- From: Scott Hollier <scott@hollier.info>
- Date: Wed, 15 Feb 2017 05:59:37 +0000
- To: RQTF <public-rqtf@w3.org>
- Message-ID: <MWHPR01MB27664301BC7DFA14A4F38E0BDC5B0@MWHPR01MB2766.prod.exchangelabs.com>
To the RQTF

Following up on my action item from last week, I’ve provided below a brief analysis of all the CAPTCHA literature and put them into two sections:

1) CAPTCHA alternatives. I’ve also included a brief explanation of what the alternative is that’s being proposed
2) CAPTCHA best practice: this is the literature that discusses the strengths and weaknesses of current CAPTCHA solutions.

While our focus from last week is on the first point, there’s some interesting papers in the second which I suspect will be relevant in putting forward the case as to why current CAPTCHA solutions are challenging from an accessibility perspective.

Skimming through the papers, here’s a few things I thought were of particular interest:

- Most current CAPTCHAs aren’t that secure anymore with a variety of automated techniques achieving about a 20% success rate, suggesting it probably takes humans longer to figure out the CAPTCHA than it does for a computer to crack one after a few attempts these days
- New CAPTCHA solutions generally rely on image-based solutions, e.g. visually confirming if the image is a man or woman, human or avatar, etc. The trend would still have accessibility issues.
- Two standout papers from an accessibility/useability standpoint in my opinion are:
  - Miller, J. & Roshanbin, N. (2016) Enhancing CAPTCHA Security Using Interactivity, Dynamism, and Mouse Movement Patterns
  - Yang, T., Koong, C. & Tseng, C. (2015) Game-based image semantic CAPTCHA on handset devices

The first looks at a pattern matching process where usability is considered, the second looks at using a simple computer game as a CAPTCHA which would have the added benefit of making it more interesting.

There’s also some arguments that the Google reCAPTCHA, the one where you click on a tickbox stating ‘I am a human’ is reasonably accessible. Admittedly I find these ones the easiest to deal with personally but don’t know if it is actually accessible.

Overall from an accessibility perspective it seems to me that most existing CAPTCHAs are flawed from a security perspective and there’s an incorrect assumption that people are using desktop computers along with everyone online expected to understand English text characters – and that’s before we even get to access-specific issues. While the literature here doesn’t appear to have any specific access solution, I’m encouraged by the fact that several solutions have endeavoured to ensure that people can use multiple interfaces and at least acknowledge that accessibility and usability need to be considered.

Apologies in advance for any typos that may have crept in and any misinterpretation of the articles. Happy to discuss further on the call.

Scott.

CAPTCHA alternatives:

