CAPTCHA: Security Theater or AI Training Tool?

Stop using me to train your AI models and calling it security

~The Simple Dev

Opinion

I want to preface this by saying this is an opinion piece. I have done little to no research. This is based on my experiences as a software engineer and historically how captcha's have been used.

I am also not saying that all companies or teams do this. I would say most companies use CAPTCHA appropriately. However, there are a few who in my opinion abuse it for one reason or another.

Security Threater

I was signing into popular game website on my Gaming PC last night and got an annoying Captcha. This came up between putting in my password and having to provide my 2FA code. As usual I sit there wondering why I am wasting time training someones AI models on how to detect bicycles when I just want to play a game.

Enter Security Theater:Security measures which are intended to, or do, provide a feeling or illusion of improved security, while doing little or nothing to actually improve security.

They claim these CAPTCHA's and puzzles enhance security by preventing automated login attempts. But do they really?

In my opinion it comes down to three factors...

1. Laziness of the security team
2. Just doing what they have always done because Google said it was the way
3. Training some AI model.

A brief history of CAPTCA

ell, as I said, I have done no research, so I am speaking here completely from memory. If memory serves me correctly the original CAPTCHA was created by google. It was used to help translate book text during their book copying phase. It was a problem difficult for computers to solve. Google basically convinced the industry that it enhanced security. Maybe it did for the most basic use cases.

However, even in the modern age Google has CAPTCHA that now detects mouse movement instead of requiring the user to solve a puzzle.

A better way

I am not saying Captchas have no place, I am saying I believe there are good and bad ways to implement them. Most places use a very bad way. The game website from last night is the best example I can think of as a bad way to handle this.

1. Enter Email
2. Enter Password
3. Solve Captcha
4. Enter 2FA
5. Logged in.

Did that actually help secure my account? It might have in a way, but probably not as much as you may think. Hackers have used systems like Amazon Mechanical Turk in the past to farm out captcha solving to low paid workers around the world.

Lets look at a more secure flow.

1. Enter Email
2. Has someone tried to log in more than x times in the past minute and failed?
   1. Yes Enable Captcha
   2. Move to step 3
3. Check my IP address - has it accessed my account before?
   1. No - Send to Captcha
   2. Yes - Move to step 3
4. Is the login from the appropriate region? If my address is in the US and the login is from China, there is likely an issue.
   1. No - Send to Captcha
   2. Yes - Move to Step 4
5. Is my login from a known VPN or Tor node?
   1. Yes - Block or Send to Captcha.
   2. Move to Step 5
6. Enter Password
   1. Invalid Password? Send to CAPTCHA on next login
   2. Valid Password Move to step 6
7. Enter 2FA
8. Logged in

We add three steps for the login process to validate, and remove one step for the user in most situations.

Why do I feel this is more secure

Beyond Logic? Beyond Common Sense? Beyond seeing best practices in my career?

Well, I watch what companies I consider good actors do.

Bit Warden doesn't give me a captcha unless someone has tried to login to my account and failed. Then they add it for extra security and email me to let me know.

Google doesn't do this, it trusts my 2FA and when it does need a captcha solves it uses a mouse click or automatic mouse movement detection not an AI puzzle.

Stop giving me security threater to train your AI

I just want these annoying CAPTCHAs to go away. I once had to solve 10 of them to get into a site I visit regularly. I have actually stopped using that site and can't even remember what it was now.

CAPTCHAs provide limited security in most situations. There are almost always better alternatives.

Every place I say send to Captcha above could also be send code to email. We don't need captcha in the modern age for many situations, I doubt we ever did.

Where is CAPTCHA appropriate

Unauthenticated forms.

That is my only and final answer. I believe that when you have a form on a website, that CAPTCHA is acceptable. It could be a contact form, or a sign up form. In those cases, CAPTCHA is a great tool. However, once you have a user, I feel CAPTCHAs are abused by lazy security teams and decrease customer experience in most cases.

Feedback

I would love to know what other members of the community think about this. Please leave me some comments on it. below.

Originally Published on The Simple Dev