Over a drink at a recent meetup event, a usually savvy online developer seemed to think that two-factor authentication is a valid replacement for CAPTCHA. We’ve had a number of conversations like this recently and it’s troubling. It illustrates that even professionals in the online security field do not understand the inherent differences in how the two technologies should be used. Essentially: they solve very different problems.
Two-factor authentication (referred to as 2FA) is a security process that combines two security components to properly identify an individual looking to carry out a task – usually when logging into a secure account or performing a specific action within a secure account. For example, your bank may send an approval code to your phone when you send a large money transfer. It is used to doubly verify that you are authorised to perform that action.
It does not prove that there is a human completing this action. In fact, two-factor authentication is quite easy to bypass with bot automation. Our white hat partners have illustrated just how easy it can be to acquire the phone numbers necessary to automate abuse.
Take this example: you’re a ticket scalper looking to buy tickets in bulk for an upcoming show. If there is no CAPTCHA, all you would have to do is log in once to each account (complete the 2FA if required, or automate that also) and then have your bots use those accounts to snap up as many tickets as possible. Without a CAPTCHA preventing the bots from accessing the actual ticket sales pages, 2FA is no help at all in preventing the tickets from being purchased faster than humans can complete the same actions.
But CAPTCHA is a test to provide human verification and a good CAPTCHA will prevent bots from automating such actions.
Other concerns when considering 2FA as a CAPTCHA alternative are conversion and privacy. Not everyone will want to provide a phone number, or install an authentication app for each new website they visit. Conversion rates plummet when 2FA is implemented, which is bad for business.
So please… When considering security for your web business, ensure that you understand the primary strengths of all available options. Two-factor authentication is not a valid replacement for CAPTCHA whenever privacy, conversion or human verification are priorities.
28 Aug 2015
Our founder and CAPTCHA expert Matthew Ford elaborates on what spam posting is, how massive companies like Blizzard still suffer from it and how these websites can stop it – not with annoying letters (or secretive black boxes), but with skill.
FunCaptcha is the only company dedicated to providing an interactive and engaging mini-game style CAPTCHA service that also completely stops spam posting. We can even generate revenue – if you’re into that sort of thing.
27 Jul 2015
Did you know that FunCaptcha is the only company in the world that is 100% focused on improving human verification via CAPTCHA? We really are the CAPTCHA experts!
With great power comes great responsibility, so one of our founders, Matthew Ford, has taken it upon himself to solve the world’s CAPTCHA problems one video at a time.
20 Jun 2015
The purpose of a CAPTCHA is simple: protect a website from malicious attacks (i.e. spammers) by being difficult/impossible for bots but easy enough to let humans through. But what happens when the most commonly used CAPTCHA service can be solved with 97%+ accuracy by the very bots it was designed to beat?
For over a decade, text-based CAPTCHAs have been the popular choice for this task. They grab a word (usually English), warp it into a shape not commonly seen and then ask users to type the words they see. Some text CAPTCHAs even use a random assortment of letters and numbers in an attempt to hinder the bots even more. The issue? Programs that use optical character recognition (OCR) software read the distorted text and allow bots through to websites that relied on the security service to prevent that very thing from happening.
This, unfortunately, is a common problem. By design, text CAPTCHAs have a shelf life – in order for them to remain difficult for bots, they have to become increasingly harder for humans. It appears that we’ve reached the ceiling for text CAPTCHA effectiveness, which is a big motivation for our creation of FunCaptcha.
The internet was built on innovation and that’s exactly what we’re doing with FunCaptcha – innovating an area of web security that sorely needs it.
Update: watch co-founder and CAPTCHA expert, Matthew Ford, go into detail on this topic in our new video series!