I am not a bot! I am a human being! I am a man!

December 15, 2014




Historically, risk systems have used the context (such as IP address, time of day, etc) of an authentication event to complement & supplement the actual (likely password-based) login. Such models have been particularly popular in the financial industry.


In such systems, the context is collected and analyzed (mostly compared to the known past pattern) to determine whether the initial login is sufficient for whatever access is being requested (purchase stocks etc). In this model, the explicit login is primary, and the implicit context secondary.

We in Ping's CTO Office have been predicting that context will become more important in the near future, in time actually providing sufficient assurance that an explicit login might not be necessary, or at least not as often. From the user's PoV, context-based authentication is painless, even 'free' - they needn't enter any credentials, or even swipe their fingerprints.


The trend is represented in the diagram.


As a concrete example of this trend, consider the new version of Google's reCAPTCHA service. If ever there was a task that wasn't painless, surely it's completing captchas. Almost by definition, it would seem captchas have to be painful if they are to successfully differentiate humans from bots.


The new version of reCAPTCHA destroys that notion. Compare the old captcha (on the left) to the new (on the right).


Botblog-2.png Botblog-3-a.png


By default, the new version's test of humanity requires the user only click a "I'm not a robot" checkbox. Google actually describes the new model as requiring 'No CAPTCHA'.


But how is this possible? Surely a bot can click the box and so impersonate a human user?


The reCAPTCHA blog explains how


"we developed an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user's entire engagement with the CAPTCHA--before, during, and after--to determine whether that user is a human. This enables us to rely less on typing distorted text and, in turn, offer a better experience for users."


With the new version, less important than the act of checking the box is how the box is checked, ie how long it takes from initial page load etc.


Botblog-4-a.pngWhat used to be an onerous task for users is turned into a simple click. The risk engine running silently in the background analyzes the context of that click and only when the context proves insufficient for identifying a human, is a more traditional captcha test displayed (as shown).


Imagine applying the model to authentication (where the requirement is identifying a particular human, and not the category) -  it would be a password login where the actual string entered was meaningless, and the real means of verifying the user is how they typed it (overall speed, delay between key strokes, hesitation as they try to find 'Q' with their left pinkie, etc).


And if doesn't matter what string the user typed in the box, then why have them type it at all? Instead, why not collect the context from their normal typing? And do so constantly. And also constantly check lots of other contextual information and compare it to what you expect. That is the continuous authentication proposition - constantly assess the user's context (in the application, in the household, on their phone) in order to validate their claimed identity.


Trivially easy captchas, invisible & seamless authentication - what are we going to do with all the time we save?