CAPTCHAs Easy for Humans, Hard for Bots

Proton is aiming for the sweet spot between security, privacy, and accessibility with its CAPTCHA.

Dark Reading Staff, Dark Reading

September 28, 2023

Illustration of a smiling robot sitting at a computer, checking off the box that says "I'm not a robot"
Source: Davyd Hruts via Alamy Stock Vector

Proton, the company behind the end-to-end encrypted Proton Mail, has released Proton CAPTCHA, a layered system to differentiate between humans and bots.

For the past decade-and-a-half, CAPTCHAs and reCAPTCHAs have served as resource gatekeepers to deter bots from creating fake accounts, spamming forms, and executing brute-force attacks to guess usernames and passwords. The idea is to set a task that must be completed before granting access — and to make it easy for a human to do but very difficult for a bot.

However, visual CAPTCHA challenges, such as transcribing a set of distorted characters or selecting all images with traffic lights, have become vulnerable to advanced image-analysis tools and human-solver services, while remaining annoying to legitimate users. Organizations concerned about potential privacy issues may not be comfortable with reCAPTCHAs (the "I am not a robot" checkbox) because they rely on behavioral analysis and on the server examining user history to winnow out suspicious users. Scammers are including CAPTCHA-solving services in their automated attacks, and the increased use of large language models (LLMs) is also worrying: A technical report on GPT-4's capabilities revealed that the LLM was able to persuade a human TaskRabbit worker to complete a visual CAPTCHA puzzle.

Proton CAPTCHA offering choice of two visual puzzles, Align Beams or Complete a Puzzle

Proton CAPTCHA consists of three levels of discernment: computational proof-of-work tasks, visual challenges, and bot detection that the company says preserves user privacy. The system presents proof-of-work challenges for the user's device to solve in the background, without bothering the user. Meanwhile, it also runs detection tests to look for botlike identifiers. Friendly Captcha and mCAPTCHA also perform those two steps. What Proton CAPTCHA adds is a visual puzzle to solve, akin to the original CAPTCHA. The combination of the three actions makes automated account creation and abuse more expensive, Proton says.
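
To make the proof-of-work layer concrete, here is an added sketch that is not Proton's code and does not appear in the original article: a hashcash-style challenge in which the client's device searches for a nonce while the server verifies with a single hash. The SHA-256 leading-zero-bits puzzle, the HMAC-signed stateless challenge format, and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os

SERVER_KEY = os.urandom(32)   # assumption: secret known only to the server
_spent = set()                # challenges already redeemed (in-memory for the demo)

def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(client_id: str, bits: int, now: float, ttl: int = 120) -> str:
    """Server: stateless challenge; the HMAC stops clients minting or editing one.
    client_id must not contain ':'."""
    body = f"{client_id}:{bits}:{int(now) + ttl}:{os.urandom(8).hex()}"
    return f"{body}:{_tag(body)}"

def solve(challenge: str) -> int:
    """Client: brute-force a nonce; expected cost is about 2**bits hashes."""
    bits = int(challenge.split(":")[1])
    nonce = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce

def verify(challenge: str, nonce: int, client_id: str, now: float) -> bool:
    """Server: one HMAC and one hash, however long the client had to work."""
    body, _, tag = challenge.rpartition(":")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False          # forged, or difficulty/expiry edited by the client
    cid, bits, expires, _salt = body.split(":")
    if cid != client_id or now > int(expires) or challenge in _spent:
        return False          # wrong session, expired, or replayed
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False
    _spent.add(challenge)     # single use
    return True

if __name__ == "__main__":
    now = 1_700_000_000       # constructed timestamp
    ch = issue_challenge("session-abc", 16, now)
    n = solve(ch)
    print(verify(ch, n, "session-abc", now + 3), verify(ch, n, "session-abc", now + 3))
```

Each extra difficulty bit doubles the client's expected work while the server's verification cost stays constant, which is the asymmetry that raises the price of bulk automated sign-ups.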
