
CAPTCHA vs. Passkeys: Everyone hates CAPTCHAs - are passkeys the solution?

Explore drawbacks of CAPTCHAs for users and businesses, discover alternatives like Turnstile, Arkose and hCAPTCHA and learn how passkeys could replace CAPTCHAs.


Lukas R.

Created: November 30, 2023

Updated: June 3, 2024


Our mission is to make the Internet a safer place, and the new login standard, passkeys, provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.

1. Introduction

2. Drawbacks of CAPTCHAs

3. Alternatives to reCAPTCHA

4. Passkeys as the new CAPTCHA?

1. Introduction

"Is this a fire hydrant or a traffic cone? Does half of a tire count as a motorcycle?" - Everybody faces these questions when trying to solve CAPTCHAs, representing a growing frustration for internet users. What began as simple, distorted letters has morphed into an increasingly absurd obstacle in our online experience, often leaving us questioning the logic behind these puzzles. Read this article to learn more about drawbacks of CAPTCHAs, current alternatives and whether passkeys could replace CAPTCHAs!

Examples of tough CAPTCHA challenges

2. Drawbacks of CAPTCHAs

CAPTCHA, an acronym for "Completely Automated Public Turing Test to Tell Computers and Humans Apart" (fortunately not CAPTTTCHA), serves an essential purpose on the internet: preventing bots from performing tasks intended for humans, such as sign-ups or submitting forms. Without CAPTCHAs, the internet would be a far more spammy and infested space. However, the design of CAPTCHAs comes with significant drawbacks:

For Users:

  • UX: Everyone can agree that CAPTCHAs are an annoying and frustrating experience. Sometimes they are tough to crack and pretty time-consuming. Can you believe that people spend 500 years per day solving these puzzles?
  • Accessibility: Visually impaired users often struggle with CAPTCHAs, finding even the audio versions challenging.
  • Data Privacy: Google's reCAPTCHA has often raised concerns about privacy, firstly because they collect a lot of personal user data and secondly because they use the tests to train their AI Models.

For Businesses and Servers:

  • User Drop-off: Around 15% of users abandon CAPTCHAs, adversely affecting conversion rates. Imagine running a web store with 200 customers per day and losing 30 of them every day to CAPTCHA frustration: this drop in conversion rate is more than unacceptable.
  • GDPR Compliance Issues: European companies face challenges with reCAPTCHA's compliance with GDPR, as it transmits data like IP addresses and cookies to US servers without explicit user consent.
  • Bot Efficiency: Ironically, CAPTCHAs are increasingly solvable by bots, especially through audio-to-text conversion.

3. Alternatives to reCAPTCHA

In the quest for better bot prevention and human authentication solutions, it's essential to evaluate alternatives based on three crucial criteria: a smooth UX for the human user (especially for visually impaired people), a low price for the website owner and a safe detection of bots.
Let's look at a few alternatives:

Turnstile (Cloudflare)

Cloudflare has been very transparent about its struggles with CAPTCHA and bot prevention over the last years. In 2022, they took these challenges head-on by developing "Turnstile," their own bot prevention software.

Turnstile excels in user experience by simplifying the process to a mere checkbox click while performing multiple tests in the background. These include checking browser characteristics, utilizing native browser APIs, and conducting lightweight tests like proof-of-work and proof-of-space. The absence of audio backups eliminates a loophole for bots and reduces complexity for visually impaired users. In fact, Cloudflare states that less than 1 in 10,000 interactions require solving a CAPTCHA. Surprisingly, Cloudflare offers its product in a free plan with unlimited volume, making it highly accessible for website providers of all sizes.

Demo of Cloudflare's Turnstile

Arkose Labs

Arkose Labs takes a distinct path compared to Cloudflare. Instead of minimizing human input, it focuses on making the challenges for humans more user-friendly, fun, and quick.

Like all other providers, Arkose Labs aims to minimize manual user tests through automatic browser checks and background data analysis. But when a case is not categorizable with certainty, it offers creative and engaging formats like animal rotation tasks or image selection puzzles with specific criteria. It's a question of taste whether people like these test formats more than traditional CAPTCHAs: while they may be more creative and fun, they still need to be done and add a friction point in the web experience. Arkose Labs prides itself on designing tests that are challenging for bots. The unique and constantly evolving nature of these challenges makes them a formidable barrier against automated solutions.

Arkose Labs Challenge Examples

hCAPTCHA

hCAPTCHA positions itself as a privacy-centric alternative to Google's reCAPTCHA, maintaining conventional CAPTCHA methodologies while addressing privacy concerns.

While it offers more robust options for visually impaired users, hCAPTCHA still relies on traditional CAPTCHA puzzles, which can be a friction point for users (Who likes to select images with chickens on a tree?). Regarding privacy, hCaptcha stands out for not selling personal data and collecting only the minimum necessary information, making it a more privacy-conscious choice. In fact, Cloudflare switched from reCAPTCHA to hCAPTCHA in 2020 before working on their own solution.

hCAPTCHA Challenge examples

friendlyCAPTCHA

Like hCAPTCHA, friendlyCAPTCHA addresses Google's reCAPTCHA's shortcomings, particularly around data privacy and GDPR compliance.

FriendlyCAPTCHA improves the user experience by conducting background checks and only triggering manual checks in suspicious cases, similar to Cloudflare's Turnstile. As a Germany-based company, it also assures complete GDPR compliance which can be a critical factor for European businesses. Sounds awesome, right? But of course, there is a trade-off: friendlyCAPTCHA has a higher price than its competition. Although it starts at a reasonable €9 monthly, the cost escalates with the number of users, making it potentially expensive compared to free alternatives.

friendlyCAPTCHA challenge example


4. Passkeys as the new CAPTCHA

It seems like the three criteria UX, price and safety are rarely achieved altogether. Every company offers advantages in a few areas but also has drawbacks in another. So, will there ever be a way to prove human interactions? A possible answer could be passkeys!

Unlike traditional passwords or CAPTCHAs, a passkey is a unique digital representation of a user, which can assert their presence and confirm specific hardware specifications. This could promise a smoother user experience, similar to Google's "Google One Tap" service, which allows effortless account creation or logins with just a click. Also, soon almost everybody will own at least one passkey, as we've elaborated in a past blog article.

However, the current security and technical feasibility of passkeys doesn't yet meet the theoretical opportunity at 100%. While passkeys streamline user authentication, they don't fully detail how user verification is done on all devices and operating systems. For some, hardware attestation is not supported, meaning that the hardware involved in the processes around passkeys is not checked. Also, attestation only gives the server the information that the user was verified, but not more information, e.g. about the method used for verifying human presence. Surely these aspects will improve in the near future, paving the way to possibly use passkeys instead of CAPTCHAs. The general potential of passkeys in the web space is significant since they could eliminate much more than "just" passwords, reducing UX friction and enhancing security. For example, they could also offer the potential for more personalized web experiences, like setting privacy options and user preferences automatically based on an individual's passkey (without compromising the user's real identity as they would not collect personal information like email addresses at first).
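To make the limitation above concrete, the following added example (not Corbado's code and not part of the original article) parses the fixed header of WebAuthn authenticator data and reports the strongest human-interaction claim a server can read from it. The function names and the `example.com` RP ID are hypothetical, the sample bytes are constructed, and the assertion signature is assumed to have been verified already.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the authenticator data "flags" byte, as defined by WebAuthn.
FLAG_UP = 0x01  # user present (e.g. a touch)
FLAG_UV = 0x04  # user verified (PIN or biometric, method not disclosed)
FLAG_BE = 0x08  # credential is backup eligible
FLAG_BS = 0x10  # credential is currently backed up


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    return AuthData(rp_id_hash, bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                    bool(flags & FLAG_BE), bool(flags & FLAG_BS), sign_count)


def presence_signal(raw: bytes, expected_rp_id: str) -> str:
    """Return 'verified', 'present' or 'none' for a signature-checked assertion."""
    data = parse_authenticator_data(raw)
    if data.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if data.user_verified:
        return "verified"  # no field says whether it was a PIN, fingerprint or face
    if data.user_present:
        return "present"
    return "none"


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticator data for the demo (not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    for flags in (0x05, 0x01, 0x00):
        print(hex(flags), presence_signal(build_sample("example.com", flags, 7), "example.com"))
```

The UP and UV bits are the whole of what the server learns about the human interaction, which is why a passkey assertion alone does not yet carry the detail a CAPTCHA replacement would need.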

At Corbado, we are excited to be at the forefront of developing and exploring passkey technology, contributing to a more seamless and secure internet. To stay up to date and never miss an important development, subscribe to our passkeys Substack or join our passkeys community on Slack.
