Christian Heilmann

CAPTCHA Alternatives for a commercial product?

Tuesday, December 13th, 2005 at 2:30 pm

Right now I am working on a project that will be a paypal-esque financial application, and of course security is a big issue with this one.

We had a great meeting talking about security measures that could be added to the forms to ensure that only real users will be able to log-in.

I collected the ones I could think of based on the W3C whitepaper and own experiences and this is the list with pro and contra for each of them:

CAPTCHA (http://www.captcha.net/)

This method generates images of distorted words which the user is asked to type in.
The most common implementation is “GIMPY” or one of its .NET/Java alternatives:

Pro:

  • Easy to implement
  • Common control in frameworks

Contra:

  • hard to read for visitors with impaired vision
  • impossible to use for blind visitors
  • Heavy on server traffic / resources
  • Already cracked by some scripts:
      • http://www.cs.sfu.ca/~mori/research/gimpy/
      • http://sam.zoy.org/pwntcha/

Another, more clever version is ESP-PIX, which uses a logical connection between images and text.

Pro:

  • Uncracked to date, not counting social engineering
  • Relatively easy to implement
  • Localisation is easier, if the images are universally known

Contra:

  • impossible to use for blind visitors
  • Heavy on server traffic / resources

Lastly, another CAPTCHA is ESP-TEXT, which uses an image combining several words and pictures.

Pro:

  • Uncracked, not counting social engineering

Contra:

  • hard to read for visitors with impaired vision
  • impossible to use for blind visitors
  • Heavy on server traffic / resources

Logical Puzzles / Multiple choice questions

These are multiple-choice questions where both the question and the order of the answers change on every reload of the page. The questions need to be easy, but only answerable by a human:

Which of the following is a bird?

  • Alligator
  • Elephant
  • Eagle

It is immensely important to change the order on each reload, as otherwise any script would crack this in 3 attempts tops.

Pro:

  • accessible to all except for dyslexic users
  • easier to implement and less traffic-heavy than image generation

Contra:

  • high maintenance, as a large number of questions is needed
  • questions must be chosen carefully on international pages, or localised into each language
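The following is an added example, not code from the original post, of how the multiple-choice challenge described above can be issued and checked server-side. The question bank, the token format, the in-memory store and the five-minute lifetime are assumptions for illustration. The correct index is kept on the server only, each token is single-use, and the `shuffle` switch exists purely to show what the post warns about: with a fixed answer order the right answer always sits in the same position, so a script that picks that position wins every time.

```python
"""Randomised multiple-choice login challenge (added example, not from the post)."""
import secrets
import time

# Constructed question bank: (question, correct answer, distractors).
QUESTION_BANK = [
    ("Which of the following is a bird?", "Eagle", ["Alligator", "Elephant"]),
    ("Which of the following is a colour?", "Blue", ["Tuesday", "Hammer"]),
    ("Which of the following can you drink?", "Water", ["Brick", "Shoe"]),
]

CHALLENGE_TTL = 300          # seconds a challenge stays valid (assumed)
_rng = secrets.SystemRandom()  # OS randomness for question choice and shuffling

# token -> {"answer": correct option index, "expires": unix time}
# A real deployment would keep this in the session store; a dict keeps the example self-contained.
_pending = {}


def issue_challenge(now=None, shuffle=True):
    """Pick a random question and (by default) shuffle its options for this page load.

    Returns (token, question, options). The form only ever sees the token and the
    option texts; which option is correct never leaves the server.
    """
    now = time.time() if now is None else now
    question, correct, distractors = _rng.choice(QUESTION_BANK)
    options = [correct] + list(distractors)
    if shuffle:
        _rng.shuffle(options)  # the step the post insists on
    token = secrets.token_urlsafe(16)
    _pending[token] = {"answer": options.index(correct), "expires": now + CHALLENGE_TTL}
    return token, question, options


def verify_answer(token, chosen_index, now=None):
    """Check a submitted option index. The token is consumed whether or not the answer is right."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)  # single use: no retries against the same question
    if entry is None or now > entry["expires"]:
        return False
    return chosen_index == entry["answer"]


def correct_positions(n=300, shuffle=True):
    """Issue n challenges and report the set of positions the correct answer landed in.

    With shuffle=False this is always {0}: a guesser only needs to learn that one
    position. With shuffling it covers every position, so guessing is no better than chance.
    """
    positions = set()
    for _ in range(n):
        token, _question, _options = issue_challenge(shuffle=shuffle)
        positions.add(_pending.pop(token)["answer"])  # consume the demo tokens
    return positions
```

In a real form the token travels in a hidden field or the session, and `verify_answer` runs before the password check so a failed challenge costs the attacker a fresh page load each time.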

Sound Output

Instead of a visual (hard on the user) or textual (easy to crack) solution, you could add an audio output that asks the user to type what he hears.

Pro:

  • Accessible to all but the hard of hearing or users without sound output

Contra:

  • Expects users to know how to spell a word they hear
  • Not feasible in public places like internet cafés
  • Expects sound output to be available on the client computer
  • High traffic / maintenance
  • Needs distortion of the sound to prevent automatic recognition

Re-using federated identity systems like Microsoft Passport or other single sign-on products

Pro:

  • centralized security

Contra:

  • cost
  • reliance on third party

Multi-channel distribution

This involves sending the user an SMS to confirm, or asking him to call a hotline to confirm his identity.

Pro:

  • safest approach

Contra:

  • reliance on availability of other distribution channel
  • high maintenance
  • slow log-on process
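As an added example, not code from the original post, here is the server side of the SMS confirmation described above: a short numeric code is generated, handed to a delivery function, and only a digest of it is kept alongside an expiry and an attempt counter. The delivery callback `send_sms`, the six-digit length, the two-minute lifetime and the cap of three wrong guesses are assumptions; the point is that the "slow log-on" the post mentions buys a code that is useless once it has expired, been used, or been guessed at too often.

```python
"""Out-of-band confirmation code for a second channel such as SMS (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed code length
CODE_TTL = 120       # seconds until the code expires (assumed)
MAX_ATTEMPTS = 3     # wrong guesses allowed before the code is void (assumed)

# login session id -> {"digest", "expires", "attempts"}
# A real deployment keeps this in the session store; a dict keeps the example self-contained.
_pending = {}


def _digest(session_id, code):
    """Digest of the code bound to the session.

    Hashing keeps the plain code out of the store and out of logs; against a six-digit
    space the real protection is the short expiry and the attempt cap below.
    """
    return hashlib.sha256(("%s:%s" % (session_id, code)).encode()).hexdigest()


def start_confirmation(session_id, phone_number, send_sms, now=None):
    """Generate a fresh code, deliver it over the second channel, record only its digest.

    send_sms(phone_number, text) is a hypothetical delivery hook supplied by the caller.
    Returns the expiry time so the login page can tell the user how long the code is valid.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    expires = now + CODE_TTL
    _pending[session_id] = {"digest": _digest(session_id, code), "expires": expires, "attempts": 0}
    send_sms(phone_number, "Your confirmation code is %s" % code)
    return expires  # the code itself never goes back to the web tier


def confirm(session_id, submitted_code, now=None):
    """Verify a submitted code. Unknown, expired or exhausted sessions always fail."""
    now = time.time() if now is None else now
    state = _pending.get(session_id)
    if state is None:
        return False
    if now > state["expires"]:
        _pending.pop(session_id, None)
        return False
    state["attempts"] += 1
    if state["attempts"] > MAX_ATTEMPTS:
        _pending.pop(session_id, None)  # too many guesses: the user must request a new code
        return False
    ok = hmac.compare_digest(state["digest"], _digest(session_id, str(submitted_code)))
    if ok:
        _pending.pop(session_id, None)  # one successful use ends the confirmation
    return ok
```

The delivery hook is where the "reliance on the availability of another channel" from the contra list lives: if the SMS gateway or hotline is down, `start_confirmation` can still be called but the user has nothing to type, so the login page should surface that failure rather than leaving the user waiting.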

Now, my personal favourite is the multiple choice idea with a simple question; however, the issue is that the application will be localised in many languages, which means that it could become a maintenance nightmare. This is probably one of the biggest issues, where you need to push your accessibility cap a bit further back to allow the security one to fit as well.

Is there anything you could think of that I forgot?
