
Humanity verification

Apps designed for human users can protect against application attacks by verifying the likelihood of a user being human. This verification can occur early in the user journey or be delayed until the user attempts an action that is costly to process or sensitive in nature.

Telling humans and bots apart is a difficult problem that requires balancing security, privacy, usability, and accessibility. No method is 100% accurate, but, depending on your threat model, the following tests can be sufficiently difficult and expensive to be effective indicators of a user’s likelihood of being human.

CAPTCHAs

A CAPTCHA is a challenge-response test to determine whether a user is human. Although not as effective as they once were, and despite the accessibility and usability issues they pose, CAPTCHAs still make such attacks more challenging and expensive for the attacker.

Attackers can build the capability to solve CAPTCHAs in-house or use a CAPTCHA solving service. Either way, this is possible with the use of Machine Learning and/or low-paid workers. Large Language Models (LLMs) can solve CAPTCHAs too, but not at scale yet.

Turnkey CAPTCHA products include:

Pricing provided by CAPTCHA solving services is a reliable indicator of the CAPTCHA’s efficacy; the more it costs to solve, the more effective the CAPTCHA is likely to be.
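The puzzle itself is whatever CAPTCHA product you deploy; what the server side has to get right is the challenge-response bookkeeping and the "delay until a costly action" policy described in the introduction. The following is an added example, not code from the page or from any CAPTCHA vendor: every challenge is bound to one session, expires after a short TTL, and is consumed on the first verification attempt, so a solved answer cannot be replayed or brute-forced. The action names, TTLs and the in-memory store are assumptions (a production deployment would use a shared store such as Redis).

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example (not from the original page): server side of a CAPTCHA-style
# challenge-response test plus a step-up policy that only gates costly actions.

CHALLENGE_TTL_SECONDS = 120          # assumed value
HUMAN_CHECK_VALID_SECONDS = 15 * 60  # assumed value: how long a passed check is trusted
COSTLY_ACTIONS = {"password_reset", "export_report", "send_message"}  # assumed names


def needs_human_check(action: str, last_passed_at: Optional[float], now: float) -> bool:
    """Gate only actions that are expensive to process or sensitive, and only when the
    session has not passed a humanity check recently."""
    if action not in COSTLY_ACTIONS:
        return False
    if last_passed_at is None:
        return True
    return now - last_passed_at > HUMAN_CHECK_VALID_SECONDS


class ChallengeStore:
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        # challenge_id -> (session_id, answer_mac, expires_at); in-memory for the demo
        self._pending: Dict[str, Tuple[str, bytes, float]] = {}

    def _mac(self, answer: str) -> bytes:
        # CAPTCHA answers are usually case-insensitive; normalise before keying so the
        # stored value is an HMAC rather than the plaintext solution
        normalised = answer.strip().upper().encode()
        return hmac.new(self._secret, normalised, "sha256").digest()

    def issue(self, session_id: str, expected_answer: str) -> str:
        """Register a freshly generated puzzle's solution and return its opaque id."""
        challenge_id = secrets.token_urlsafe(16)
        expires_at = self._clock() + CHALLENGE_TTL_SECONDS
        self._pending[challenge_id] = (session_id, self._mac(expected_answer), expires_at)
        return challenge_id

    def verify(self, session_id: str, challenge_id: str, answer: str) -> bool:
        # pop() makes the challenge single-use whether or not the answer is right, so a
        # wrong guess cannot be retried and a correct one cannot be replayed
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        owner, expected_mac, expires_at = entry
        if self._clock() > expires_at:
            return False
        if not hmac.compare_digest(owner.encode(), session_id.encode()):
            return False
        return hmac.compare_digest(expected_mac, self._mac(answer))

    def purge_expired(self) -> int:
        """Drop challenges that were never answered; returns how many were removed."""
        now = self._clock()
        stale = [cid for cid, (_, _, exp) in self._pending.items() if exp < now]
        for cid in stale:
            del self._pending[cid]
        return len(stale)
```

Because `verify` consumes the challenge before checking the answer, an attacker who scripts the form gets exactly one guess per puzzle served, which is the property that makes solving services cost money per challenge rather than per account.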

Environment and behaviour analysis

Some solutions use a combination of signals to determine whether a user is human without any user interaction, except in the most suspicious cases where the user may be asked to click or tap a checkbox. These signals include IP reputation, operating system or browser fingerprinting, and the user’s interaction with the app. The output of the test is a score that indicates the likelihood of the user being human and not malicious.

Turnkey solutions include:

Like CAPTCHAs, these too can be defeated by CAPTCHA solving services.

Remote attestation

This is a process by which a device cryptographically proves its identity, hardware configuration, software integrity, and security posture, to a remote verifier. Remote attestation leverages secure, embedded hardware components like Apple’s Secure Enclave, and its availability varies by system:

  • Android offers the Play Integrity API.
  • Apple offers the DeviceCheck services.
  • No other mainstream platform provides a turnkey solution, but partial solutions could be built using the hardware’s attestation functionality directly. However, we wouldn’t recommend this as it can be a complicated exercise, and Intel SGX, one of the most widely available implementations, is riddled with flaws.

Remote attestation can be used to verify that the client is running on a genuine device designed for humans (e.g. laptop, smartphone), as opposed to a headless computer (e.g. server, router), which can be a proxy for the user being human.

It should be noted that the use of remote attestation is controversial, as it has the potential to limit competition and innovation, and degrade the user experience of those using incompatible systems (e.g. Linux).

See also app attestation.

Private Access Tokens

Private Access Tokens (PATs) are a privacy-preserving protocol for remote attestation on the Web. It’s based on Privacy Pass, a more generic protocol for replacing CAPTCHAs on the Internet (not just the Web).

PATs are only supported by recent Apple devices; neither Google nor Microsoft has publicly expressed any interest in the protocol as of early 2024. They’re also supported by reverse proxies (i.e. Cloudflare and Fastly), and hCaptcha.

Like remote attestation in general, PATs have been criticised for their potential to limit competition and innovation, and degrade the user experience of those using incompatible systems.
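From the origin's point of view, a PAT deployment is the Privacy Pass HTTP authentication scheme: the server answers an unauthenticated request with a `WWW-Authenticate: PrivateToken` challenge, the device's attester and the issuer produce a token out of band, and the client retries with an `Authorization: PrivateToken` header. The following is an added example, not code from the page, Cloudflare, Fastly or Apple, written from RFC 9577 (TokenChallenge and the header format) and RFC 9578 (token type 0x0002, publicly verifiable RSA blind signatures). It encodes and parses the challenge and checks the two bindings a verifier must enforce (challenge digest and issuer key id); the RSA blind-signature check of the `authenticator` field needs the issuer's public key and is left to a library. The issuer and origin names and the key bytes are constructed placeholders, and keeping the base64url padding is this example's reading of the spec.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# Added example (not the page's or any vendor's code): origin side of the Privacy Pass
# "PrivateToken" HTTP authentication scheme used by Private Access Tokens.

TOKEN_TYPE_BLIND_RSA = 0x0002  # RFC 9578 publicly verifiable token type
NK_BLIND_RSA = 256             # authenticator length for that type (RSA-2048 signature)
TOKEN_HEADER_LEN = 2 + 32 + 32 + 32  # token_type, nonce, challenge_digest, token_key_id


def encode_challenge(token_type: int, issuer_name: str, redemption_context: bytes, origin_info: str) -> bytes:
    """Serialise a TokenChallenge with TLS-style length prefixes:
    uint16 token_type; opaque issuer_name<1..2^16-1>;
    opaque redemption_context<0..32>; opaque origin_info<0..2^16-1>."""
    if len(redemption_context) not in (0, 32):
        raise ValueError("redemption_context must be empty or exactly 32 bytes")
    name = issuer_name.encode("ascii")
    if not name:
        raise ValueError("issuer_name must be non-empty")
    origin = origin_info.encode("ascii")
    return (struct.pack(">H", token_type)
            + struct.pack(">H", len(name)) + name
            + struct.pack(">B", len(redemption_context)) + redemption_context
            + struct.pack(">H", len(origin)) + origin)


def decode_challenge(data: bytes) -> Tuple[int, str, bytes, str]:
    """Inverse of encode_challenge with bounds checks; rejects trailing bytes."""
    offset = 0

    def take(n: int) -> bytes:
        nonlocal offset
        if offset + n > len(data):
            raise ValueError("truncated TokenChallenge")
        chunk = data[offset:offset + n]
        offset += n
        return chunk

    token_type = struct.unpack(">H", take(2))[0]
    name = take(struct.unpack(">H", take(2))[0])
    context = take(take(1)[0])
    origin = take(struct.unpack(">H", take(2))[0])
    if offset != len(data):
        raise ValueError("trailing bytes after TokenChallenge")
    if not name or len(context) not in (0, 32):
        raise ValueError("malformed TokenChallenge")
    return token_type, name.decode("ascii"), context, origin.decode("ascii")


def new_redemption_context() -> bytes:
    # A fresh per-request context makes each challenge, and so each token, single-use
    return secrets.token_bytes(32)


def www_authenticate_header(challenge: bytes, token_key: bytes) -> str:
    """Header value the origin sends; both attributes are base64url (RFC 4648 section 5).
    Padding is kept here (this example's reading of RFC 9577)."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode("ascii")
    return f'PrivateToken challenge="{b64(challenge)}", token-key="{b64(token_key)}"'


def check_token_binding(token: bytes, challenge: bytes, token_key: bytes) -> Optional[bytes]:
    """Parse a type-0x0002 Token and confirm it is bound to our challenge and to the
    issuer key we advertised. Returns the authenticator (blind RSA signature over the
    98-byte header) for a crypto library to verify, or None if any binding fails."""
    if len(token) != TOKEN_HEADER_LEN + NK_BLIND_RSA:
        return None
    token_type = struct.unpack(">H", token[:2])[0]
    challenge_digest = token[34:66]   # nonce occupies token[2:34]; record it to stop double-spend
    token_key_id = token[66:98]
    authenticator = token[98:]
    if token_type != TOKEN_TYPE_BLIND_RSA:
        return None
    if not hmac.compare_digest(challenge_digest, hashlib.sha256(challenge).digest()):
        return None
    if not hmac.compare_digest(token_key_id, hashlib.sha256(token_key).digest()):
        return None
    return authenticator
```

The origin never learns which device or account produced the token, only that an issuer it trusts signed a token for this exact challenge; that is what makes the scheme privacy-preserving, and also why a deployment must still track nonces to reject a token presented twice.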

User presence tests

User presence tests are challenges that require the user to demonstrate their presence by physically interacting with a secure hardware device, such as a YubiKey or the fingerprint reader on a smartphone. This may be as close as we can get to verifying that a human is performing a particular action.

To defeat these tests, an attacker would need to operate a click farm with many such devices, and automate their use through low-paid workers or robots. This is expensive and difficult to scale, especially when the number of operations performed in a given time frame is limited.

Cryptographic Attestation of Personhood

The Cryptographic Attestation of Personhood (CAP) is a novel, privacy-preserving, user presence test, and the only such protocol to be operational as of this writing. It leverages the WebAuthn standard, so it’s only available in Web browsers.

CAP is currently only supported by Cloudflare, but they’ve made the core of the protocol available as an open source library.

A proof of concept of a click farm to defeat CAP has been documented, highlighting the difficulty of scaling such an operation.
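What a WebAuthn-based presence test actually checks on the server is small: the authenticator data returned by the browser is a 37-byte header (SHA-256 of the relying party ID, a flags byte, a signature counter) optionally followed by attested credential data (AAGUID, credential ID, credential public key), and the `UP` flag is only set after the authenticator observed a physical gesture. The following is an added example, not Cloudflare's CAP library, showing that parse and the checks it enables; CAP additionally verifies the attestation statement's certificate chain to confirm the device comes from an accepted manufacturer, which is outside this snippet, and the AAGUID filter below is only meaningful after that chain has been verified. The `make_authenticator_data` fixture and the RP ID and AAGUID values are constructed for the demonstration.

```python
import hashlib
import struct
from typing import Optional, Set

# Added example (not Cloudflare's CAP code): server-side parse of WebAuthn
# authenticator data and the user-presence check built on it.

FLAG_UP = 0x01  # user present: a physical gesture was observed
FLAG_UV = 0x04  # user verified (PIN/biometric); stronger than presence, not required here
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data is present


def parse_authenticator_data(data: bytes) -> dict:
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    parsed = {
        "rp_id_hash": data[:32],
        "flags": data[32],
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    offset = 37
    if parsed["flags"] & FLAG_AT:
        if len(data) < offset + 18:
            raise ValueError("truncated attested credential data")
        parsed["aaguid"] = data[offset:offset + 16]
        offset += 16
        cred_len = struct.unpack(">H", data[offset:offset + 2])[0]
        offset += 2
        if len(data) < offset + cred_len:
            raise ValueError("truncated credential id")
        parsed["credential_id"] = data[offset:offset + cred_len]
        # the COSE credential public key (CBOR) follows; not needed for a presence check
    return parsed


def user_presence_ok(data: bytes, rp_id: str, accepted_aaguids: Optional[Set[bytes]] = None) -> bool:
    """True only if the assertion is for our relying party, the authenticator reports a
    physical gesture, and (optionally) the authenticator model is on an allow-list."""
    try:
        ad = parse_authenticator_data(data)
    except ValueError:
        return False
    # binds the response to this site: an authenticator answering for another origin
    # hashes a different RP ID
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode("ascii")).digest():
        return False
    if not ad["flags"] & FLAG_UP:
        return False
    if accepted_aaguids is not None and ad["aaguid"] not in accepted_aaguids:
        return False
    return True


def make_authenticator_data(rp_id: str, flags: int, sign_count: int,
                            aaguid: Optional[bytes] = None, credential_id: bytes = b"") -> bytes:
    """Constructed fixture standing in for what a browser returns; a real authenticator
    also appends the CBOR public key when FLAG_AT is set."""
    out = hashlib.sha256(rp_id.encode("ascii")).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        if aaguid is None or len(aaguid) != 16:
            raise ValueError("FLAG_AT requires a 16-byte AAGUID")
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id
    return out
```

The signature counter is parsed but not enforced here: CAP runs a fresh registration ceremony per challenge rather than tracking a per-user credential, so there is no previous value to compare against. In an ordinary WebAuthn login, a counter that fails to increase is a signal that the authenticator may have been cloned.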

User presence tests in native apps

There’s currently no turnkey solution for user presence tests in native apps. However, it should be possible to create a version of CAP that doesn’t use WebAuthn.

Proof of Personhood

Proof of Personhood (PoP) is, in theory, the ultimate form of humanity verification. In practice, the reliability of each solution is determined by the quality of the signals used (e.g. biometrics, government-issued ID documents, social connections).

PoP is simply mentioned here for completeness, but we strongly advise against using any PoP solution to mitigate DDoS attacks. Whilst promising, this field isn’t mature enough, lacks any meaningful adoption, and its flagship solution poses significant privacy concerns.

See also