Study finds that bots can outperform humans in almost all Captcha tests

Why it matters: The usefulness of Captcha tests depends on their ability to deter bots without significantly inconveniencing human users. Although not yet peer-reviewed, the results of a new study comparing how humans and bots complete Captchas could cast more doubt on how well they fulfill their intended purpose.

A recent study analyzing how quickly users solve Captcha tests reveals that they are almost always slower and less accurate than bots. Captchas are supposed to be relatively simple for humans but impossible for bots, so the study's results could throw the authentication test's utility into question.

Captchas are a minor annoyance users tolerate on many websites because they supposedly stem malicious actors from accessing services at scale. Helping to ensure that traffic metrics reflect activity from real humans, they're meant to prevent DDoS attacks, spam accounts, and data scraping.

Tests like discerning distorted text, sliding puzzle pieces, or identifying objects are designed to focus on tasks humans are good at, but bots struggle with. However, Captchas have been in a constant arms race against bots created to solve and circumvent them. The recent results from researchers at UC Irvine indicate that bots may already have the upper hand.

After observing how 1,400 participants solved 14,000 Captchas of six different types, the researchers found that the gap between human and bot performance varied significantly depending on the test. Distorted text Captchas are perhaps the least useful, as bots solved them in less than one second with almost perfect accuracy, while humans could take up to 15 seconds with between 50 and 84 percent accuracy.

Bots had the most trouble with image-based reCAPTCHA tests but could still solve them with 85 percent accuracy more quickly than most humans. The study couldn't obtain accurate information from Geetest's sliding puzzles or the rotation Captchas from Arkose Labs, so how bots compared to humans on those tests is unclear.

The study also shows that Captcha performance varies markedly among humans based on age, internet use, education, and other factors. Older study participants tended to be slower, but users with PhDs outperformed everyone else, suggesting higher education is the most significant factor.

Cloudflare believes that Captchas have long been useless, taking too long for humans to solve and inconveniencing the visually challenged. Some can also retain personal user information like phone numbers or device fingerprints. Cloudflare, Google, Apple, and other groups have spent years trying to offer alternatives for fighting bots.