Saturday, October 27, 2007

Using unobtrusive javascript as a captcha

I have been reading and thinking about captchas lately. Captchas are a frequently used way to tell humans and computers apart. Their main use is in preventing robots from accessing certain parts of the site, the registration section for example, or the comments sections of articles.

Current captchas have some problems


Current captchas have some serious disadvantages:
* They can completely lock out disabled users
* They can be too difficult for humans to solve on some occasions
* They can be beaten by sufficiently intelligent AI
* They can be a lot of work to create (logic/puzzle-based captchas)
* They are obtrusive

Most of these problems can be solved to some degree with traditional image, audio or logic/puzzle based captchas. You can provide an audio captcha as an alternative to an image-based captcha to greatly improve accessibility for the visually impaired, as proposed by Standards Schmandards (and in use on lots of sites already). You can tweak the saturation, noise and deformation of the images and audio samples used to maximize ease of use for people and minimize robots' ability to pass the test, but the last problem remains.

They are so darn obtrusive. I myself completely understand what they are for and still find them annoying! Especially the difficult-to-solve ones, which make me feel I have to take an IQ test before being allowed to register. So how will people who don't understand or care why it is even necessary feel about them?

I have been coming up with an alternative to captchas that could potentially solve the last problem while retaining the advantage of captchas: the ability to filter out form posts done by robots instead of legitimate human users.

A solution?


My solution works as a layer above the traditional captchas. And being on this blog, it's obviously based on Javascript. It works on the premise that real humans have to type in the message they want to post, like real humans do. Recent research suggests that each person has unique typing characteristics that might even be used as identification.

Here is how I think it might work in practice.
Below the form fields, but just above the submit button, are a traditional image and audio based captcha, as a fallback option for clients that have no javascript. The form itself is marked with a class, for example 'captcha', that triggers an unobtrusive piece of javascript to attach itself to the form and hide the traditional captchas. As the user fills in the form, metadata is captured on the process of filling in the form. What time did the first character get entered into some form field (process-start)? What time did it get submitted (process-end)? How many characters were entered (determines avg. typing speed), the biggest and shortest interval between keystrokes, etc. On form submit, the captured data would be inserted into an extra hidden field and posted to the server along with the rest of the form. The captured data would be analysed on the server for anomalies and suspect posts would be rejected.
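A sketch of the capture and analysis steps described above, as an added example that is not code from this post. The field names, the thresholds and the sample timings are assumptions; the hidden field is client-controlled, so the server side parses it defensively and treats anything malformed as suspect.

```javascript
// Added example. Field names and thresholds are assumptions for illustration.
const MAX_CHARS_PER_SEC = 15; // assumed ceiling for sustained human typing
const MIN_KEY_COVERAGE = 0.5; // assumed: at least half the characters were typed

// Client side: reduce keydown timestamps (ms) to the metadata the post lists.
function summarizeTyping(keyTimes, submittedAt) {
  const gaps = keyTimes.slice(1).map((t, i) => t - keyTimes[i]);
  return {
    processStart: keyTimes.length ? keyTimes[0] : null,
    processEnd: submittedAt,
    keystrokes: keyTimes.length,
    minInterval: gaps.length ? Math.min(...gaps) : null,
    maxInterval: gaps.length ? Math.max(...gaps) : null,
  };
}

// Server side: the hidden field is attacker-controllable input, so anything
// missing, malformed or implausible marks the post as suspect.
function assessSubmission(hiddenField, messageLength) {
  let m;
  try { m = JSON.parse(hiddenField); } catch (e) { m = null; }
  if (m === null || typeof m !== "object") {
    return { suspect: true, reasons: ["metadata missing or unparseable"] };
  }
  const nums = [m.processStart, m.processEnd, m.keystrokes, m.minInterval, m.maxInterval];
  if (!nums.every((n) => Number.isFinite(n))) {
    return { suspect: true, reasons: ["metadata incomplete"] };
  }
  const reasons = [];
  const seconds = (m.processEnd - m.processStart) / 1000;
  if (seconds <= 0) reasons.push("non-positive duration");
  else if (messageLength / seconds > MAX_CHARS_PER_SEC) reasons.push("typing too fast");
  if (m.keystrokes < messageLength * MIN_KEY_COVERAGE) reasons.push("too few keystrokes");
  if (m.keystrokes > 5 && m.minInterval === m.maxInterval) reasons.push("uniform intervals");
  return { suspect: reasons.length > 0, reasons };
}

// Constructed sample data: an uneven human-like rhythm and an evenly spaced script.
const humanTimes = [0, 180, 420, 530, 900, 1150, 1400, 1720, 2100, 2350];
const scriptTimes = [0, 10, 20, 30, 40, 50, 60, 70, 80, 90];
const human = assessSubmission(JSON.stringify(summarizeTyping(humanTimes, 3000)), 10);
const scripted = assessSubmission(JSON.stringify(summarizeTyping(scriptTimes, 100)), 10);
console.log(human, scripted);
```

In the browser, the timestamps would come from a keydown listener attached to the form marked with the 'captcha' class, and the JSON summary would be written into the hidden field on submit.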

Of course, this could trigger an arms race again, but this time, we don't have to force the user to jump through any hoops. Instead, we have to capture more and better metadata while the spammers have to get better and better at emulating real users' typing characteristics.

I'm still playing with this idea in my head. The basic implementation is not that difficult to build, but the typing characteristics analysis seems difficult. Any ideas?

Monday, October 15, 2007

My Javascript blog

Well, it's finally here.