Kill Captcha: Research from Lionel Wolberger on 2023-08-24 (public-rqtf@w3.org from August 2023)

From: Lionel Wolberger <lionel@userway.org>
Date: Thu, 24 Aug 2023 20:17:18 +0300
To: RQTF <public-rqtf@w3.org>
Message-ID: <CAHOHNHeTOHjc4TTaX=P5Ve8uDhe1KaDeh4Y_wx2+ZuWkknNi-g@mail.gmail.com>

Recent article regarding Captcha, has some interesting perspective on user
perception of difficulty vs actual difficulty.

- L

https://arxiv.org/abs/2307.12108

[Submitted on 22 Jul 2023]

An Empirical Study & Evaluation of Modern CAPTCHAs
Andrew Searles, Yoshimichi Nakatsuka, Ercan Ozturk, Andrew Paverd, Gene
Tsudik, Ai Enkoji

For nearly two decades, CAPTCHAs have been widely used as a means of
protection against bots. Throughout the years, as their use grew,
techniques to defeat or bypass CAPTCHAs have continued to improve.
Meanwhile, CAPTCHAs have also evolved in terms of sophistication and
diversity, becoming increasingly difficult to solve for both bots
(machines) and humans. Given this long-standing and still-ongoing arms
race, it is critical to investigate how long it takes legitimate users to
solve modern CAPTCHAs, and how they are perceived by those users.
In this work, we explore CAPTCHAs in the wild by evaluating users' solving
performance and perceptions of unmodified currently-deployed CAPTCHAs. We
obtain this data through manual inspection of popular websites and user
studies in which 1,400 participants collectively solved 14,000 CAPTCHAs.
Results show significant differences between the most popular types of
CAPTCHAs: surprisingly, solving time and user perception are not always
correlated. We performed a comparative study to investigate the effect of
experimental context -- specifically the difference between solving
CAPTCHAs directly versus solving them as part of a more natural task, such
as account creation. Whilst there were several potential confounding
factors, our results show that experimental context could have an impact on
this task, and must be taken into account in future CAPTCHA studies.
Finally, we investigate CAPTCHA-induced user task abandonment by analyzing
participants who start and do not complete the task.

Comments: Accepted at USENIX Security 2023
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2307.12108 [cs.CR]
  (or arXiv:2307.12108v1 [cs.CR] for this version)

https://doi.org/10.48550/arXiv.2307.12108
Focus to learn more
Submission history
From: Yoshimichi Nakatsuka [view email]
[v1] Sat, 22 Jul 2023 15:36:13 UTC (1,815 KB)

Received on Thursday, 24 August 2023 17:17:48 UTC