What does the future of captchas look like?

Captchas have become an integral part of the web. In the long term, however, they can no longer keep up with increasingly sophisticated bots. Alternatives built on the blockchain could follow.


Telling a real person from a computer or bot can quickly become a challenge in the digital world. In 2020, around 25.6 percent of all internet traffic came from so-called “bad bots,” according to Imperva’s “Bad Bot Report 2021.” These are programs that imitate the behavior of real internet users, attack websites and can quickly cause damage. One example is the flooding of contact forms by bots: customer service staff first have to pick the genuine inquiries out of the mass of submissions, which can increase response times enormously and, in turn, lowers customer satisfaction with the provider.

A “Completely Automated Public Turing test to tell Computers and Humans Apart”, known to most internet users by its short form CAPTCHA, can help with this detection. Captchas are embedded in various forms on all kinds of websites to reject bots while letting requests from real visitors through.


Captcha development

In the beginning, captchas were fairly easy to solve: users only had to type in a distorted sequence of letters or solve a simple arithmetic problem. However, as image recognition software and AI kept improving, the puzzles had to get harder and harder to keep stopping the bots. A constant arms race ensued between the bots and the technology meant to keep them out. As a result, the effort needed to solve a captcha keeps increasing, even for real users. According to a Stanford study, this extra effort can also cost the websites concerned revenue.


Possible future approaches

A combination of crypto verification services and SSI (Self-Sovereign Identity) could succeed captchas. Instead of the usual captcha flow (identify images, then confirm “I’m not a robot”), SSI-based verification could rely on an analysis of the user’s on-chain behavior. For example, it could check which activities were carried out via a specific Ethereum address and how long that address has been active. As blockchain use grows, such an analysis can also serve as an additional security factor. It is not infallible, however, so the frustrating problem can arise that real users are wrongly classified as bots and rejected (a real person with a brand-new address, for instance, has no history to assess). There are also potential issues of privacy (information about individuals is collected and stored) and loss of identity (there must be an issuer to validate certificates). The latter problems could be addressed by verifying bodies in the SSI cycle that check the validity of the certificates, which makes transmitting the underlying behavioral data unnecessary.

A combination of SSI and trust score, together with a successful verification, could therefore rule out bot impersonation and spam with sufficiently high probability. In the approaching quantum age, however, such authentication measures would become useless again, since a sufficiently large quantum computer could break the elliptic-curve signatures that secure today’s blockchain addresses. Then, according to US cryptologist David Chaum, quantum-secure blockchain networks such as the xx network would be the most secure solution; specifically, he points to the next generation of highly secure SSI dApps.
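To make the division of labour concrete, here is an added example in Go, written for this article and not code from Chaum, the xx network or any SSI project. It sketches the two halves of the scheme described in the two paragraphs above: an issuer that scores an Ethereum address from its transaction history and, if the score clears a threshold, signs a short credential; and a website that, instead of serving a captcha, checks only that credential (trusted issuer, not expired, signature intact). The verifier never receives the transaction history, which is the point about verifying bodies making the transfer of behavioral data unnecessary. Everything specific is an assumption: the function names, the scoring weights and caps in TrustScore, the 24-hour validity, the Ed25519 signature standing in for whatever a real credential format signs with, and the constructed transaction timestamps from SampleHistory. It also shows the false-positive case from the text: a real person’s two-day-old wallet is refused at issuance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// SampleHistory fabricates the timestamps of n transactions spread evenly over the last
// ageDays days. Constructed demo data, not chain data (a real record carries much more).
func SampleHistory(ageDays, n int, now time.Time) []time.Time {
	txs := make([]time.Time, n)
	for i := range txs {
		daysAgo := ageDays - ageDays*i/n
		txs[i] = now.Add(-time.Duration(daysAgo) * 24 * time.Hour)
	}
	return txs
}

// TrustScore is a hypothetical rule: up to 40 points for address age (one per ten days)
// plus up to 60 for activity. The weights and caps are assumptions made for this example.
func TrustScore(txs []time.Time, now time.Time) int {
	oldest := now
	for _, t := range txs {
		if t.Before(oldest) {
			oldest = t
		}
	}
	age := int(now.Sub(oldest).Hours()/24) / 10
	if age > 40 {
		age = 40
	}
	activity := len(txs)
	if activity > 60 { // cap: a freshly funded bot wallet cannot buy its way to a high score
		activity = 60
	}
	return age + activity
}

// Credential is the issuer's signed statement that the subject cleared the threshold. It carries
// no transaction data, so the verifier never sees the history. Ed25519 stands in for the real scheme.
type Credential struct {
	Subject   string `json:"subject"`   // Ethereum address
	Claim     string `json:"claim"`     // e.g. "trust_score>=50"
	Issuer    string `json:"issuer"`    // hex-encoded issuer public key
	NotAfter  int64  `json:"not_after"` // expiry, unix seconds
	Signature string `json:"signature,omitempty"`
}

// payload is the canonical signed form: the credential with the signature blanked (value receiver).
func (c Credential) payload() []byte {
	c.Signature = ""
	b, _ := json.Marshal(c)
	return b
}

// Issue is the issuer side: score the history and sign a claim if it passes. A real person
// with a fresh wallet lands in the error branch, which is the false positive the text warns of.
func Issue(priv ed25519.PrivateKey, addr string, txs []time.Time, now time.Time, threshold int) (Credential, error) {
	if s := TrustScore(txs, now); s < threshold {
		return Credential{}, fmt.Errorf("address %s scored %d, below %d", addr, s, threshold)
	}
	c := Credential{
		Subject:  addr,
		Claim:    fmt.Sprintf("trust_score>=%d", threshold),
		Issuer:   hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		NotAfter: now.Add(24 * time.Hour).Unix(),
	}
	c.Signature = hex.EncodeToString(ed25519.Sign(priv, c.payload()))
	return c, nil
}

// Verify is the website side, run instead of serving a captcha: trusted issuer, unexpired, valid signature.
func Verify(c Credential, trustedIssuers map[string]bool, now time.Time) error {
	pub, err := hex.DecodeString(c.Issuer)
	if !trustedIssuers[c.Issuer] || err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("issuer %q is unknown or malformed", c.Issuer)
	}
	if now.Unix() > c.NotAfter {
		return fmt.Errorf("credential expired")
	}
	sig, err := hex.DecodeString(c.Signature)
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), c.payload(), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	now := time.Date(2022, 3, 1, 0, 0, 0, 0, time.UTC)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, err := Issue(priv, "0x0000000000000000000000000000000000000001", SampleHistory(400, 30, now), now, 50)
	fmt.Println("established wallet:", err, Verify(cred, map[string]bool{hex.EncodeToString(pub): true}, now)) // <nil> <nil>
	_, err = Issue(priv, "0x0000000000000000000000000000000000000002", SampleHistory(2, 1, now), now, 50)
	fmt.Println("fresh wallet:", err) // refused: a real person's new wallet is the false positive
}
```

Run it with go run: the established wallet prints two nil errors, the fresh wallet prints the refusal. A score built only from address age and transaction count is easy to farm by anyone willing to pay gas for a year, so the caps are a crude brake rather than a defence, and a production scorer would weigh far more than timestamps. A production verifier would also bind the credential to the session (for example by having the subject sign a server nonce with the address’s own key), since otherwise a stolen credential can be replayed by a bot until it expires.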

Centralized service providers such as Cloudflare would rather rebuild the entire system and verify users via a security module in the browser than “just” develop a new type of captcha. In practice, one could then verify oneself when visiting a website using the fingerprint sensor on one’s own computer. According to Chaum, such centrally controlled, software- and hardware-based solutions can only be regarded as valid and secure authentication methods in the short term. He sees the centrally controlled software as an attractive target for hacking attacks and therefore as a potential security risk in itself.

According to David Chaum, the necessary long-term solution to the problem lies in mnemonics, in the form of a scheme, rhyme or graphic that paraphrases a password. According to the expert, they would have to be devised by humans and stored offline, and they would have to be complex enough that computers could not guess them. The validation of the digital identity would then be carried out independently by computer intermediaries or blockchain validators.

Source: David Chaum