CAPTCHAs Easy for Humans, Hard for Bots
Proton is aiming for the sweet spot between security, privacy, and accessibility with its CAPTCHA.
Proton, the company behind the end-to-end encrypted Proton Mail, has released Proton CAPTCHA, a layered system to differentiate between humans and bots.
For the past decade-and-a-half, CAPTCHAs and reCAPTCHAs have served as resource gatekeepers to deter bots from creating fake accounts, spamming forms, and executing brute-force attacks to guess usernames and passwords. The idea is to set a task that must be completed before granting access — and to make it easy for a human to do but very difficult for a bot.
However, visual CAPTCHA challenges, such as transcribing a set of distorted characters or selecting all images with traffic lights, have become vulnerable to advanced image-analysis tools and human-solver services, while remaining annoying to legitimate users. Organizations concerned about potential privacy issues may not be comfortable with reCAPTCHAs (the "I am not a robot" checkbox) because they rely on behavioral analysis and the server examining user history to winnow out suspicious users. Scammers are including CAPTCHA-solving services in their automated attacks, and the increased use of large language models (LLMs) is also worrying: A technical report on GPT-4's capabilities revealed that the LLM was able to persuade a human TaskRabbit worker to complete a visual CAPTCHA puzzle.
Proton CAPTCHA visual puzzles. (Source: Proton)
Proton CAPTCHA consists of three levels of discernment: computational proof-of-work tasks, visual challenges, and bot detection that the company says preserves user privacy. The system presents proof-of-work challenges for the user's device to solve in the background, without bothering the user. Meanwhile, it also runs detection tests to look for botlike identifiers. Friendly Captcha and mCAPTCHA also perform those two steps. What Proton CAPTCHA adds is a visual puzzle to solve, akin to the original CAPTCHA. The combination of the three actions makes automated account creation and abuse more expensive, Proton says.
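The proof-of-work layer described above, as an added example that is not from the article and is not Proton's implementation: a hashcash-style challenge in which the server signs the difficulty and expiry, the client searches for a nonce, and the server checks the answer cheaply and only once. The SHA-256 leading-zero-bits puzzle, the function names, and the 16-bit and 120-second parameters are assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # constructed secret; a real service keeps this in a KMS
TTL_SECONDS = 120             # assumed lifetime of a challenge
_spent = set()                # challenges already redeemed (in-memory for the demo)

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(bits=16, now=None):
    """Server: hand out a signed "salt:bits:expiry" string the client cannot alter."""
    now = int(time.time()) if now is None else now
    body = f"{os.urandom(16).hex()}:{bits}:{now + TTL_SECONDS}"
    return f"{body}:{_tag(body)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, nonce):
    return leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest())

def solve(challenge):
    """Client: brute-force a nonce; expected cost doubles with every extra bit."""
    bits, nonce = int(challenge.split(":")[1]), 0
    while _work(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, now=None):
    """Server: one HMAC and one hash, however long the client had to search."""
    now = int(time.time()) if now is None else now
    body, _, tag = challenge.rpartition(":")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False                      # forged, or difficulty lowered by the client
    _salt, bits, expires = body.split(":")
    if now > int(expires) or challenge in _spent:
        return False                      # stale, or a replayed solution
    if _work(challenge, nonce) < int(bits):
        return False                      # not enough work done
    _spent.add(challenge)
    return True

if __name__ == "__main__":
    ch = issue_challenge()
    n = solve(ch)
    print(n, verify(ch, n), verify(ch, n))   # second verify is a replay
```

Signing the difficulty and tracking spent challenges are what keep the cost on the client: without them a bot could lower the bit count or reuse one solved challenge across many sign-ups.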