A Study of CAPTCHAs for Securing Web Services

TL;DR

This paper reviews and compares various CAPTCHA schemes used to distinguish humans from bots on web services, analyzing their security, usability, and methods for generation and breaking.

Contribution

It provides a comprehensive classification, comparison, and analysis of CAPTCHA schemes, along with guidelines for enhancing their robustness and usability.

Findings

CAPTCHAs vary in security and usability

Methods for generating and breaking CAPTCHAs are discussed

Guidelines for improving CAPTCHA robustness are provided

Abstract

Atomizing various Web activities by replacing human to human interactions on the Internet has been made indispensable due to its enormous growth. However, bots also known as Web-bots which have a malicious intend and pretending to be humans pose a severe threat to various services on the Internet that implicitly assume a human interaction. Accordingly, Web service providers before allowing access to such services use various Human Interaction Proof's (HIPs) to authenticate that the user is a human and not a bot. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a class of HIPs tests and are based on Artificial Intelligence. These tests are easier for humans to qualify and tough for bots to simulate. Several Web services use CAPTCHAs as a defensive mechanism against automated Web-bots. In this paper, we review the existing CAPTCHA schemes that have been proposed or are being used to protect various Web services. We classify them in groups and compare them with each other in terms of security and usability. We present general method used to generate and break text-based and image-based CAPTCHAs. Further, we discuss various security and usability issues in CAPTCHA design and provide guidelines for improving their robustness and usability.