Industry · · 7 min read

In Devices We Trust: Improving CAPTCHA Friction

Are your users annoyed by constantly being hit with CAPTCHAs? Find out what how you can improve the user experience while keeping your site secure

In Devices We Trust: Improving CAPTCHA Friction

In previous articles we’ve discussed different options for CAPTCHAs and which types of fraud and abuse they protect from. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure designed to prevent automated bots from interacting with websites in harmful ways. However, their frequent appearance can negatively affect user experience. Users may need to solve a CAPTCHA every time they perform certain actions, leading to frustration and potentially causing them to leave your site.

One potential solution to this problem is implementing a 'Device Trust' system, which can significantly reduce the frequency of CAPTCHA prompts for returning users. Analogous to how your login session is preserved after entering correct credentials, we can use a similar concept to store the state of a successfully completed CAPTCHA.

So how ‘Device Trust’ can be implemented, and what are some technical considerations? Simply put, 'Device Trust' is a way to identify a device as 'trusted' once a user has successfully completed a CAPTCHA. When this is done, the user’s device will no longer be prompted for CAPTCHAs until a given time has passed. Implementing this scheme has several benefits:

Implementation

Below is a high-level outline of how a device trust scheme is implemented. In the steps below I’m using Google’s reCAPTCHA, but it’ll work with any provider as the general interface is similar between them.

Trusting devices that completed a CAPTCHA, for a better user experience

Step 1: Set up reCAPTCHA for your site

First, sign up for a reCAPTCHA API key pair for your site. Once you've got your Site key and Secret key, you can embed the reCAPTCHA widget in your website. To implement the step where you present the CAPTCHA to the user, you need to build a special page that is used for this purpose, and which the server can redirect to in case a CAPTCHA is necessary (similar to the login page for unauthenticated users).

In order to explicitly render the CAPTCHA prompt, instead of relying on automatic detection, use the grecaptcha.render() method.

Step 2: Implementing reCAPTCHA Verification

After a user interacts with the reCAPTCHA widget and submits the form on your site, the user's response will be checked by Google's servers. If the response is successful, Google sends a g-recaptcha-response token to your backend. To complete the verification use the `verify` call to verify the token.

Step 3: Trusting a Device

Once the g-recaptcha-response is verified, the server can set a secure, HTTP-only cookie in the user's browser. This cookie is a signifier that the user has passed the CAPTCHA previously, and their device can be 'trusted'. Be sure to give the cookie an appropriate expiration time - the exact length can depend on your specific security requirements.

There are two (or three) options for implementing the part of managing trusted device state:

  1. Using and storing a secure HTTP-only cookie in the browser. This has the benefit of being easier to implement, but gives you less control, e.g. for revoking trusted devices – and in a multi-server environment you need to make sure that all servers share the same encryption keys
  2. Generate a UUID and store this in a cookie + database. By using something like Redis or Memcached you can store this UUID with an automatic expiration date according to your preference. This approach involves a more complex implementation, but gives you more control to e.g. revoke already trusted devices.
  3. Alternatively, you could store the trusted state in the user's session. Although this won't maintain a trusted device status across multiple login sessions, it can effectively reduce friction for sensitive in-app actions that would usually prompt a CAPTCHA.

Step 4: Checking for Trust

Whenever the user performs an action that you’d like to protect, such as a login, settings change or a withdrawal, instead of directly invoking a CAPTCHA test, your server should first check for the presence of and then validate the 'trusted' cookie before presenting the CAPTCHA. If the cookie is found and valid, the user can continue without having to solve it.

Step 5: Handling Cookie Expiry and Renewal

Over time, the 'trusted' cookie will expire. When this happens, and the next time the user performs a significant action, the server should prompt for a CAPTCHA once again. Upon successful completion, the server should renew the 'trusted' cookie.

It’s important to remember that cookies are device-specific. If a user switches devices or browsers, they may have to complete a CAPTCHA again to 'trust' the new device.

Choosing Expiration Time

Choosing an appropriate expiration time for a 'trusted' device cookie or token can be a balancing act between enhancing user convenience and maintaining system security. The perfect balance depends largely on the nature of your business and the user behavior. It’s also possible to change the expiration dynamically, based on the user’s general trust level, as discussed in the “Trust Progression” section of our post on Using Zero Trust to reduce fraud and abuse. Below are some factors to consider:

1. Nature of the Business:

2. User Behavior:

3. Security Concerns:

Monitoring and Adjusting

It’s highly recommended that you monitor the performance of your CAPTCHA implementation, and if the Device Trust scheme affects the user experience positively, then you can make appropriate adjustments. Monitoring can help you identify and address issues before they become significant problems. E.g. if there's a sudden spike in failed logins or CAPTCHA challenges, it might indicate a bot attack or another form of malicious activity.

1. Metrics to Monitor:

First, define what metrics you need to monitor. These can include:

2. Analyzing the Data:

Collect and analyze the data on a regular basis. Use statistical analysis and data visualization tools to identify trends and correlations.

3. Making Adjustments:

Based on the data, you can make informed decisions about adjusting your device trust system. For example, if you find that users are frequently facing CAPTCHA challenges despite being regular visitors, you might decide to extend the trust expiration time.

4. A/B Testing:

Consider running A/B tests to find the optimal settings. For instance, you could use two different expiration times for different groups of users and see which one results in a better balance between user experience and security.

5. Continuous Monitoring:

Remember that what works best may change over time as your user behavior, business needs, and threat landscape evolve. Therefore, you should repeat this process of monitoring, analyzing, and adjusting on a regular basis.

By measuring and analyzing these metrics, you can strike a healthy balance between user experience and security. This data-driven approach allows you to make evidence-based decisions and continually optimize your device trust system.

Security considerations

While the solution outlined above is generally secure, there is a possibility that an attacker can solve the CAPTCHA once to obtain the device trust cookie, and then re-use this in a script to bypass CAPTCHAs until the cookie expires. In order to mitigate this risk there are a few options that will make it harder for an attacker:

Conclusion

Implementing a 'Device Trust' system using reCAPTCHA can be a significant step in enhancing user experience on your platform. By reducing the frequency of CAPTCHA challenges for returning users, you retain necessary security measures while ensuring your site remains user-friendly. As with all security measures, it's essential to monitor the system for any potential exploits and make updates as necessary to maintain the balance between security and user experience.

With Castle, you can implement and manage a scheme for trusting devices, as well as get continuous monitoring of performance, with minimal effort. Sign up for a free trial to explore how you can reduce friction for your users.

Read next