• Samuel Proulx@rblind.comOPM
      link
      fedilink
      English
      arrow-up
      7
      ·
      30 days ago

      Proof of work is pretty good. Also, email and phone number verification can reduce the need for this type of verification at all. Similarly, punting the problem to someone else and allowing login via Apple/Facebook/other open ID provider can help. Apple also has a system for verifying that a request comes from a real apple device that services like cloudflare use. But if you have to do it yourself, the key is offering a visual captcha, an audio captcha, and a text-based captcha. Also, try to maintain a trust score for both accounts and IP addresses. Captchas have to made so difficult today to keep out the bots that you need to make sure your users only have to solve them once. As well, if I know the captcha will only happen once, while it’s not ideal, I could request help with it. But if the captcha is on every login, or once a day or whatever, I can’t. Between proof of work, rate limiting, and email verification, and trust scores, 99 percent of captchas aren’t needed and aren’t doing anything. So the first step is understanding the problem you’re trying to solve, and determining if a captcha is the best way to solve it at all. It probably isn’t.

      • CameronDev@programming.dev
        link
        fedilink
        English
        arrow-up
        4
        ·
        29 days ago

        Thanks for that info. Fortunately, I probably wont ever need to implement any form of anti-bot myself, but still good to know what works well.

        Captchas are definitely getting very hard, even for non-blind users. Getting “Click on all the bicycles” and missing the 5 pixels tall bike and having to restart is very frustrating.