October 11, 2022
Author: Stytch Team
Stytch is excited to announce Strong CAPTCHA, the newest addition to our product suite. Our modern take on anti-fraud protection tackles bot fraud at its root: on the backend site architecture.
In this article, we’ll first cover how CAPTCHA systems work and why they are vulnerable to attack. Then, we’ll dive deeper into how we designed Strong Captcha to overcome these vulnerabilities and how it can fit into your auth flow.
Humans are the minority on the internet today.
According to a recent report, over 60% of internet traffic is bots, and over 50% of that bot traffic is malicious. This malicious traffic takes many forms, including:
With the wide variety of threats bot attacks pose to human internet users, it’s no wonder over the past two decades we’ve seen a rise in the use of CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart.
We’ve all had to complete these tests at some point, whether it’s selecting images that contain a traffic light, typing in a word displayed in squiggly font, or even just checking a box that asserts we are not a robot. While the challenges appear relatively simple to end users, they are a main line of defense against bot attacks.
Unfortunately, CAPTCHA challenges today are engineered more for scale than security.
Specifically, CAPTCHAs are vulnerable to a cottage industry called CAPTCHA fraud, in which bad actors outsource solving the test to people on behalf of bots. These companies (also called “CAPTCHA farms”) exploit CAPTCHA’s public key architecture, in which each CAPTCHA instance is identified by a sitekey publicly visible in the web page’s source code. These sitekeys make it easy to get CAPTCHA services up and running with little backend infrastructure. Crucially though, they also make it possible for the person who solves the challenge to be in a different browser from the one used to submit the solution.
Like other (albeit more legitimate) SaaS businesses, CAPTCHA farms operate through APIs. Typically, the process looks something like this:
Though CAPTCHA farms employ humans, they typically boast a response time of < 60 seconds. Because of this, hackers can automate the API calls to CAPTCHA farms into their scripts, accelerating the speed and scale of their attacks. This turns CAPTCHA challenges into minor obstacles for bad actors, and opens up scalable attack vectors for bots. The result is added friction and costs on both users and business in the form of fraud, wasted resources, and time.
If CAPTCHA infrastructure is so vulnerable, why do so many people still use the public key architecture? Simply, it’s scalable. For companies who process thousands or millions of authentication attempts, public key architecture offers a fast, affordable way to get CAPTCHA up and running.
Fortunately at Stytch, we believe you shouldn’t have to trade scale for security. That’s why we created Strong CAPTCHA.
Strong CAPTCHA is functionally incompatible with how most image captcha solver services work today because we have removed the public site key entirely from the end user’s browser environment. With the sitekey unavailable to the end user, we’ve made it architecturally impossible for a CAPTCHA provider service to easily, and directly generate solutions for CAPTCHA-protected sites using attacker preferred, easy-to-use paid API pathways.
Without direct public-key access, malicious bots can no longer use these services to easily get through CAPTCHA challenges, strengthening the line of defense between a given site and bad actors. The best part? Strong CAPTCHA introduces zero additional friction to the end user’s experience: they get the same familiar CAPTCHA challenge on the frontend, with a more secure infrastructure on the backend.
At Stytch, we are laser-focused on helping our customers authenticate their users and verify their identity with minimal friction. By distinguishing bots from humans, Strong CAPTCHA adds another vital solution to our arsenal, and only makes the Stytch suite a more comprehensive auth solution for our customers.
While some of our customers may already have a CAPTCHA solution they’re looking to upgrade, we also recognize some companies may still be in the process of understanding where it fits into their authentication flow. You can always chat with an auth expert for more personalized guidance, but there are a couple key junctures where we generally find CAPTCHA to be helpful:
While you can technically introduce CAPTCHA at any point in your login flow, we believe our customers will be most successful if they only use it where it’s most needed. Authentication is a critical growth lever, and you don’t want to create any more hoops for users to jump through than you have to.
At the same time, CAPTCHA is just one piece of the authentication puzzle, and it’s important to think about how it fits into your complete customer journey and authentication experience. While we offer more detailed guidance on breach prevention on our blog, it’s safe to say we strongly advise our customers not to rely exclusively on any one given gateway, especially if that gateway is passwords. (For more information on some options to consider, check out our blog on step-up and multi-factor authentication flows).
As an example, your Strong CAPTCHA-enhanced authentication flow for account creation might look something like this:
Or, you might use it in your login flow like this:
These examples are just the tip of the iceberg for how to configure your authentication flow with Strong CAPTCHA. You can learn more about this solution or other products at stytch.com, or book time with one of our auth experts to see Strong CAPTCHA in action.
Whatever your questions or needs, we’d love to help you on your auth journey.