3

CAPTCHAs have a lot of downsides, accessibility and user friendliness are two things that are often sacrificed.

I've thought of an idea that might work really well, has this ever been attempted before?

Prerequisites

The prerequisite for it is that email verification must be a requirement on your website, which is currently very common.

Initial Process

  • User/robot signs up
  • User/robot notified that email verification is required
  • Email dispatched in HTML format

Verification Link in Email

The email link will include the verification link. For the example, I've given the link 3 querystring parameters:

  • UID - ID of user registering
  • Code - Unique code for activation
  • F - Fail flag

It will render as follows:

[image: the rendered email, showing a single link displayed as http://www.example.com/Verify]

But the HTML in the email is as follows:

Thank you for registering!<br /><br />

To activate your account, please click on the link below:<br /><br />

<a href="http://www.example.com?UID=27&Code=GR452AF&F=1">h</a><a href="http://www.example.com?UID=27&Code=GR452AF&F=2">ttp://www.example.com/Verify</a>

<br /><br />
Regards<br />
Tom

Outcome

The assumption here is that the robot will either click the fail link as it's first in the email, or it will click both links.

  • If both links are clicked, we can mark them as a potential bot.
  • If only the first link is clicked, we can mark them as a potential bot.
  • If the second link is the only one clicked, we can assume they are a legitimate user.

Review

Downsides:

  • HTML emails for client must be enabled or it will be very confusing for the end client
  • A small % of clicks in the honey pot area of links (however, you could probably hide this H link with some more HTML, but that risks confusing end users depending on how you approach this so I wouldn't try)

Benefits

  • It's not a binary pass/fail. If the fail link is clicked, then you can manually review the account, or resend an activation link.
  • It's accessible (as long as the client enables HTML email)
  • It's non-interruptive for user friendliness; the flow for the user is natural and they won't know they've just passed a CAPTCHA test

If this method has a lower false positive rate than traditional methods, it's worth having. Not only that, but it's an invisible verification process from the genuine user's point of view.

Thoughts? Criticisms? Has this been done before?

Tom
  • 681
  • 6
  • 15
  • 4
    I think it's generally a bad idea to assume users will do the most intuitive thing. (Which is, in this case, clicking the link outside the `h`.) – Maxpm Apr 21 '11 at 16:48
  • @Max, every CAPTCHA will have limitations; the question, though, I suppose, is: will more users fail by clicking the h link, or will more fail/be put off by a traditional CAPTCHA? Also the H link being clicked can simply mark the account as suspect, and limit their abilities until they have been manually verified. – Tom Apr 21 '11 at 16:50
  • Also keep in mind that some users do not receive email in HTML format. Many such emails will say something like "Click the link below, or copy and paste it into your browser's address bar." – Travis Christian Apr 21 '11 at 16:50
  • 1
    Biggest problem I see is how you will handle `plain/text` emails, which is what robots are most likely to read. If you aren't providing plain text as a way to thwart the problem I've laid out, you've already failed (imo). – Kevin Peno Apr 21 '11 at 16:58
  • 1
    This seems like a better fit for [User Experience.SE](http://ux.stackexchange.com). –  Apr 21 '11 at 17:06
  • @Mark, is there a way to mark off-topic for other sites not in the list of common off-topic sites? – Kevin Peno Apr 21 '11 at 20:09
  • @Kevin You can flag the question for moderator attention and mention the site in the "other" textbox. Although we generally don't migrate to beta sites. – Adam Lear Apr 21 '11 at 20:17

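The scheme described in the question (a decoy link wrapped around the first character of the displayed URL, the real activation link around the rest, and the three outcomes listed under "Outcome"), written out as a small server-side model. This is an added example, not code from the question or from any site; `VerificationService`, `PendingVerification` and the `/Verify` endpoint are assumed names. One deliberate change from the question's URL layout: the link type is not exposed as a visible `F=1`/`F=2` flag but as two opaque random tokens mapped to "decoy" or "real" server-side, so a client cannot tell which link is which by inspecting the URL.

```python
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingVerification:
    """One user's outstanding email verification (constructed in-memory record)."""
    uid: int
    decoy_token: str          # token behind the honeypot ("fail") link
    real_token: str           # token behind the genuine activation link
    clicked: set = field(default_factory=set)   # subset of {"decoy", "real"}


class VerificationService:
    # Hypothetical endpoint; the question shows http://www.example.com/Verify
    BASE_URL = "http://www.example.com/Verify"

    def __init__(self):
        self.pending = {}    # uid -> PendingVerification
        self.by_token = {}   # token -> uid, so a click can be resolved to a user

    def issue(self, uid):
        """Create two unguessable tokens for a freshly registered user."""
        pv = PendingVerification(uid, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self.pending[uid] = pv
        self.by_token[pv.decoy_token] = uid
        self.by_token[pv.real_token] = uid
        return pv

    def link(self, token):
        # Only the opaque token travels in the URL; no visible fail flag.
        return f"{self.BASE_URL}?Code={token}"

    def render_email(self, uid):
        """HTML body in the question's layout: decoy anchor on the first character
        of the displayed URL, real anchor on the remainder."""
        pv = self.pending[uid]
        decoy = html.escape(self.link(pv.decoy_token), quote=True)
        real = html.escape(self.link(pv.real_token), quote=True)
        shown = self.BASE_URL
        return (
            "Thank you for registering!<br /><br />\n"
            "To activate your account, please click on the link below:<br /><br />\n"
            f'<a href="{decoy}">{html.escape(shown[0])}</a>'
            f'<a href="{real}">{html.escape(shown[1:])}</a>\n'
            "<br /><br />Regards<br />Tom\n"
        )

    def record_click(self, token):
        """Resolve a clicked token, remember which link it was, return the
        current classification (None for an unknown token)."""
        uid = self.by_token.get(token)
        if uid is None:
            return None
        pv = self.pending[uid]
        pv.clicked.add("decoy" if token == pv.decoy_token else "real")
        return self.classify(uid)

    def classify(self, uid):
        """The question's three outcomes: decoy alone or both links -> suspect,
        real link alone -> verified, nothing yet -> pending."""
        clicked = self.pending[uid].clicked
        if "decoy" in clicked:
            return "suspect"
        if "real" in clicked:
            return "verified"
        return "pending"


if __name__ == "__main__":
    svc = VerificationService()
    pv = svc.issue(27)
    print(svc.render_email(27))
    print(svc.record_click(pv.real_token))   # verified
    print(svc.record_click(pv.decoy_token))  # suspect (both links clicked)
```

Because the decision is "suspect" rather than a hard reject, a click on the decoy can be routed to the manual review or re-send path the question mentions, while a legitimate user who only clicks the visible link is verified without ever seeing a challenge.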
4 Answers

11

I think this is a bad idea for two reasons:

1) True accessibility. Think of blind people who have their email read to them by the system.

2) Easy to get around. What good is a captcha that someone can write one line of code to beat? If that is all you want you can just ask them what 1+1 is.

Brad
  • 1,161
  • 1
  • 12
  • 14
  • +1 for 1+1, or something like that. – Kevin Peno Apr 21 '11 at 16:59
  • Indeed. The proposed solution will beat any system currently available, but it won't be long at all before they can patch and workaround this challenge. For example, a link can be randomly selected. Overall, it will be defeated many times. Also CAPTCHAS are being broken by mechanical Turk like projects anyway. – Macneil Apr 21 '11 at 17:03
  • It would be fairly easy to create a solution based on this that randomises fail codes/positions/count of links so it isn't fixed. – Tom Apr 21 '11 at 17:09
  • 1
    If the robot can pass the captcha 1 in 10, you have failed. The robot can click on the longest one, the one with the darkest and largest font, the one that says click here, etc. – Brad Apr 21 '11 at 17:25
4

The problem is that this sort of approach works only so long as it is sufficiently rare that bot writers can't be bothered to code for it. As soon as this sort of approach becomes slightly widespread, bot writers will simply modify their code to defeat it. There are plenty of sites that have relatively simple-to-defeat systems (i.e. answer a simple arithmetic problem, type "I am a human" in a box, etc.) that work because they are sufficiently idiosyncratic and the sites sufficiently low profile that it isn't in the bot writers' interest to bother coding for them.

If you were going to include a honeypot link, however, you're probably better off hiding it from humans by making it practically invisible to humans, i.e. the smallest font with a color that matches the background or a 1-pixel image that matches the background. That at least makes it less likely that a human would inadvertently click the wrong link.

Justin Cave
  • 12,691
  • 3
  • 44
  • 53
1

Well, first off, this solution relies on a few assumptions about the robots that would be signing up to the site, mainly the assumption that the robot will follow the first link it finds in the email.

So would it just be following the first <A> tag it finds? If so, you could just leave the tag empty and hope the robot would pick up on it. Or if it follows the first non-empty <A> tag it finds then you could put the tag around some text and then hide the tag using CSS. Or if it follows the first visible non-empty <A> tag it finds...

And all of this assumes that the robots that would be attacking the site are generic robots that are not familiar with your sign-up process. If the robot comes back with an error to whoever is monitoring it saying it can't sign up, then the developer could very easily write code to workaround any such HTML tricks you might write.

Altogether, however, I think that it's not too much of a problem to tell the user that they should turn HTML on for even just the one email, it might keep robots out for at least a while before someone bothers to write the code to bypass it, and if you can hide a non-empty <A> tag before the real link then you might as well give it a try and see what happens!

Snorbuckle
  • 1,219
  • 1
  • 13
  • 8
  • It should also be noted that, unlike CAPTCHA, this trick would easily be picked up on and implemented by bots. Training a bot to read text images that are distorted and abused is relatively hard. – Kevin Peno Apr 21 '11 at 17:02
1

The best "CAPTCHA" of all is the one used by Gmail when someone tries to create a bulk of email accounts. You write your phone number, and select if you want a call or an SMS. They send you the code via call or SMS, and you write it in the form.

Obviously, this system has a cost, but I think it's the best.