Google announced a change to its reCAPTCHA authentication system late Friday wherein the company will begin creating different types of puzzles for different users, use numeric CAPTCHAs and move away from more obscure, hard-to-read distorted letters.
CAPTCHAs are the series of distorted letter puzzles internet users may encounter as an added layer of human authentication on some websites and email clients.
The move incorporates “advanced risk analysis techniques,” according to Vinay Shet, reCAPTCHA’s product manager, who wrote about the update in a post on Google’s Online Security Blog.
According to Shet, the update considers user engagement before, during and after the user interacts with the puzzle and should deter bots, which have become more sophisticated and skilled at cracking reCAPTCHA over the last few years.
Google’s studies found numeric CAPTCHAs easier to solve for humans, and that with them they were able to achieve nearly perfect pass rates. While more information about the study is still forthcoming, Google boasts that the new “multifaceted approach” will make it so bots “won’t even see” the numbers.
It’s unclear just how the service will create different CAPTCHAs for different users, but the blog post hints that the new method should better protect its users from attackers and “serve less as a test of humanity,” as opposed to the CAPTCHAs users are familiar with that merely characterize humans and bots.
Google acquired reCAPTCHA in 2009 in hopes of beating spammers who were creating multiple fake accounts to defraud authentication mechanisms. reCAPTCHA is a popular variation of CAPTCHA, first coined by students at Carnegie Mellon University as an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.
As the years have progressed, technology has as well. Bots or, in some cases, humans hired to solve the squiggly puzzles have been working hard to crack CAPTCHAs and have succeeded. Countless research groups have poked holes in the challenge-response mechanism over the years. Researchers at Newcastle pointed out the algorithm’s insecurities in 2008 and Stanford built a tool to bust it called DeCAPTCHA in 2011.
Google’s announcement comes at an interesting time – just yesterday a small California startup threw more research on the pile, proclaiming text-based CAPTCHAs “no longer effective as a Turing test.”
Vicarious, a Bay Area firm, announced yesterday it found a new way to break most types of CAPTCHAs – including Google’s – using artificial intelligence that apparently achieves success rates up to 90 percent. The work is part of something the group is calling its Recursive Cortical Network, something it anticipates will have repercussions down the road for security, medicine and robotic fields.