E-mail List Archives

RE: CAPTCHA alternatives for commercial product?

From: Austin, Darrel
Date: Dec 13, 2005 9:40AM



> We had a great meeting talking about security measures that
> could be added to the forms to ensure that only real users
> will be able to log-in.

Wouldn't adequate username/pwds be enough for that?

Captchas are really only useful for preventing automated responses to
non-password protected forms.

The traditional captcha...an image with distorted text...is a pain in
the ass for even fully sighted folks. (IMHO, of course). Personally,
captchas make the user experience worse, not better.

*If* one must have a captcha, I'd use a very simple text-based one:

- enter the letter 'd':
- type the number one:
- what's the first letter of the alphabet:

Etc.

These are like your logic ones, but are even simpler than that.
After all, a captcha is just to see if a person is a human.

These would be the most accessible (albeit there might be some language
issues and/or cognitive comprehension issues).

I've also read a little bit about human-tests that don't require any
human input. These are typically used to prevent blog comment spam and
consist of passing random querystrings or hidden text fields. Not sure
if that would apply outside of the context of blog commenting, though.

Personally, I don't consider captchas a form of security, as any human
can 'crack' it anyways.

> 5) Multi - channel distribution
> This involves sending the user an SMS to confirm or ask him
> to call a hotline to confirm his identity

That would be real security, and I'd group that in a different category
than the captchas.

-Darrel
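
The "random querystrings or hidden text fields" idea mentioned in the message above, sketched as a server-side check. This is an added example, not part of the original message; the field names, time limits and in-memory nonce store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the client
HONEYPOT = "website"   # hypothetical field name; rendered but hidden from people with CSS
TOKEN = "form_token"   # hypothetical hidden field carrying the signed random value
MIN_SECONDS = 3        # assumption: a person needs at least this long to fill the form
MAX_SECONDS = 3600     # assumption: a served form is valid for one hour
_used_nonces = set()   # in-memory for the example; a real site needs shared storage


def _sign(nonce, ts):
    return hmac.new(SECRET_KEY, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value to embed in the hidden field when the form is served."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{nonce}.{ts}.{_sign(nonce, ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT, "").strip():
        return False, "honeypot filled"       # people never see this field
    parts = form.get(TOKEN, "").split(".")
    if len(parts) != 3:
        return False, "token missing or malformed"
    nonce, ts, mac = parts
    if not hmac.compare_digest(mac.encode(), _sign(nonce, ts).encode()):
        return False, "token forged"
    age = now - int(ts)                        # safe: ts was covered by the MAC
    if age < MIN_SECONDS:
        return False, "submitted too fast"
    if age > MAX_SECONDS:
        return False, "token expired"
    if nonce in _used_nonces:
        return False, "token replayed"
    _used_nonces.add(nonce)
    return True, "ok"
```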