Google Reinvents the CAPTCHA

We’re all familiar with reCAPTCHAs: those scrambled letter ciphers that users are asked to key in, in order to protect websites from spam and abuse by robots. For years, web surfers have been asked to read distorted text and type it into a box—leading to a safer web, but a more frustrated user populace. Sometimes, not even live humans can get the CAPTCHAs right.

Google aims to change all of that—by reinventing the CAPTCHA experience.

“We figured it would be easier to just directly ask our users whether or not they are robots—so, we did!” said Vinay Shet, Google’s product manager for reCAPTCHA, in a blog post. “We’ve begun rolling out a new API that radically simplifies the reCAPTCHA experience. We’re calling it the ‘No CAPTCHA reCAPTCHA.’”

Now, users are asked to simply check a box that asks, “Are you sure you’re not a robot?” From there, in some cases, a CAPTCHA to solve will be presented. But not always.

While the user experience will be better, there’s another reason for the change: Today’s artificial intelligence technology can solve even the most difficult variant of distorted text, at 99.8% accuracy.

“Thus distorted text, on its own, is no longer a dependable test,” Shet said.

To counter this, Google has developed an advanced risk analysis back-end for reCAPTCHA that actively considers a user’s entire engagement with the CAPTCHA—before, during, and after—to determine whether that user is a human.

“This enables us to rely less on typing distorted text and, in turn, offer a better experience for users,” Shet said. And, “while the new reCAPTCHA API may sound simple, there is a high degree of sophistication behind that modest checkbox.”

In cases when the risk analysis engine can't confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the number of security checkpoints to confirm the user is valid.

Google has also worked on the mobile aspect of CAPTCHAs—after all, typing in a code on a smaller screen offers plenty of room for mistyping and customer dissatisfaction. So, in one example, a website visitor may be asked to tap, say, all of the pictures of turkeys within a screen of animal tiles.

“This new API…lets us experiment with new types of challenges that are easier for us humans to use, particularly on mobile devices,” Shet said.

Websites are already adopting these methods; early adopters include Snapchat, WordPress, Humble Bundle and others.

“For example, in the last week, more than 60% of WordPress’ traffic and more than 80% of Humble Bundle’s traffic on reCAPTCHA encountered the No CAPTCHA experience—users got to these sites faster,” Shet said. “Humans, we'll continue our work to keep the Internet safe and easy to use. Abusive bots and scripts, it’ll only get worse—sorry we’re (still) not sorry.”
