact that it involves a bit more work on the developer side, it would easily be one of the best. The honeypot method tricks spambots into filling out form fields that are hidden via code. The best part about this is that it does nothing to interrupt the user’s workflow.

In theory, the honeypot method is relatively simple. On the developer’s side, it could be as simple as adding in a line of code that you can find on GitHub. However, there are some issues with this. For one, some browsers will automatically attempt to fill out these hidden fields, which could cause issues. But that’s just a minor inconvenience, as a user could disable form autofill in their settings or just use a different browser. The potentially more problematic issue at hand is that more complex bots can bypass this method. However, developers can stop most of these bots by being creative and clever with how they implement their honeypot.
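A server-side sketch of the honeypot described above, added here as an illustration and not code from the original article. The field name `company_website`, the secret, and the timing thresholds are assumptions; the signed render timestamp is one way of being "creative" so that a bot which simply skips the hidden field is still caught when it submits faster than a person could.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-secret"  # constructed placeholder
TRAP_FIELD = "company_website"  # hypothetical decoy field name
MIN_FILL_SECONDS = 3            # assumed threshold; tune per form
MAX_AGE_SECONDS = 3600          # assumed lifetime of a rendered form


def sign(ts: int) -> str:
    """HMAC over the render time so the client cannot forge or backdate it."""
    return hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()


def render_form(now=None) -> str:
    """Return form HTML with an off-screen decoy field and a signed timestamp."""
    ts = int(time.time() if now is None else now)
    # autocomplete="off" and tabindex="-1" reduce (not eliminate) accidental
    # fills by browser autofill and keyboard users; the label helps anyone
    # who still reaches the field.
    return f"""<form method="post" action="/signup">
  <input name="email" type="email" required>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this field empty
      <input name="{TRAP_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <input type="hidden" name="ts" value="{ts}">
  <input type="hidden" name="sig" value="{sign(ts)}">
  <button>Sign up</button>
</form>"""


def check_submission(form: dict, now=None) -> str:
    """Classify a parsed POST body: 'accepted' or a rejection reason."""
    now = time.time() if now is None else now
    try:
        ts = int(form.get("ts", ""))
    except (TypeError, ValueError):
        return "bad-token"
    given = str(form.get("sig", "")).encode()
    if not hmac.compare_digest(sign(ts).encode(), given):
        return "bad-token"
    if str(form.get(TRAP_FIELD, "")).strip():
        return "honeypot-filled"   # a human never sees this field
    age = now - ts
    if age < MIN_FILL_SECONDS:
        return "too-fast"          # submitted faster than a person types
    return "expired" if age > MAX_AGE_SECONDS else "accepted"
```

Rejections are best answered with the same response a successful signup gets, so an automated client learns nothing about which check it tripped.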

Two Factor Authentication

Two factor authentication is pretty much any method that requires a user to provide more than a username and password. While there are a number of different things a two factor authentication could ask for, the most common one is providing a code sent to your phone. Because of the difficulty of providing false proof of identity, two factor authentication is extremely secure. Moreover, it requires less thinking than entering a CAPTCHA and is relatively quick. There are a number of different services you could use for two factor authentication, but if you’re struggling to find an effective one, you’re in luck. We at HumanID have our own two factor authentication that not only provides you the security of two factor authentication but is also completely anonymous, so you get the best of both worlds.

Biometric security

Yep, we’re really entering the age of high tech security. This is commonly used on modern smartphones and tablets, but it could in theory be used for plenty of other applications. Your laptop, for example, likely has a camera built into it, so that could be used to verify a number of different body parts. The upsides of biometric security are pretty outstanding. Biometric security is nearly impossible to fake, so abuse via bots is impossible. However, such security comes at a cost. There’s a lot to worry about when using biometric security. The most recognizable problem is: what if you don’t have the body part that the biometric security scanner is asking for? How exactly are you supposed to verify that you are not a robot if you cannot provide the information that’s asked for? Admittedly, this is pretty easy to solve by providing alternatives so that it’s pretty difficult not to provide something that could verify you, but doing so could prove to be a tedious task, as you may have to click “I don’t have x body part, please give me an alternative,” which takes away from the ease of use. However, potentially the biggest problem with this is identity theft. Unlike your credit card number, you can’t just cancel your fingerprint scan and get a new one, and the amount of damage someone could cause with your biometrics could be horrifying.

Which One to Pick?

While these are all great options, you might be struggling with choosing the right alternative. This is understandable, as all of them have pros and cons. Realistically, the best option is likely to pick what best fits your security needs. For the majority of websites and apps, two factor authentication is probably the best option. While it’s not as secure as biometric verification and not as easy to implement as the honeypot method, it strikes a very stable middle ground. However, if your security needs are not that high and you’re new to creating websites, the honeypot method, with its ease of implementation and user friendliness, is the pick. Lastly, if you require extreme security levels and do not mind potentially turning users away by requiring proof of identity via body parts, why are you reading this? You probably don’t need any suggestions. But if by some chance you do, then biometric security is the right choice. Regardless of which one you choose, though, you’d still be choosing a more reliable and effective method than CAPTCHA in its current iteration.