It’s time to ditch the captcha in 2024
2024.05.10
Verification code and printer are the same thing
A few days ago, I handled some long-delayed matters online. One of them is to cancel your newsletter subscriptions that you no longer need. This was the last task of the day and I only had 5 minutes left to complete it. I used the link provided in the email to go to the company website.
To unsubscribe, I need to log into my account and check a box to deactivate email subscriptions. In theory this is a perfect task that can be completed in five minutes.
But on the login page, a verification code came to me to verify that I was human. Because I was in a hurry, I quickly clicked on all the photos showing sidewalks. Unfortunately, I missed one. So I started clicking photos quickly to complete this last task before my appointment at the dentist.
To my surprise, more and more photos came in and despite me constantly clicking on the sidewalk, I couldn't get through the verification. Five minutes passed and I gave up.
It's almost like a printer, the CAPTCHA seems to sense when you're in a hurry.
The birth and development process of verification code is quite dramatic.
In the field of computer science, Human-based Computation (HBC) and social media are one of the main research areas. CAPTCHA is a practical application of HBC, and the initial concept is exciting. According to Wikipedia, HBC is a computer science technology that performs the functions of a machine by outsourcing certain steps to humans, usually in the form of microwork.
The birth of verification code quickly became one of the practical applications of HBC. On the one hand, people classify items on photos, which is useful for training AI to perform the same task.
On the other hand, CAPTCHA also provides a certain level of security. Because at that time, people thought that robots could not solve the CAPTCHA problem. So in 1997, when Eran Reshef, Gili Raanan and Eilon Solan patented CAPTCHA, the technology was considered beneficial to everyone. The idea is great and the original author did a great job in inventing it.
But today, 14 years later, we can see that the development direction of verification codes has changed. Now, verification code is not just a security measure, its application scenarios and technical implementation have made great progress and changes. Although CAPTCHA was originally designed to improve the security of online services, over time its complexity has increased, often causing inconvenience to users, which has also triggered rethinking and discussion of the future direction of CAPTCHA.
Approximately 77,600 families are unable to build their homes in the United States each year because of CAPTCHAs .
This number comes from an astonishing calculation: In 2021, humans will waste 500 years solving verification codes every day, which is equivalent to 182,000 years per year. If you convert this time into money, based on the average American income, it would be equivalent to approximately $32 billion.
This funding is enough to build housing for 77,600 families in the United States each year. This shows what a huge waste of time and money CAPTCHAs are. These numbers may vary due to different assumptions and averages, but the fact is that the human time consumption of CAPTCHA is huge. While it may only take a few seconds to five minutes for an individual to solve a CAPTCHA, the total time it adds up is significant.
CAPTCHAs no longer effectively differentiate between humans and bots
In 2021, Nikolay Pankov wrote an article outlining the problem with CAPTCHAs, stating: “CAPTCHAs no longer reliably protect against intruders, and they annoy real users. In short , it may be time to abandon this outdated mechanism.”
The original intention of CAPTCHA is to protect online resources from bots and bad actors, with the goal of limiting the use of the resource. If a bot visits a page, it takes up valuable transmission bandwidth, which the company pays for. Therefore, we don't want robots visiting our website.
Not only that, but CAPTCHAs don’t protect against DDoS attacks, which can cause people to lose a lot of their savings. But we know that CAPTCHA hasn’t solved this problem for several years. Bots can easily solve CAPTCHAs, whether through AI or human support. Additionally, some bots even outsource the task of solving CAPTCHAs to others.
For example, a bot wants to post a comment with a link on a website, but the website requires it to solve a captcha. The bot then presents the same puzzle to visitors of a moderately useful app or website operated by the hacker. Therefore, hackers quickly exploited HBC to solve the HBC problem.
Overall, CAPTCHAs no longer offer any protection. It can no longer distinguish whether a visitor is a human or a robot for long periods of time.
Verification code discriminates against humans
There have been numerous reports that CAPTCHA discriminates against certain groups of people. For example, blind people would have difficulty solving audio CAPTCHAs (if such CAPTCHAs existed). This is actually not a new problem, we have known about it since around 2019.
It’s a little-known fact that CAPTCHAs can also discriminate against people based on nationality, race, geography, and other factors. For example, when you need to indicate which pictures are taxis, you may have difficulty if the taxis in the pictures are from another country.
Terence Eden summed it up this way in 2017:
Guess what, Google? In my country, taxis are usually black. I've seen enough movies to know that American taxi cabs are all yellow. But in every other country I've visited, taxis are a colorful mix.
Despite their flaws, CAPTCHAs are still widely used. Why is this?
Companies use CAPTCHAs solely for their own benefit.
It all comes down to money. CAPTCHA was originally invented as a human-based computing method to solve a real problem (distinguishing humans from robots).
Even though it failed at its core functionality, it is still used in human-based computing.
You see, the AI model doesn’t know what the sidewalk looks like. Companies must provide the AI with reams of photos and descriptions…
Through millions of repetitions, the AI was eventually able to tell the difference between a sidewalk and a cat.
In order to do this, companies building AI models must collect large amounts of classified data to train these AI models.
in conclusion:
- Captcha doesn't solve the problem (distinguishing between humans and bots)
- The human cost of CAPTCHA is huge (77,600 households per year)
- Only companies that provide CAPTCHA solutions benefit from it
Therefore, a very relevant question in 2024 is whether verification codes should continue to be used.