Authentication - CAPTCHA

Core concepts

CAPTCHA: A test that differentiates humans from automated programs by requiring tasks easy for people but historically difficult for machines.
Human verification: The act of confirming that an interaction originates from a person rather than software, independent of authenticating identity.
OCR (Optical Character Recognition): Software that converts images of text into characters; progress in OCR weakened text-based CAPTCHAs.
AI threat to CAPTCHA: The reality that modern AI can solve or bypass many CAPTCHA challenges as well as or better than humans.

reCAPTCHA: A CAPTCHA system that used human input to transcribe scanned text and later to label images, then evolved into behavior-based screening.
NoCAPTCHA reCAPTCHA (v2): Google’s checkbox approach that analyzes behavior and context, falling back to image puzzles when confidence is low.
Invisible reCAPTCHA (v3): Background scoring of user interactions to assign a trust score without a visible challenge.
Image-based CAPTCHA: Challenges that require identifying objects in photos to demonstrate human perception.

CAPTCHA farm: A service that uses human labor to solve CAPTCHAs for bots, defeating the intended barrier.
Man-in-the-middle CAPTCHA attack: A relay attack where a bot forwards a challenge to a human solver and reuses the response.
Accessibility challenge: The usability problem that distorted text, small tiles, or noisy audio create barriers for users with disabilities.
User frustration: The drop in usability and increased abandonment caused by repeated or difficult CAPTCHA prompts.
Fake CAPTCHA attack: Malicious imitation of a CAPTCHA prompt used to trick users into executing code or divulging information.