Captcha Goes Real Time to Fool Machine Learning
The next thing in biometric authentication could be a new version of something already familiar to web users — Captcha, the tried, true and too often maddening method of convincing a site you’re not a bot by typing in distorted letters and numbers on the screen.
Researchers at the Georgia Institute of Technology, working with funding from the U.S. military, have developed what they call Real-Time Captcha, a technique that combines authentication techniques into one interaction, requiring the user to look into a smartphone’s camera and spot and answer a random question, while the program matches the user’s face and voice to pre-recorded settings. In essence, the program asks a question and then watches and listens as the user answers it.
The big advantage to the system, researchers say, is speed. Human users can get through the process faster than an artificial intelligence or machine reading program can answer the question, while finding and/or manipulating an image or voice recording. In tests with 30 subjects, human users handled the challenge in a second or less, while even the fastest machines took between 6 and 10 seconds, making it fairly easy to determine if the authentication is being attempted by a human or a bot.
“If the attacker knows that authentication is based on recognizing a face, they can use an algorithm to synthesize a fake image to impersonate the real user,” said Wenke Lee, a computer science professor and co-director of the Georgia Tech Institute for Information Security and Privacy. “But by presenting a randomly-selected challenge embedded in a Captcha image, we can prevent the attacker from knowing what to expect. The security of our system comes from a challenge that is easy for a human, but difficult for a machine.”
Captcha — a word originating as an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart — grew out of hackers’ efforts to slip through internet filters by substituting symbols for letters, and came into wide use in the early 2000s as a way to confound automated bots trying to pose as people when submitting a web form to, say, buy tickets, post a comment or sign up for a service.
But it has not always worked perfectly, to put it kindly. Sometimes, it doesn’t work at all.
As detailed at The Balance, some Captcha programs differentiate between upper and lower case, but some don’t. Use of some fonts can lead to confusion between an uppercase “I” (sounds like “eye”), a lowercase “l” (“el”) or the number 1. Zero and the letter O can get mixed up, as can numbers such as 2 and 5, and 6 and 8, when squiggled to extremes. Some programs also deter hackers by having the code expire fairly quickly, so after a few minutes, nothing you try will work, and the only option is to give up.
And as machines got better at beating Captcha, some programs only got more complicated. In 2014, Google abandoned Captcha and replaced with a button that says, “I am not a robot.” When it works, it works well, but many people really don’t like Captcha.
Nevertheless, hackers and their bots are still out there, and smartphone face-recognition systems can be hacked, so more than one level of authentication is necessary. And Real-Time Captcha, based on what Georgia Tech researchers have shown, could be somewhat different. Responses are verbal and visual, and are used in addition to image and audio authentication that could be stolen from devices or faked by modified images, video or voice recordings. It also has a short time limit machines can’t match.
“The attackers now know what to expect with authentication that asks them to smile or blink, so they can produce a blinking model or smiling face in real time relatively easily,” said Erkam Uzun, a Georgia Tech graduate research and lead author of the team’s paper, which was presented at the recent Network and Distributed Systems Security Symposium 2018 in San Diego. “We are making the challenge harder by sending users unpredictable requests and limiting the response time to rule out machine interaction.”
The challenges could be unscrambling letters or solving easy math problems, giving the answer before a machine could even recognize the question.
“Using face recognition alone for authentication is probably not strong enough,” Lee said, “We want to combine that with Captcha, a proven technology. If you combine the two, that will make face recognition technology much stronger.”
The Georgia Tech research is backed by the Office of Naval Research and the Defense Advanced Research Projects Agency, both of which have an interest in developing mobile device authentication techniques for the military.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Biden Signs New Tech Executive Orders Before Departing Office
Joe Biden signed two new executive orders this week promoting future cyber and AI priorities before Donald Trump takes office Monday.
5m read -
DODIN Strategy Aims to Outpace Cyber Threats
JFHQ-DODIN Commander Lt. Gen. Paul Stanton says the new "How We Prevail" plan moves from reactive defense to proactive threat mitigation.
4m read -
Preparing for the Future Cyber Landscape
CISA, CFPB and Rubrik discuss how they’re building cybersecurity best practices and developing their workforces to prepare for the future threat landscape and bolster cyber resilience.
30m watch -
Air Force Chief: Modernization Is Critical to Maintaining Superiority
Air Force Secretary Frank Kendall cites AI, automation and cyber resilience as key modernization components to outpace China by 2050.
3m read