What CAPTCHAs can teach us about authentication

Jul 16, 2018 · 4 mins

Businesses that authenticate users online can learn a lot from a similar challenge: distinguishing robots from humans.

[Stock illustration: robotics and automation. Credit: Thinkstock]

CAPTCHAs (short for Completely Automated Public Turing test to tell Computers and Humans Apart) help to prevent the creation of fake accounts, content scraping and other malicious activity. They’re designed to verify users’ humanity, not their identities. But much like authentication, CAPTCHA systems have struggled to maintain an acceptable balance between security and user experience.

User experience has deteriorated over CAPTCHA’s 21-year history. They were fine in the beginning when it was easy enough to read their skewed characters. But the stakes have continued to rise with the willingness of attackers to invest in resources to defeat the defenses. As the character obfuscation has become more pronounced, the experience for the end user has degraded in parallel. It’s almost an Internet meme in itself: users squinting at their screens or asking for new images multiple times. It’s the exact opposite of what an authentication experience should be for a good user. Frustration kills excitement.

The sacrifice to user experience has not yielded tighter security

Even as CAPTCHA tests have become more challenging and frustrating for humans, their efficacy has stagnated. Researchers at Google and Stanford described an algorithm that used machine learning to decipher distorted CAPTCHA text. The researchers reported that they “were able to solve all the real world CAPTCHA schemes [they] evaluated accurately enough to consider the [CAPTCHA] scheme insecure in practice.” Since then, advances in artificial intelligence continue to make computers better at identifying images, a successor to character obfuscation. Bad actors also can circumvent the “Are you a bot?” question and its underlying behavioral assessment by using programs that enlist workers on Mechanical Turk or similar platforms.

Ineffective CAPTCHAs weaken authentication when designers rely on them to prevent automated attacks on login pages. As a result, it can be relatively inexpensive to develop massive networks of fake social media accounts, like those used to influence the 2016 U.S. election.

Fortunately, new techniques offer more user-friendly ways to identify robots and humans alike. According to Google, its latest version of reCAPTCHA “uses advanced risk analysis techniques, considering the user’s entire engagement with the CAPTCHA, and evaluates a broad range of cues that distinguish humans from bots.” This includes inputs like mouse movements, speed, clicks and pauses, where human behavior varies significantly from that of machines. In many cases, users can simply check a box. In others, they’re asked to identify images that contain a specific object. reCAPTCHA scrutinizes the user’s actions throughout this process and generates a score that website owners can use to grant access or, if the system suspects a bot, require additional actions. The tool provides a customizable way to filter scrapers, activate step-up authentication for suspicious logins, or identify risky e-commerce transactions.

When better user experience and stronger security come together

Just like reCAPTCHA, modern authentication techniques call for a close relationship between security teams and designers. Behavioral biometrics – usage patterns unique to an individual – can make website interactions more streamlined, because the user’s identity is confirmed in the background. That principle goes to the crux of the design challenge in authentication. It’s not enough to keep adding security layers. We have to come up with strategies that improve user experience, too.

However, “strategies” – plural – invites fragmentation of the authentication experience. Today, each channel to the same account – a web browser, a kiosk, a phone call – requires a different authentication method. This variance across channels contradicts organizations’ imperative to provide customers with an omnichannel experience. It’s a hassle for users to manage multiple usernames, passwords, personal identification numbers, challenge questions based on personally identifying information, and identity documents.

Fortunately for users, organizations can implement technologies that remove friction from the online experience, offer more choice over authentication methods at different touch points, and leverage information about the user’s device to ensure security while remaining in the background. Such a multi-factor authentication (MFA) platform allows each channel to mix the available authentication methods according to circumstance. The approach unifies the user’s experience across brands and services.

Unified authentication applies a single MFA experience to almost any type and number of applications: from web sites to kiosks to smart devices. To instill confidence while making transactions smoother, designers also can incorporate device-based authentication. For example, apps can detect the presence of users’ wearables or other paired Bluetooth devices nearby. GPS coordinates can add data that reduces the need for repeat manual authentication. This diversity of authentication methods within one platform gives organizations the assurance they need for their various use cases.
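The score-driven flow described for reCAPTCHA above, and the idea that a recognized device can reduce manual re-authentication, both come down to a server-side policy that maps a risk score onto allow, step-up, or block. The following is an added illustration written for this page; it is not code from the author, from iovation, or from Google. The JSON assessment shape (`success`, `score`, `action`, `hostname`), the threshold values, and the `KNOWN_DEVICE_BONUS` credit are all assumptions made for the example. The practitioner-relevant details it shows are failing closed on anything unparseable or out of range, and refusing a token that was issued for a different action or host, so a score earned on a low-value form cannot be replayed to unlock a login or checkout.

```python
# Added illustration: a server-side policy that turns a bot/risk score into an
# allow / step-up / block decision, in the spirit of the score-driven reCAPTCHA
# flow described above. The assessment shape, field names and thresholds are
# assumptions for this example, not the API or policy of any real product.
import json
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # let the request through
    STEP_UP = "step_up"    # demand an additional factor (OTP, push, passkey, ...)
    BLOCK = "block"        # refuse; likely automation or a tampered token


# Thresholds per protected action (constructed values). A higher-value action
# demands a higher score before it runs without extra friction.
POLICY = {
    "login":    {"allow": 0.7, "step_up": 0.3},
    "checkout": {"allow": 0.8, "step_up": 0.5},
}
DEFAULT_POLICY = {"allow": 0.9, "step_up": 0.6}   # unknown actions are treated strictly

# Score credit granted when the device is already paired/known to the account
# (assumed value; mirrors the idea that device recognition reduces manual re-authentication).
KNOWN_DEVICE_BONUS = 0.1


@dataclass(frozen=True)
class Assessment:
    success: bool     # the verifier accepted the token at all
    score: float      # 0.0 = almost certainly a bot, 1.0 = almost certainly human
    action: str       # action name the client embedded when the token was issued
    hostname: str     # site the token was issued for


def parse_assessment(raw: str) -> Assessment:
    """Parse a JSON assessment (constructed shape); malformed input yields a failed assessment."""
    try:
        data = json.loads(raw)
        return Assessment(
            success=bool(data["success"]),
            score=float(data["score"]),
            action=str(data["action"]),
            hostname=str(data["hostname"]),
        )
    except (ValueError, KeyError, TypeError):
        # Fail closed: anything we cannot parse is treated as an unsuccessful check.
        return Assessment(success=False, score=0.0, action="", hostname="")


def decide(a: Assessment, expected_action: str, expected_hostname: str,
           known_device: bool = False) -> Decision:
    """Map an assessment onto a decision, failing closed on any inconsistency."""
    if not a.success:
        return Decision.BLOCK
    # A token minted for one form (or another site) must not unlock a different action.
    if a.action != expected_action or a.hostname != expected_hostname:
        return Decision.BLOCK
    if not 0.0 <= a.score <= 1.0:
        return Decision.BLOCK          # out-of-range score means tampering or a bug upstream

    thresholds = POLICY.get(expected_action, DEFAULT_POLICY)
    score = min(1.0, a.score + KNOWN_DEVICE_BONUS) if known_device else a.score
    if score >= thresholds["allow"]:
        return Decision.ALLOW
    if score >= thresholds["step_up"]:
        return Decision.STEP_UP
    return Decision.BLOCK


def evaluate(raw: str, expected_action: str, expected_hostname: str,
             known_device: bool = False) -> Decision:
    """Convenience wrapper: parse the raw assessment, then decide."""
    return decide(parse_assessment(raw), expected_action, expected_hostname, known_device)


if __name__ == "__main__":
    # Constructed sample assessments, not captured from any real service.
    samples = [
        ('{"success": true, "score": 0.9, "action": "login", "hostname": "shop.example"}', "login", False),
        ('{"success": true, "score": 0.45, "action": "login", "hostname": "shop.example"}', "login", False),
        ('{"success": true, "score": 0.45, "action": "checkout", "hostname": "shop.example"}', "checkout", False),
        ('{"success": true, "score": 0.65, "action": "login", "hostname": "shop.example"}', "login", True),
        ('{"success": true, "score": 0.95, "action": "newsletter", "hostname": "shop.example"}', "login", False),
        ("not json", "login", False),
    ]
    for raw, action, device in samples:
        verdict = evaluate(raw, action, "shop.example", device)
        print(f"{action:9s} known_device={str(device):5s} -> {verdict.value}")
```

The same score leads to different outcomes per action (0.45 is a step-up on login but a block on checkout), which is how one platform can serve several use cases with different assurance needs, as the text above describes. The device bonus is deliberately small, so a known device lowers friction for a borderline human but cannot rescue a clearly automated session.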

In the future, users should have to do as little as possible to prove they aren’t robots. With the right combination of authentication technology and attention to user experience, proving their identities could be just as easy.


Scott Waddell is the CTO of iovation. He began his career in information security as a charter member of the Air Force Information Warfare Center, pioneering tools and techniques for automated vulnerability assessment and incident response.

Scott is an innovative technologist and executive with more than 20 years of hands-on leadership experience. His career spans fraud mitigation, computer and network security, critical infrastructure protection and information warfare. He is also co-inventor on six U.S. patents.

The opinions expressed in this blog are those of Scott Waddell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.