Thursday, October 14, 2010

CAPTCHA A La uniPaaS – Technology and Usability Guidelines

You may not know what CAPTCHA truly means or what the acronym stands for but most probably you have been using it more than once in various web forms.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, which in simple words is it a sort of a challenge test that is intended to make sure the party that responds to the challenge is human and not a machine.

The common use for CAPTCHA in submit forms is an image showing a sequence of randomly distorted and etched over characters which most computers are not able to identify the distorted characters. In most cases only humans can decipher the characters in the image. So the test is very simple, if the typed in characters sequence match the sequence used to generate the CAPTCHA image, then most likely the entity that typed in the sequence is human and not a machine.

CAPTCHA is used to avoid spamming web servers by automating the submission process. The requirement for a mandatory parameter which is dynamically changing and cannot be resolved by a machine makes such automation impossible.

If you are creating a browser-based application which utilizes regular HTTP posts for server interactions, and there is a risk of users to abuse the option of data submission, it is advisable to add a CAPTCHA image recognition module in your submit forms.

When creating or choosing a CAPTCHA module, you should take into consideration the following principles and guidelines.

Technology Guidelines
  1. The first, somewhat trivial guideline, is to make sure the submit process cannot be completed without fulfilling the CAPTCHA challenge. There are cases in which CAPTCHA module is placed as part of the submit form, and the page scripts prevents completing the submit process, but the data can still be submitted by generating the HTTP Post URL eternally.
  2. Keep the string comparison logic on the server side. Do not pass the expected string to the client to make the comparison resolution on the client side. This can be easily tracked down and utilized for automating the submission.
  3.  Avoid generating the Image on the server and stream it directly to the client. Keeping a physical copy of the image is redundant.
  4.  Make the image generation truly random. Some take the easy path of producing a large collection of pre-generated images. Pre-generated images can be traced and logged b ya malicious end-user to later on be used for automatic submission.

Usability Guidelines
From the end-user point of view CAPTCHA is just a hassle. And when the end-user fails to complete the challenge successfully due to various difficulties, the experience becomes very negative.
  1. There are many libraries and modules that produce distorted and noise covered characters. Some produce too much distortion that even most humans cannot decipher. Make sure the text can still be discerned.
  2. Do not use mixed characters cases. Do not have both lower case and uppercase appear in your CAPTCHA images, many times it is quite difficult to discern lower lowercase c or upper case C. Either choose one character case and stick to it or make the text validation to be case insensitive. In any case, let your users know how characters case is handled.
  3. Do not use all letters and numbers. Some characters are very similar, for example the digit zero and the letter O. Filter out characters that may be confused with others.
  4. Allow the end-user to change the image to a different one in cases the end-user is unable to figure out the displayed text.
  5. For greater accessibility, especially for those with impaired vision, add audio option to the image that recites the displayed characters.
  6. Do not annoy the end-user with too many CAPTCHA challenges in case subsequent submissions are expected that also require human identification. Simply keep the first CAPTCHA positive result persistent on the server side for the entire user context\session.
  7. Inform end-users about the mechanism, add a link\button to open up a text box explaining the mechanism and the need for it.

CAPTCHA A La uniPaaS Example
Click on the image below to run a uniPaaS example for integrating CAPTCHA and handling it.

In the next posts I will describe in details how this CAPTCHA example was achieved in uniPaaS.


1 comment:

  1. Hi,

    Where can I find your post about the details of the CAPTCHA example development?