DataDome looks to CAPTCHA the moment with test of humanity that doesn't hurt

Apple last month gave hope to a large segment of the mobile device-using population when it announced that the upcoming iOS 16 operating system will eliminate the requirement to use CAPTCHAs to verify their humanity before accessing a website.

The advent of the Automatic Verification feature will mean that users of iOS 16 devices will no longer have to hunt and peck when selecting which pictures in a set show a car or crosswalk, or decipher a distorted set of letters and numbers, to prove they are not a nefarious bot.

Instead, the OS will automatically verify devices and Apple ID accounts, without requiring user intervention. Apple's actions created such jubilant headlines as "A Eulogy for the CAPTCHA" (on Gawker) and "iOS verification update marks the end of 'captchas'" (The Guardian).

However, DataDome – a seven-year-old company whose job it is to protect websites, mobile apps and APIs from online fraud and automated threats (including bots) – doesn't believe the end of CAPTCHA is nigh. On Wednesday the company introduced its own CAPTCHA tool, which officials claim is faster and more secure than Google's reCAPTCHA (which DataDome has been using for several years) and offers better privacy and an improved user experience.

With other technologies it's developed, DataDome can automatically verify 99.99 percent of users without having to resort to CAPTCHA, co-founder and CEO Benjamin Fabre told The Register.

"When DataDome has some concern about the requests that might be automated, that might come from an attacker, then we will block the request and we can leverage in some situations CAPTCHA to prevent those bots and to grant access to the websites if it's a false positive," Fabre said. "In that case, 0.01 percent of the time, we use CAPTCHA to access the website."

• A great day for non-robots: iOS 16 will bypass CAPTCHAs
• Your AI can't tell you it's lying if it thinks it's telling the truth. That's a problem
• How CAPTCHAs can cloak phishing URLs in emails
• To CAPTCHA or not to CAPTCHA? Gartner analyst says OK — but don't be robotic about it

While developing its own CAPTCHA, DataDome listened to complaints from companies and users about reCAPTCHA. Surveyed sentiments ranged from a poor user experience – and a resulting impact on the conversion rate of ecommerce sites – to privacy, with the worry being that Google's main focus is ads and not security. Google also uses data from its reCAPTCHA service to train AI algorithms, Fabre said, adding that cybercriminals could use AI to train their bots to get around reCAPTCHA.

Another security concern: threat groups also use cheap labor in so-called "CAPTCHA farms" to answer a lot of CAPTCHA puzzles for low wages.

DataDome's CAPTCHA involves the user being shown a picture puzzle with a missing piece and sliding that piece into place. While loading and solving a Google reCAPTCHA takes an average of 22.1 seconds, the company says the average time to complete a DataDome CAPTCHA is 3.1 seconds.

The key to DataDome's verification tech is behavioral detection models that track a user's web session from the start – collecting signals ranging from the screen size and resolution of the device to the CPU or GPU it's running and the history of the pages that device goes to when on the site. If anomalies indicate a bot is trying to access the site, DataDome's technology may move the session to a CAPTCHA.

Even then, the signals will indicate whether it's the legitimate user or something else using DataDome CAPTCHA.

"It's not only about if the CAPTCHA is solved," Fabre said. "It is how you pass the CAPTCHA and that's what we are doing. It's behavioral detection. It's not just that you slide it properly, but how you slide on the page. How did you move your mouse on the page? What was your device? What was your policy? What was the size and the resolution of your screen? What's all the plugins set up on the device?"

DataDome is "collecting thousands of different signals to understand if the CAPTCHA was passed by the user or by a bot or by the human that is working for the bots," he said.

About 40 percent of DataDome's 250-plus enterprise customers – which include The New York Times, Tripadvisor, Reddit, and Foot Locker – are using the new CAPTCHA and more will adopt it, Fabre said.

Whether DataDome's technology calms the debate about CAPTCHA is unclear. Darryl MacLeod, vCISO at Lares Consulting, told The Register that the CAPTCHA ship has not sailed despite the criticism.

"CAPTCHA is still a very effective authentication tool," MacLeod said. "While it is true that there are other authentication methods available, CAPTCHA remains a popular option due to its ease of implementation and a high degree of security. Many users are already familiar with CAPTCHA and find it easy to use, so it is likely to remain in use for the foreseeable future."

Others are not as sure. Bud Broomhead, CEO of cybersecurity company Viakoo, told The Register that CAPTCHA doesn't fit in a world shifting to passwordless authentication and zero-trust architectures. In addition, Apple's Automatic Verification feature is the latest proof that certificates can scale as an authentication approach.

"It's always been a way to answer the question of whether the user is organic or silicon rather than a secure authentication method," Parkin told The Register. "While it may be possible to fix it, the question is whether it's worth fixing, or whether it's time to find a new solution." ®