You have probably had to type a code made of letters and numbers, pick images that share a theme, or tick a box saying you are not a robot to complete a login on a website. These actions are part of CAPTCHA and reCAPTCHA, two very common digital security measures that validate access and prevent bot attacks that use your password. Read on to learn more about these two processes.
What is CAPTCHA?
CAPTCHA example with text (Image: Reproduction/CAPTCHA.net)
CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart”. Conceived by Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford in the year 2000, this test is used to determine whether an access is being made by a human or by a bot that tries leaked passwords and random combinations.
The original version of the CAPTCHA uses a distorted combination of letters and numbers and requires the user to type the terms correctly to authenticate the request to a website. There are also accessibility features to hear the description of each digit. This simple character distortion is difficult for bots to read and has contributed to reducing the number of spam accounts created by computers.
What is reCAPTCHA?
In 2007, a new adaptation of the CAPTCHA was introduced, called reCAPTCHA. It works in a very similar way, but expanded the use of texts and words. Using machine learning, the original system was able to identify a greater number of distorted letters, and it started to include random words from newspapers and old books in the test box.
Thus, in addition to authenticating accesses, the service was also used to digitize old editions of the New York Times. Google acquired reCAPTCHA in 2009 and started using the technology to digitize editions in Google Books as well. The system quickly learned to identify text, and the text test became more vulnerable to bots. The format of the authentication had to be varied to keep access control working.
After some changes, reCAPTCHA started to introduce image recognition to validate accesses, in a format still widely used today. The test box displays a grid of 9 to 16 different images and prompts users to select all photos with a common element to continue. Typically, traffic lights, road signs and vehicles are used for verification.
Verification could be done with one click (Image: Reproduction/Google Security Blog)
In 2014, reCAPTCHA v2 was launched. This update allowed you to authenticate your access in a single click, by checking the “I’m not a robot” box. As it does not require an identification test, this process was also called “No CAPTCHA reCAPTCHA”.
The technology works in the background as pages load and analyzes behavior patterns to estimate whether the visitor is a human or a bot. In this scenario, it considers factors such as screen time, click region, and other information to determine the probability. If the analysis results in low risk, it is only necessary to check the first box.
Some cases are inconclusive at this stage, so the system prompts you for a second check, this time using images — don’t worry, you’re not turning into a robot. There is also the possibility of inserting an invisible reCAPTCHA seal on the website, activated by clicking on a specific button configured on the page.
reCAPTCHA v3 and reCAPTCHA Enterprise
The third version of reCAPTCHA was released by Google in 2018 with one big advantage: the validation process does not require any user interaction. To do this, the system runs several automatic CAPTCHA tests as the user navigates the page and assigns a score to each access. Low scores mean a high risk of bots being present and, consequently, more verification actions are required.
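How a site's back end might act on that score, as an added example that is not from the original article or from Google: the dictionary keys are the fields of the JSON returned by reCAPTCHA's siteverify endpoint, while the threshold, the age limit, the hostname `shop.example` and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SCORE_THRESHOLD = 0.5                   # assumption: tune per action from real traffic
MAX_TOKEN_AGE = timedelta(minutes=2)    # assumption: reject older tokens as stale


def decide(verify, expected_action, expected_hostname, now):
    """Map a parsed siteverify response (dict) to 'allow', 'step_up' or 'reject'."""
    # Failed verification (invalid, expired or already-used token): never trust it.
    if verify.get("success") is not True:
        return "reject"
    # Bind the token to our site and to the action being protected, so a token
    # earned elsewhere cannot be replayed against a sensitive endpoint.
    if verify.get("hostname") != expected_hostname:
        return "reject"
    if verify.get("action") != expected_action:
        return "reject"
    try:
        issued = datetime.fromisoformat(str(verify["challenge_ts"]).replace("Z", "+00:00"))
        age = now - issued
    except (KeyError, ValueError, TypeError):
        return "reject"
    if age > MAX_TOKEN_AGE or age < -timedelta(seconds=30):
        return "reject"
    score = verify.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject"
    # Low score = higher bot risk: ask for more verification instead of trusting it.
    return "allow" if score >= SCORE_THRESHOLD else "step_up"


# Constructed sample responses (not captured from a real site).
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
_BASE = {"success": True, "hostname": "shop.example", "action": "login",
         "challenge_ts": "2024-05-01T12:00:30Z"}
SAMPLES = {
    "likely_human": {**_BASE, "score": 0.9},
    "likely_bot": {**_BASE, "score": 0.1},
    "wrong_action": {**_BASE, "score": 0.9, "action": "homepage"},
    "failed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, "->", decide(resp, "login", "shop.example", NOW))
```

A "step_up" result is where the site would trigger the extra verification the paragraph mentions, such as a second factor or an image challenge.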
In 2020, reCAPTCHA Enterprise was launched, aimed at companies and with paid plans for sites with more than 1 million validation calls per month. The latest version has even tighter integration with Google Cloud and offers a customizable experience for administering websites, in which risk factors can be adjusted with two-step checks and other specific factors.
Source: Candid Technology, Google Blog, Google Developers, Google Security Blog, Vox