ThermoCAPTCHA: Privacy-Preserving Human Verification with Farm-Resistant Traceable Tokens

TL;DR

ThermoCAPTCHA introduces a privacy-preserving, thermal imaging-based human verification system that resists CAPTCHA farms and improves usability over traditional methods, using real-time heat signature detection and cryptographic tokens.

Contribution

It presents a novel thermal imaging approach combined with cryptographic tokens for privacy-preserving, farm-resistant human verification, with a lightweight detection model and comprehensive security analysis.

Findings

96.70% detection accuracy

73.60 ms verification latency

Improved usability and accessibility

Abstract

CAPTCHAs remain a critical defense against automated abuse, yet modern systems suffer from well-known limitations in usability, accessibility, and resistance to increasingly capable bots and low-cost CAPTCHA farms. Behavioral and puzzle-based mechanisms often impose cognitive burdens, collect extensive interaction data, or permit outsourcing to human solvers. In this paper, we present ThermoCAPTCHA, a novel privacy-preserving human verification system that uses real-time thermal imaging to detect live human presence without requiring users to solve challenges. A lightweight YOLOv4-tiny model identifies human heat signatures from a single thermal capture, while cryptographically bound traceable tokens prevent forwarding attacks by CAPTCHA farm workers. Our prototype achieves 96.70% detection accuracy with a 73.60 ms verification latency on a low-powered server. Comprehensive security evaluation, including MITM manipulation, spoofing attempts, adversarial perturbations, and misuse scenarios, shows that ThermoCAPTCHA withstands threats that commonly defeat behavioral CAPTCHAs. A user study with 50 participants, including visually challenged users, demonstrates improved accuracy, faster completion times, and higher perceived usability compared to reCAPTCHA v2.