Search Icon
Submissions

Understanding reCAPTCHAv2 via a Large-Scale Live User Study

Andrew Searles (University of California Irvine), Renascence Tarafder Prapty (University of California Irvine), Gene Tsudik (University of California Irvine)

Since 2003, CAPTCHAS have been widely used as a barrier against bots, while simultaneously annoying great multitudes of users worldwide. As the use of CAPTCHAS grew, techniques to defeat or bypass them kept improving. In response, CAPTCHAS themselves evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots and humans. Given this long-standing and still-ongoing arms race, it is important to investigate usability, solving performance, and user perceptions of modern CAPTCHAS. In this work, we do so via a large scale (over 3,600 distinct users) 13-month realworld user study and post-study survey. The study, conducted at a large public university, is based on a live account creation and password recovery service with currently prevalent CAPTCHA type: reCAPTCHAv2.

Results show that, with more attempts, users improve in solving checkbox CAPTCHAS. For website developers and user study designers, results indicate that the website context, i.e., whether the service is password recovery or account creation, directly influences (with statistically significant differences) CAPTCHA solving times. We consider the impact of participants’ major and education level, showing that certain majors exhibit better performance, while, in general, education level has a direct impact on solving time. Unsurprisingly, we discover that participants find image CAPTCHAS to be annoying, while checkbox CAPTCHAS are perceived as easy. We also show that, rated via System Usability Scale (SUS), image CAPTCHAS are viewed as “OK”, while checkbox CAPTCHAS are viewed as “good”.

Finally, we also explore the cost and security of reCAPTCHAv2 and conclude that it comes at an immense cost and offers practically no security. Overall, we believe that this study’s results prompt a natural conclusion: reCAPTCHAv2 and similar reCAPTCHA technology should be deprecated.

Paper

View More Papers

Secure Transformer Inference Made Non-interactive

Jiawen Zhang (Zhejiang University), Xinpeng Yang (Zhejiang University), Lipeng He (University of Waterloo), Kejia Chen (Zhejiang University), Wen-jie Lu (Zhejiang University), Yinghao Wang (Zhejiang University), Xiaoyang Hou (Zhejiang University), Jian Liu (Zhejiang University), Kui Ren (Zhejiang University), Xiaohu Yang (Zhejiang University)

Read More

CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP

Stefan Gast (Graz University of Technology), Hannes Weissteiner (Graz University of Technology), Robin Leander Schröder (Fraunhofer SIT, Darmstadt, Germany and Fraunhofer Austria, Vienna, Austria), Daniel Gruss (Graz University of Technology)

Read More

AegisSat: A Satellite Cybersecurity Testbed

Roee Idan, Roy Peled, Aviel Ben Siman Tov, Eli Markus, Boris Zadov, Ofir Chodeda, Yohai Fadida (Ben Gurion University of the Negev), Oliver Holschke, Jan Plachy (T-Labs (Research & Innovation)), Yuval Elovici, Asaf Shabtai (Ben Gurion University of the Negev)

Read More

Programmer's Perception of Sensitive Information in Code

Xinyao Ma, Ambarish Aniruddha Gurjar, Anesu Christopher Chaora, Tatiana R Ringenberg, L. Jean Camp (Luddy School of Informatics, Computing, and Engineering, Indiana University Bloomington)

Read More