CAPTCHA Alternatives for a commercial product?
Tuesday, December 13th, 2005 at 2:30 pm
Right now I am working on a project that will be a PayPal-esque financial application, and of course security is a big issue with this one.
We had a great meeting talking about security measures that could be added to the forms to ensure that only real users will be able to log in.
I collected the ones I could think of, based on the W3C whitepaper and my own experiences, and this is the list with pro and contra for each of them:
CAPTCHA (http://www.captcha.net/)
This method generates an image of a distorted word, which the user is asked to type in.
The most common method is GIMPY or one of its .NET/Java alternatives:
Pro:
- Easy to implement
- Common control in Frameworks
Contra:
- Hard to read for visitors with impaired vision
- Impossible to use for blind visitors
- Heavy on server traffic / resources (an image has to be generated for every form view)
- Already broken by OCR-style scripts:
** http://www.cs.sfu.ca/~mori/research/gimpy/
** http://sam.zoy.org/pwntcha/
Another, cleverer version is ESP-PIX, which relies on the logical connection between a set of images and a word rather than on reading distorted text
Pro:
- Not broken to date, not counting social engineering (relaying the puzzle to humans)
- Relatively easy to implement
- Localisation is easier, provided the images are universally recognised
Contra:
- impossible to use for blind visitors
- Heavy on server traffic / resources
Lastly there is ESP-TEXT, which combines several words and pictures in one image
Pro:
- Not broken to date, not counting social engineering (relaying the puzzle to humans)
Contra:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources
Logical Puzzles / Multiple choice questions
These are multiple choice questions where both the question and the order of the answers change on every reload of the page. The questions need to be easy for any human to answer, yet not answerable by a script:
Which of the following is a bird:
- Alligator
- Elephant
- Eagle
It is immensely important to change the order on each reload, as otherwise the correct answer always sits at the same position and a script would crack this in 3 attempts tops. Shuffling alone does not stop guessing, though: with three options a blind guess is right one time in three, so each served challenge must be good for a single attempt only, and repeated failures need to be rate-limited or locked out.
Pro:
- Accessible to all except for dyslexic users
- Easier to implement and less traffic-heavy than image generation
Contra:
- High maintenance, as a large pool of questions is needed (a script that records every question it sees together with the accepted answer learns the whole pool over time)
- Questions must be well chosen on international pages, or localised for each language
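As an added worked example (not code from the original post), here is how such a challenge could be served without keeping per-user state on the server: a question is picked and its answers shuffled for every request, and the question id, the shuffled order, an expiry and a nonce are bound into an HMAC-signed token that comes back with the form. The correct answer itself never leaves the server; it is looked up in the pool when the answer is checked, and a nonce may be submitted only once, so a script cannot cycle through the three options against one token. The question pool, the key handling and the function names are assumptions made for this example. The last function simulates a script that always picks the first option, which shows the one-in-three chance that shuffling alone leaves.

```python
import base64
import hashlib
import hmac
import json
import random
import secrets
import time

# Constructed question pool for the example (not from the original post):
# (question, correct answer, distractors). A real pool has to be far larger.
QUESTION_POOL = [
    ("Which of the following is a bird?", "Eagle", ["Alligator", "Elephant"]),
    ("Which of the following is a colour?", "Blue", ["Table", "Seven"]),
    ("Which of the following can you drink?", "Water", ["Sand", "Brick"]),
]

# Server-side key; assumed to come from configuration in a real deployment.
SERVER_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 300          # seconds a served challenge stays answerable
_used_nonces = set()         # challenges already answered (one attempt each)


def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_challenge(rng=None, now=None):
    """Pick a question, shuffle its answers and return (question, options, token).

    The token is the only state the server needs. It holds the question id, the
    shuffled option order, an expiry time and a nonce, bound by an HMAC so the
    client cannot alter it. The correct answer is not in the token: the server
    looks it up in the pool when the form comes back.
    """
    rng = rng or secrets.SystemRandom()
    now = time.time() if now is None else now
    qid = rng.randrange(len(QUESTION_POOL))
    question, correct, distractors = QUESTION_POOL[qid]
    options = [correct] + list(distractors)
    rng.shuffle(options)                        # new order on every reload
    payload = {"qid": qid, "options": options,
               "exp": int(now) + CHALLENGE_TTL, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return question, options, body + "." + _sign(body)


def check_answer(token: str, chosen_index: int, now=None) -> bool:
    """Verify one submitted option index against its signed challenge token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return False                        # forged or tampered token
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return False                            # malformed token
    if payload["exp"] < now:
        return False                            # challenge expired
    if payload["nonce"] in _used_nonces:
        return False                            # one attempt per challenge
    _used_nonces.add(payload["nonce"])
    correct = QUESTION_POOL[payload["qid"]][1]
    return payload["options"].index(correct) == chosen_index


def blind_guess_rate(trials: int, index: int = 0, seed=None) -> float:
    """Fraction of fresh challenges a script wins by always picking the same option."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    wins = 0
    for _ in range(trials):
        _, _, token = make_challenge(rng)
        wins += check_answer(token, index)
    return wins / trials
```

In a real deployment the used-nonce set would live in the session store and be pruned once the tokens expire, and the login form itself still needs a failure counter per account and per client, because the one-in-three guess rate of a single challenge is only acceptable when a script cannot request and answer thousands of them.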
Sound Output
Instead of a visual (hard on the user) or textual (easy to crack) solution, you could add audio output and ask the user to type what they hear
Pro:
- Accessible to all but hard-of-hearing users and users without sound output
Contra:
- Expects users to know how to spell a word they hear
- Not feasible in public places like internet cafés
- Requires sound output on the client computer
- High traffic / maintenance
- The sound needs to be distorted to prevent automatic speech recognition
Re-using federated identity systems like Microsoft Passport or other single sign-on products
Pro:
- Centralised security: authentication is handled by the identity provider rather than in every application
Contra:
- Cost
- Reliance on a third party
Multi-channel distribution
This involves sending the user an SMS with a confirmation code, or asking them to call a hotline, so that they confirm their identity through a second channel
Pro:
- Safest approach listed, as the user has to prove control of a second channel (their phone) and not just fill in a form
Contra:
- Reliance on the availability of the other channel (network coverage, phone at hand)
- High maintenance
- Slow log-on process
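The SMS variant, as an added example that is not from the original post: the server generates a short one-time code, keeps only a salted hash of it together with an expiry and an attempt counter, hands the clear code to whatever delivers the SMS (here an assumed `send_sms` callback, since the post does not say how the message is sent), and accepts exactly one correct answer within a small number of tries. The attempt cap is what makes a six-digit code hold up against scripts: without it, a bot could simply work through the code space.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 120           # seconds a code stays valid
MAX_ATTEMPTS = 3         # wrong guesses before the code is thrown away

# Pending confirmations keyed by session id. In memory for the example;
# a real deployment would use a shared store with the same fields.
_pending = {}


def start_confirmation(session_id: str, send_sms, now=None) -> None:
    """Generate a one-time code, store only a salted hash of it, and pass the
    clear code to the SMS channel (send_sms is an assumed delivery callback)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[session_id] = {
        "salt": salt,
        "digest": hashlib.sha256(salt + code.encode()).digest(),
        "exp": now + CODE_TTL,
        "attempts": 0,
    }
    send_sms(code)       # the only place the clear-text code leaves the server


def confirm(session_id: str, submitted: str, now=None) -> bool:
    """Check a submitted code. One success ends the confirmation, as do expiry
    or MAX_ATTEMPTS wrong guesses; the user then has to request a new code."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None:
        return False                         # nothing pending, used up, or locked out
    if now > entry["exp"]:
        del _pending[session_id]             # expired
        return False
    entry["attempts"] += 1
    digest = hashlib.sha256(entry["salt"] + submitted.encode()).digest()
    if hmac.compare_digest(digest, entry["digest"]):
        del _pending[session_id]             # single use
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[session_id]             # too many guesses
    return False
```

Hashing the code only keeps live codes out of a leaked or logged store; a six-digit space is trivially brute-forced offline, so the real control against scripts is the attempt cap together with the short lifetime. Requests for new codes also need a limit per account, otherwise a bot gets a fresh three guesses on demand.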
Now, my personal favourite is the multiple choice idea with a simple question; however, the issue is that the application will be localised in many languages, which means that it could become a maintenance nightmare. This is probably one of the biggest issues, where you need to push your accessibility cap a bit further back to allow the security one to fit as well.
Is there anything you could think of that I forgot?