Novel CAPTCHA Design based on Cognitive Factors

Proc. of Int. Conf. on Advances in Communication, Network, and Computing, CNC
Krishna Chaurasia, Mohit Singhaniya, Sowmya Jain and B Sivaselvan
IIITD&M Kancheepuram, Melakottaiyur, Chennai-127.
Abstract— Secure web applications such as email and e-commerce sites employ
CAPTCHAs to distinguish a human attempt to gain access to the service from one by
an automated robot (bot). The literature supports different types of CAPTCHAs such as
Gimpy, Question, Collage, etc. Usability Engineering, a key aspect of Human Computer
Interaction (HCI), focuses on creating solutions with usable interfaces. This paper addresses
usability issues in the domain of CAPTCHAs. A survey of existing types of CAPTCHAs is
presented and novel CAPTCHA designs from a usability perspective are proposed.
The proposed designs factor in cognitive issues and also attempt to explore a marketing /
awareness creation exercise, enhancing the difficulty level for the bot by
accommodating cognitive factors in the design while keeping the CAPTCHA usable for the
end user.
Index Terms— CAPTCHA, Cognitive, Human Computer Interaction, Usability.
I. INTRODUCTION
CAPTCHA, which stands for Completely Automated Public Turing Test To Tell Computers and Humans
Apart, evolved from the primary objective of having to differentiate human from automated robot attempts to
login / gain access to an authenticated system [1],[11]. Most successful and popular commercial websites
these days have some form of CAPTCHA in their process of authentication and hence reduce chances of bot
attempts. There are different types of CAPTCHAs such as Gimpy, Question, Aural, etc. that have evolved
over the years. All the CAPTCHAs that have evolved have primarily focused on making it extremely
difficult for the bot to crack the CAPTCHA, without complicating things for the user (human). With this
conflicting optimization goal of maximising the difficulty level for the bot while minimizing it for the
human, most CAPTCHAs have exploited the human capability of recognizing data which are not
complete, such as distorted / slanted text, blurred images, etc. The events of an online opinion poll on the best
graduate school, where efficient programmers were able to come up with programs that voted (multiple
times) for institutes of their choice, only highlight the need to have an element of human touch in the interaction
process of authentication between the human and the computer (possibly the website). The usability of HCI
solutions is enhanced by the characteristics of Learnability, Flexibility and Robustness. Not much work has
gone into analysing / enhancing the usability of CAPTCHAs along these characteristics [2],[3],[13]. Most
image based CAPTCHAs exploit the capability of the human, as opposed to the bot, to do quick and effective
segmentation among clutter. Usability Engineering is that field in HCI which focuses on creating useful,
usable and used products / solutions. This paper focuses on the design & development of a few novel
CAPTCHAs in line with the optimization goal described earlier. Section 2 details the various existing
CAPTCHAs such as Gimpy, ReCAPTCHA, Question, etc. [4], [5]. The proposed CAPTCHAs, which enhance
the usability experience of the user and the difficulty level for the bot, are presented in Section 3. Section 4
discusses the need for a framework for CAPTCHA evaluation and ideas for the same.
© Elsevier, 2014
Figure 1. GIMPY CAPTCHA
II. CAPTCHA TYPES - LITERATURE
A. GIMPY
These CAPTCHAs exploit the human capability of efficiently reading / interpreting distorted text / text
displayed in different orientations. The user is displayed an image involving 7 words from the dictionary
(displayed in a distorted and duplicated fashion) and is expected to enter any three unique distorted words
displayed in the CAPTCHA image. An example of such a CAPTCHA is given in Figure 1.
B. ReCAPTCHA
These types of CAPTCHAs are based on the principle of effectively using the human effort that goes into
recognizing distorted and hard to read (by the machine) characters [6],[10]. For instance, Google Books
effectively uses this as a mechanism to digitize scanned words that are otherwise unreadable.
Authentication systems employing ReCAPTCHA display two words, referred to as the Control and the
Unknown word. Entry to the application is based on the control word (dictionary based), whilst the
unknown word is the one that has to be digitized (words in old documents may have become distorted /
erased over a period of time). The unknown word is digitized and used as a future control word once a
threshold number of users have successfully identified it. An instance of such a ReCAPTCHA
is shown in Figure 2.
C. Drawing CAPTCHAs
This is based on the principle of prompting the user to connect specific dots that are displayed to him on a
noisy background / grid. The human eye would be capable of easily recognizing and connecting the dots as
desired by the prompt as opposed to the bot. This also exploits the exclusive human capacity of moving in a
grid in a random order, and being a mouse oriented CAPTCHA, it should have increased usability, as
illustrated in Figure 3.
D. Collage CAPTCHAs
These function on the principle of prompting the user to select (click via a mouse) a specific object from an
image composed of several objects [7]. The various objects in the image are displayed in a distorted fashion
to enhance the difficulty level for the bot, whilst utilizing the human capability to parse images in different
orientations. An example of such a CAPTCHA is given in Figure 4.
E. Question CAPTCHAs
Questions from varied domains are posed to the user as part of this CAPTCHA. The difficulty level of the
questions is kept straightforward for quick response by the human, whilst the domain and nature of the
question bring in the human touch to increase the difficulty level for the bot [8]. A simple but powerful
question CAPTCHA is given in Figure 5. An instance of an extremely usable design (achieving the objective
of CAPTCHA) could be “There are 3 pencils, 4 books and 1 mouse on the table.” The question could be “How
many stationery are there?” or “How many fruits are there?”, varying the difficulty level for the user / bot
respectively. The second question increases the cognitive aspect, wherein any attempt by the bot to predict
the count based on “how many” would be misled as a result of the domain knowledge requirement.
Figure 2. ReCAPTCHA
Figure 3. Drawing CAPTCHA
Figure 4. Collage CAPTCHA
Figure 5. Question CAPTCHA
F. Miscellaneous
The literature also identifies the use of Video CAPTCHAs, wherein users are presented with a video from which
they are expected to enter three words. The words can be entered even as the video is being played,
exploiting the domain knowledge of the user to identify objects in the video being rendered [9]. Aural
CAPTCHAs have distorted sound clips played back to the user, with the user prompted to enter the uttered
word(s). A variant or hybrid version of this is the aural question CAPTCHA, wherein the question
CAPTCHAs are played back in aural form. This would present the bot with the challenge of recognizing spoken
language, interpreting the question and solving the same, whilst the human counterpart would do so with
relative ease.
III. PROPOSED USABLE CAPTCHAS
Despite the existence of several and varied types of CAPTCHAs and their success rates, there have also been
instances of the test becoming difficult for the human being to pass as a result of badly designed
(distorted beyond human eye recognition) CAPTCHAs. This section deals with the different types of
CAPTCHAs that we propose, factoring in the usability, learnability and predictability aspects of HCI
Design [12].
A. Hybrid Question CAPTCHAs
As a build on the existing question (hybrid) CAPTCHA, it is proposed to have images displayed
to the user, who is prompted to respond with the name of the object in the image. It is intended to use the space
occupied by the CAPTCHAs for profitable marketing, wherein the images displayed relate to sponsors. This
would enhance the visibility of the product, with the product being advertised to the user in the process of
his solving the CAPTCHA. These may be referred to as Advertisement CAPTCHAs. An example of such a
CAPTCHA is given in Figure 6, in which case the question can be “Enter the Brand Name”, which also
serves as an advertisement both visually and as part of the CAPTCHA solving process.
B. Awareness CAPTCHAs
This class of CAPTCHAs can again be thought of as extensions to the question type. The question is framed
from an image that displays information about government policies / emergency contacts / other information
that would be of benefit to the society. This type of CAPTCHA aims at using the users’ effort in recognition
of images to spread awareness about some critical issues such as environmental degradation, world peace,
etc. An instance of such a CAPTCHA is given in Figure 7.
Figure 6. Hybrid Question CAPTCHA
Figure 7. Awareness CAPTCHA
C. Domain CAPTCHAs
It is intended to have images that are relevant for the audience. For instance, a website that requires
a CAPTCHA and presents computer science related information could have images / CAPTCHAs framed
from a computer science dictionary. For instance, in Figure 8 the user is prompted to enter the name of a
programming language, wherein the displayed image would include one programming language word and
other non domain words. The domain knowledge of the user in computer science, and in programming
specifically, would quickly lead him to the word that constitutes the CAPTCHA.
Figure 8. Domain CAPTCHA
Figure 9. Context CAPTCHA
D. Context CAPTCHAs
In this variant of the question type CAPTCHA, the user is prompted with a question that requires reasoning
based on facts in real life. For instance, the CAPTCHA in Figure 9 requires the user to relate the
actor's name to the relevant portion of the image.
E. Matching / Puzzle CAPTCHAs
The user will be displayed a sequence of words which he is expected to group / pair using context / real life
facts. An example of such a CAPTCHA is displayed in Figure 10, and the user would be mandated to identify
n out of m pairs correctly. Another instance of a Puzzle CAPTCHA is shown in Figure 11, wherein the user
would be expected to enter the solution to the puzzle in place, which is the number of objects in the order
24ifh73 (ifh is the text CAPTCHA, while the numbers are the counts of objects in a left to right direction).
Given the other possible predictions from the user, there has to be a learning phase associated with the use of
such CAPTCHAs, which could be in the form of demonstrations (on directions / clues) as to how the puzzle
can be solved, till it finds acceptance. Given that human beings can identify characters / images even in low
contrast, whereas low contrast increases the difficulty level for the bot, image CAPTCHAs can also exploit such human
centric features and achieve the overall objective.
Figure 10. Matching CAPTCHA
Figure 11. Puzzle CAPTCHA
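One way to score the "n out of m pairs" rule of the Matching CAPTCHA on the server, given as an added example that is not from the paper. It assumes two columns of m words with a one-to-one solution; the word pairs and function names are constructed for illustration, and `blind_guess_pass_rate` goes beyond the text by computing how often a uniformly random matching would pass, which helps when choosing n and m.

```python
from math import comb, factorial

# Constructed sample solution (left word -> right word); not the paper's Figure 10.
SOLUTION = {"pen": "ink", "lock": "key", "bow": "arrow", "needle": "thread"}

def derangements(k: int) -> int:
    """Number of permutations of k items in which no item keeps its place."""
    d = [1, 0]
    for i in range(2, k + 1):
        d.append((i - 1) * (d[i - 1] + d[i - 2]))
    return d[k]

def blind_guess_pass_rate(m: int, n: int) -> float:
    """Probability that a uniformly random one-to-one matching of m left
    words to m right words contains at least n correct pairs."""
    passing = sum(comb(m, k) * derangements(m - k) for k in range(n, m + 1))
    return passing / factorial(m)

def verify_matching(solution: dict, submitted: list, n: int) -> bool:
    """Accept a submission only if it is a valid (possibly partial)
    matching over the displayed words with at least n correct pairs."""
    pairs = [(l.strip().lower(), r.strip().lower()) for l, r in submitted]
    lefts = [l for l, _ in pairs]
    rights = [r for _, r in pairs]
    # Each word may be used once: otherwise a client that submits every
    # left/right combination would always include n correct pairs.
    if len(set(lefts)) != len(lefts) or len(set(rights)) != len(rights):
        return False
    # Only words that were actually displayed are accepted.
    if not set(lefts) <= set(solution) or not set(rights) <= set(solution.values()):
        return False
    return sum(solution[l] == r for l, r in pairs) >= n
```

With m = 4, requiring n = 2 lets a random matching through 7 times in 24, while n = 4 lowers that to 1 in 24.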
IV. METRICS FOR CAPTCHA EVALUATION
Most existing systems that use CAPTCHAs to sense human login support the option of refreshing
(requesting a fresh CAPTCHA) when the one currently displayed is too difficult to solve, while a
feasible solution would be to provide CAPTCHAs of either enhanced / reduced complexity based on
some predefined number of failed / successful attempts. Apart from this, evolving a framework for
evaluating CAPTCHAs on their usability, readability, predictability (by the user), and other factors could
enhance the experience of the user. Google’s similar effort in the domain of search engines resulted in
the PULSE and HEART frameworks, focusing on statistical / threshold and HCI / User Psychology measures
for evaluating search engines. Usability engineering related factors such as Learnability, Flexibility and
Robustness and other cognitive measures could be explored in the domain of CAPTCHA design and
evaluation. A few metrics along the lines of PULSE could be the time required by the user to crack the
CAPTCHA, the number of refreshes, the time and difficulty level of the CAPTCHA, etc. Cognitive measures would
only add value to the purpose of CAPTCHAs. The time required to solve domain v/s non domain CAPTCHAs,
the comfort levels of users with specific types of CAPTCHAs, etc. could be helpful HCI metrics for CAPTCHA
design. The facial expressions of the user in response to CAPTCHA solving session(s) could also give key
inputs on the usability of the CAPTCHA. An established cognitive / statistical metric will also contribute to
the design and development of Usable CAPTCHAs. The design of CAPTCHAs has primarily focused on
increasing the difficulty level for the bot and ease of user access. However, an established set of metrics could
result in an optimized framework for the bot and the human user.
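The per-attempt measures and the threshold-based change of level described above, sketched as an added example that is not the paper's code. The class, field names, five-level scale and sample attempts are constructed, and the direction of the level change, which the text leaves open, is a parameter.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Session:
    level: int = 2             # current difficulty level (assumed scale lo..hi)
    lo: int = 1
    hi: int = 5
    threshold: int = 3         # the "predefined number" of consecutive outcomes
    step_on_failures: int = 1  # +1 hardens after failures; -1 eases instead
    streak: int = 0            # >0 successes in a row, <0 failures in a row
    log: list = field(default_factory=list)

    def record(self, kind: str, seconds: float, refreshes: int, solved: bool) -> int:
        """Log one attempt, then change level once a streak reaches the threshold."""
        self.log.append((kind, self.level, seconds, refreshes, solved))
        if solved:
            self.streak = max(self.streak, 0) + 1
        else:
            self.streak = min(self.streak, 0) - 1
        if abs(self.streak) >= self.threshold:
            step = self.step_on_failures if self.streak < 0 else -self.step_on_failures
            self.level = min(self.hi, max(self.lo, self.level + step))
            self.streak = 0
        return self.level

def summarize(log: list) -> dict:
    """Per CAPTCHA kind: success rate, median solve time, refreshes per attempt."""
    out = {}
    for kind in sorted({row[0] for row in log}):
        rows = [r for r in log if r[0] == kind]
        solved_times = [r[2] for r in rows if r[4]]
        out[kind] = {
            "attempts": len(rows),
            "success_rate": sum(r[4] for r in rows) / len(rows),
            "median_solve_s": median(solved_times) if solved_times else None,
            "refreshes_per_attempt": sum(r[3] for r in rows) / len(rows),
        }
    return out

def demo() -> tuple:
    # Constructed sample attempts: (kind, seconds, refreshes, solved)
    sample = [("domain", 4.0, 0, True), ("domain", 5.0, 0, True),
              ("domain", 6.0, 1, True), ("non-domain", 9.0, 1, False),
              ("non-domain", 12.0, 2, False), ("non-domain", 15.0, 1, False),
              ("non-domain", 8.0, 0, True)]
    s = Session()
    levels = [s.record(*attempt) for attempt in sample]
    return levels, summarize(s.log)
```

Setting `step_on_failures=-1` gives the usability-first reading, where repeated failures lower the level; that setting eases the test for an automated solver as well, so the per-kind summary is worth tracking per client.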
V. CONCLUSION
Usability Engineering is an increasingly sought after trend in application development and more so in HCI.
The paper proposed variants of existing CAPTCHA types that accommodate more cognitive abilities of the
user such as inference, deduction, interpretation, etc. A more generic categorization on HCI measures and
specifics such as Learnability, Flexibility, Robustness, Synthesizability, etc. is being explored and shall be
reported in the future. As mentioned, attempts are in the direction of an HCI / Mathematical framework to
evaluate the success of CAPTCHAs with respect to the objective of telling Humans and Computers Apart,
which could serve as a template for the testable design of Cognitive CAPTCHAs.
REFERENCES
[1] K. A. Kluever and R. Zanibbi, “Balancing usability and security in a video CAPTCHA,” in Proceedings of the 5th
Symposium on Usable Privacy and Security, ser. SOUPS ’09. ACM, 2009, pp. 14:1–14:11.
[2] M. Shirali-Shahreza and S. Shirali-Shahreza, “CAPTCHA for blind people,” in Signal Processing and Information
Technology, 2007 IEEE International Symposium on, Dec. 2007, pp. 995–998.
[3] Collage CAPTCHA, 2007. [Online]. Available: http://dx.doi.org/10.1109/ISSPA.2007.4555329
[4] K. Chellapilla, K. Larson, P. Y. Simard, and M. Czerwinski, “Computers beat humans at single character
recognition in reading based human interaction proofs (hips),” in CEAS, 2005.
[5] A. Rusu and V. Govindaraju, “Handwritten CAPTCHA: Using the difference in the abilities of humans and
machines in reading handwritten words,” in Proceedings of the Ninth International Workshop on Frontiers in
Handwriting Recognition, ser. IWFHR ’04. IEEE Computer Society, 2004, pp. 226–231.
[6] M. Shirali-Shahreza and S. Shirali-Shahreza, “Question-based CAPTCHA,” in Proceedings of the International
Conference on Computational Intelligence and Multimedia Applications (ICCIMA 2007) - Volume 04, ser.
ICCIMA ’07. IEEE Computer Society, 2007, pp. 54–58.
[7] A. S. El Ahmad, J. Yan, and L. Marshall, “The robustness of a new CAPTCHA,” in Proceedings of the Third
European Workshop on System Security, ser. EUROSEC ’10. New York, NY, USA: ACM, 2010, pp. 36–41.
[8] J. Yan and A. S. El Ahmad, “Usability of CAPTCHAs or usability issues in CAPTCHA design,” in Proceedings of
the 4th symposium on Usable privacy and security, ser. SOUPS ’08. New York, NY, USA: ACM, 2008, pp. 44–52.
[9] R. Gossweiler, M. Kamvar, and S. Baluja, “What’s up CAPTCHA?: a CAPTCHA based on image orientation,” in
Proceedings of the 18th international conference on World wide web, ser. WWW ’09. New York, NY, USA: ACM,
2009, pp. 841–850.
[10] L. von Ahn, B. Maurer, C. McMillen, D. Abraham, and M. Blum, “reCAPTCHA: Human-based character
recognition via web security measures,” Science, vol. 321, no. 5895, pp. 1465–1468, 2008.
[11] L. von Ahn, M. Blum, and J. Langford, “Telling humans and computers apart automatically,” Commun. ACM, vol.
47, no. 2, pp. 56–60, Feb. 2004.
[12] J. Nielsen, “Usability 101: Introduction to usability,” Jakob Nielsen's Alertbox, 2003.
[13] www.w3.org/TR/turingtest, “Inaccessibility of CAPTCHA: alternatives to visual Turing tests on the web,” W3C
Working Group note.