To CAPTCHA or not to CAPTCHA? Gartner analyst says OK — but don’t be robotic about it
Picking street signs from a matrix of images is out, cleverer challenges are OK
Analyst firm Gartner has advised in favour of the use of CAPTCHAs — but recommends using the least-annoying CAPTCHAs you can find.
The firm’s opinion is contained in a post by senior director analyst Akif Khan, who noted that CAPTCHAs create friction for humans but remain an imperfect defence against bots.
Despite all this, Khan argued in support of them, with exceptions.
“Just don’t use the ‘pick a street sign from this matrix of images’ Google version of a CAPTCHA,” Khan wrote. He advised trying what he called “more evolved” versions out there, like those from Arkose Labs, GeeTest or PerimeterX.
The analyst suggested that good CAPTCHAs should do more than ensure users provide a correct answer to a challenge, and also determine if answers are given too quickly — as would be the case for a professional paid per correct CAPTCHA test. The test should also dynamically increase in complexity when bot or professional CAPTCHA-cracking activity is detected.
Khan also recommended only using CAPTCHAs for less than five per cent of all sessions — and then only in true grey areas, leaving the bulk of spam detection to a vendor. He also suggested assessing CAPTCHA effectiveness with A/B testing across any sites you tend.
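A sketch of the policy Khan describes, added here as an example and not taken from the Gartner post or any vendor's product: challenge only grey-area sessions while staying under the five per cent ceiling, and treat a correct but too-fast answer as a reason to raise complexity. The class name, risk-score band, solve-time floor and level count are assumptions.

```python
from dataclasses import dataclass

# Every threshold except the 5% ceiling is an assumption made for this sketch.
MIN_HUMAN_SOLVE_SECONDS = 2.0    # assumed floor for a plausible human solve time
GREY_LOW, GREY_HIGH = 0.4, 0.7   # assumed risk-score band counted as a grey area
MAX_CHALLENGE_RATE = 0.05        # from the article: under five per cent of sessions
MAX_LEVEL = 3                    # assumed number of challenge complexity levels


@dataclass
class ChallengePolicy:
    sessions: int = 0
    challenged: int = 0
    level: int = 1  # current challenge complexity

    def route(self, risk_score: float) -> str:
        """Route one session using an upstream risk score in [0, 1]."""
        self.sessions += 1
        if risk_score < GREY_LOW:
            return "allow"
        if risk_score >= GREY_HIGH:
            return "block"
        # Grey area: challenge only if that keeps the rate under the ceiling.
        if (self.challenged + 1) / self.sessions >= MAX_CHALLENGE_RATE:
            return "defer"  # no CAPTCHA; leave the verdict to the vendor signal
        self.challenged += 1
        return "challenge"

    def verify(self, correct: bool, solve_seconds: float) -> str:
        """Judge a response on correctness and on how quickly it arrived."""
        if not correct:
            return "fail"
        if solve_seconds < MIN_HUMAN_SOLVE_SECONDS:
            # Right answer, implausibly fast: escalate complexity and re-test.
            self.level = min(self.level + 1, MAX_LEVEL)
            return "rechallenge"
        return "pass"


if __name__ == "__main__":
    policy = ChallengePolicy()
    scores = [0.1] * 20 + [0.5, 0.5, 0.9]  # constructed sample risk scores
    print([policy.route(s) for s in scores][-3:])
    print(policy.verify(True, 0.8), policy.level)
    print(policy.verify(True, 6.0))
```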
While Khan sees a role for CAPTCHAs, Cloudflare recently launched an anti-CAPTCHA manifesto. The web security company estimated that the world collectively spends 500 years every day completing the frustrating automated Turing tests that often rely on cultural nuance and hold people to physical and cognitive performance thresholds.
The Cloudflare blog post suggested that Cryptographic Attestation of Personhood (CAP), essentially a hardware security key, is superior to CAPTCHAs.
The Register knows readers just adore CAPTCHAs — let us know the extent of your ardour in the poll below. ®