CAPTCHA’s Place in Effective Bot Management

February 8, 2024 | by John Dasher


Get Rid of Bad User Experiences

Must the user experience (UX) suffer when bot management is effectively deployed? The answer to this important question is a resounding “no”. Security teams rightfully want to ensure that users are properly authenticated before being authorized to access, enter, or edit sensitive information. Malicious bots must be kept at bay, detecting their presence and blocking them. By the same token, UX personnel want the user to have a great experience, with minimal waiting or frustrating hoops to jump through before they are able to use an application.

Unfortunately, security and usability have historically been achieved at the expense of one another, and the legacy visual CAPTCHA systems often used to try to ensure that a human, rather than a bot, is interacting with an application are a great example of that trade-off. CAPTCHA, by the way, is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

The visual CAPTCHA systems most of us are familiar with require an application user to view a picture divided into pieces and identify all of a requested element before proceeding. For example, a picture of a city street is shown and the user is asked to successfully pick all of the pieces that contain a motorcycle before being allowed to proceed. It’s a silly pain for the user, and if they mess up they get to do it again. Or, a picture of a jumbled, stylized word is shown and the user must type in the word. Is that a ‘Z’, a ‘z’, or a ‘2’? Not only is this an exercise in frustration for the user, but it’s no longer effective. There are now services that the bad guys can use to automatically solve these common CAPTCHAs. And, AI has quickly gotten to the point where it can handle more complex images. A few years ago, Forbes reported that between 8 and 29 percent of users fail to solve these challenges, and user impatience for such nonsense has only increased. Further, the article quoted a study showing a 3.2% negative impact to sales.

Traditional CAPTCHA - bot management

Luckily, there’s a more modern take on this problem, and it’s more effective to boot. Rather than bothering the end user with silly pictures, behind the scenes their browser is instead asked to solve a straightforward cryptographic proof. Effectively, solve a math problem. The end user never knows this is happening.

How Does it Work?

Cequence Security offers this capability in our API Spartan bot management solution. When triggered, the client browser is sent a cryptographic ‘work-item’ that takes about one second to complete. Successful completion and response allow the client to continue. If the work-item is not completed, or is completed incorrectly, the system notes this as potentially suspicious and can deliver an appropriate error response, or even terminate the session. Malicious bots tend to have a difficult time convincingly masquerading as a modern web browser, and aren’t able to complete the proof-of-work CAPTCHA without being specifically modified to do so; frankly, since there is no shortage of easy targets out there, most of them will never take the trouble. And even if they were modified, they would pay this one-second-or-so penalty for each initial request, slowing their attack to the point of infeasibility.

Rohit Unnikrishnan, Cequence’s Sr. Director of Product Management said, “Employing an invisible proof-of-work CAPTCHA is an elegant way for organizations to be confident that their applications are serving their intended customers rather than acting as a vehicle for theft and fraud. We’re excited to offer this capability.”

The beauty of this approach is that the user of your application is never bothered, so in marketing parlance conversion is unaffected. Also, your org is protected without your developers having to write or QA a single line of code or incorporate someone else’s JavaScript/SDK.

This proof-of-work CAPTCHA is actually one of several possible response actions that API Spartan offers organizations. Block, rate limit, honeytrap, insert header, allow, and “challenge” (proof-of-work CAPTCHA) are all available response actions for mitigation.

Mitigation policies – bot management

Summary

Sadly, many organizations still use traditional CAPTCHA systems that frustrate users. Delivering a great user experience that separates your application from others is a real competitive advantage, so choose your bot management system wisely. The time for traditional visual CAPTCHA systems has passed, especially with the availability of Proof-of-Work (PoW) CAPTCHA solutions, which offer a great way to improve security AND usability. Cequence API Spartan Bot Management requires no additional work from development teams, and delivers solid security that eliminates malicious bot activity along with an improved user experience. Everyone wins!

Author: John Dasher, VP Product Marketing