- Catuogno, L. & Galdi, C. (2014) On user authentication by means of video events recognition
  METHOD: on-the-fly video as CAPTCHA
- Cetin, C. (2015) Design, Testing and Implementation of a New Authentication Method Using Multiple Devices
  METHOD: using multiple user devices to confirm human identity
- Conti, M., Guarisco, C. & Spolaor, R. (2015) CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery
  METHOD: CAPTCHaStar, an image-based CAPTCHA
- Djalaliev, P. (2013) Mitigating botnet-based DDoS attacks against web servers
  METHOD: hardware token authentication stops need to use CAPTCHA as denial of service prevention
- Kim, J. et al. (2014) FaceCAPTCHA: a CAPTCHA that identifies the gender of face images unrecognized by existing gender classifiers
  METHOD: Users identify if displayed face is male or female, something computers find hard to do
- Kim, J., Chung, Woo-K. & Cho, H. (2010) A new image-based CAPTCHA using the orientation of the polygonally cropped sub-images
  METHOD: new image orientation and spatial techniques to create new CAPTCHA
- Kluever, K. (2008) Evaluating the usability and security of a video CAPTCHA
  METHOD: video-based solution where users input three tags from a YouTube video. Claims 90% user success rate
- Korayem, M. et al. (2012) Learning Visual Features for the Avatar Captcha Recognition Challenge
  METHOD: users indicate if image is of a real human or avatar
- Le, T., Baydin, A. & Wood, F. (2016) Inference Compilation and Universal Probabilistic Programming
  METHOD: relates to the use of deep neural networks. Very technical, difficult to determine if it's a CAPTCHA alternative or using computers to solve CAPTCHAs.
- Miller, J. & Roshanbin, N. (2016) Enhancing CAPTCHA Security Using Interactivity, Dynamism, and Mouse Movement Patterns
  METHOD: users solve a series of interactive matching tasks. Usability is considered.
- Nayeem, M. (2014) Human Cognition in Automated Turing Test Design
  METHOD: uses contextual information of human conversation as a mechanism to improve CAPTCHA security
- Nguyen, V., Chow, Y. & Susilo, Willy. (2014) On the security of text-based 3D CAPTCHAs
  METHOD: 3D CAPTCHA whereby images appear 3D making it harder for computers to crack
- Powell, B. et al. (2014) fgCAPTCHA: Genetically Optimized Face Image CAPTCHA
  METHOD: optimised for mobile, a particular face is selected by tapping on the touchscreen
- Szu-Yu Lin, A. et al. (2012) A novel approach for re-authentication protocol using personalized information
  METHOD: uses a series of checks against personal user information
- Tangmanee, C. & Sujarit-Apirak, P. (2013) Attitudes towards CAPTCHA: A Survey of Thai Internet Users
  METHOD: most CAPTCHAs are based on English characters, changes could be used to provide CAPTCHA in language of user (focus on Thai in particular for this paper)
- Thomas, A. (2010) Enhancing cyber security through the use of synthetic handwritten CAPTCHAs
  METHOD: automated approaches use handwriting text instead of printed text in CAPTCHA
- Wang, E. & Ye, Y. (2013) A New Text Based CAPTCHA
  METHOD: If I understand this correctly, the idea is to still use a text CAPTCHA but the focus is on the user determining which letters are missing from a word or phrase rather than what's present.
- Yang, T., Koong, C. & Tseng, C. (2015) Game-based image semantic CAPTCHA on handset devices
  METHOD: make the CAPTCHA process based on a simple video game. Addresses language issues, interface issues (keyboard, mouse, gestures all work) and familiar.
- Yeh, H., Chen, B. & Wu, Y. (2013) Mobile user authentication system in cloud environment
  METHOD: use combination of personal information (voice recognition, fingerprint, eye tracking) to remove the need for CAPTCHAs

CAPTCHA best practice (analysis of current solutions, issues/weaknesses/improvements):

- Alexander, George (2015) Tech: Siri For Your Living Room
- Belk, Marios et al. (2015) Do human cognitive differences in information processing affect preference and performance of CAPTCHA?
- Bursztein, E., Martin, M. & Mitchell, J. C. (2011) Text-based CAPTCHA strengths and weaknesses
- Golle, P. (2008) Machine learning attacks against the Asirra CAPTCHA
- Hayata, T. (2012) Developing a secure and usable user-cognitive authentication scheme
- Hernández-Castro, C., Barrero, D. & R-Moreno, M. (2016) Machine learning and empathy: the Civil Rights CAPTCHA
- Hidalgo, J. & Alvarez, G. (2011) CAPTCHAs: An Artificial Intelligence Application to Web Security
- Khanna, S. (2009) Breaking the Multi Colored Box: A Study of CAPTCHA
- Li, Q. (2015) A computer vision attack on the ARTiFACIAL CAPTCHA
- Nakaguro, Y. et al. (2013) Defeating line-noise CAPTCHAs with multiple quadratic snakes
- Ragavi, V. & Geetha, G. (2011) CAPTCHA Celebrating its Quattuordecennial - A Complete Reference
- Sano, S. et al. (2015) HMM-based Attacks on Google's ReCAPTCHA with Continuous Visual and Audio Symbols
- Singh, A., Bacchuwar, K. & Bhasin, A. (2012) A Survey of OCR Applications
- Soupionis, Y. & Gritzalis, D. (2010) Audio CAPTCHA: Existing solutions assessment and a new implementation for VoIP telephony
- Tangmanee, C. (2016) Effects of Text Rotation, String Length, and Letter Format on Text-based CAPTCHA Robustness
- Xu, Y. (2016) Toward robust video event detection and retrieval under adversarial constraints
- Yan, J. & El Ahmad, A. (2009) CAPTCHA Security: A Case Study

Dr Scott Hollier
Digital Access Specialist
Mobile: +61 (0)430 351 909
Web: www.hollier.info
Technology for everyone
Keep up-to-date with digital access news – e-mail newsletter@hollier.info with ‘subscribe’ in the subject line.
Attachments
- image/png attachment: image001.png
Received on Wednesday, 15 February 2017 06:00:20 UTC