CAPTCHA Types and Breaking Techniques: Design Issues, Challenges, and Future Research Directions

TL;DR

This paper surveys various CAPTCHA types and their vulnerabilities, analyzing design issues and attack methods, emphasizing the need for more secure and user-friendly CAPTCHA systems based on over two decades of research.

Contribution

It provides a comprehensive review of CAPTCHA types, their strengths and weaknesses, and discusses CAPTCHA breaking techniques, highlighting open challenges and future research directions.

Findings

Many CAPTCHA types are vulnerable to advanced breaking techniques.

Designing attack-resistant CAPTCHAs remains a significant challenge.

Usability considerations are crucial in CAPTCHA design.

Abstract

The proliferation of the Internet and mobile devices has resulted in malicious bots access to genuine resources and data. Bots may instigate phishing, unauthorized access, denial-of-service, and spoofing attacks to mention a few. Authentication and testing mechanisms to verify the end-users and prohibit malicious programs from infiltrating the services and data are strong defense systems against malicious bots. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is an authentication process to confirm that the user is a human hence, access is granted. This paper provides an in-depth survey on CAPTCHAs and focuses on two main things: (1) a detailed discussion on various CAPTCHA types along with their advantages, disadvantages, and design recommendations, and (2) an in-depth analysis of different CAPTCHA breaking techniques. The survey is based on over two hundred studies on the subject matter conducted since 2003 to date. The analysis reinforces the need to design more attack-resistant CAPTCHAs while keeping their usability intact. The paper also highlights the design challenges and open issues related to CAPTCHAs. Furthermore, it also provides useful recommendations for breaking CAPTCHAs.