[derefr]

You could embed a very-lightweight crypto-miner script into the page, with explicit UI acknowledgement (i.e. it starts when the user presses the "Verify" button, it displays that it's working and how hard it's working; and it runs until it produces exactly one target hash, at which point it clearly stops), and targeting an artificially-tuned difficulty such that a regular PC should be capable of completing in a minute or two (rather than trying to actually mine for any real blockchain network, which would require absurdly-high hash power.)

This is basically how "e-stamp" system proposals were supposed to work for email; but they never took off because email is an ossified system. The web is not ossified; individual websites are free to implement something like this.

If you're worried about spammers just throwing a GPU farm at the problem: the overlap between spammers and people who own crypto-mining operations is small; and the people who own crypto-mining operations have much-more-profitable things to point them at. So this should mostly stymie spammers—individuals will be okay with sitting around on the page for a couple minutes to complete the action, but it'll throttle spammers' actions way down, to the point where it's mostly not worth it to attack that site any more, vs. some other site (i.e. it'll have the same relative-deterrent effect that putting a club on your car does.)

You could even frontload the work, turning it from a proof-of-work system into a proof-of-stake system. Have the user "buy in" with a large hash workload during user registration; and then trust them from then on. (This is the better approach for a mobile app: direct them to register on the app's website on a PC, and then you can trust that user on the much-lower-powered mobile device, despite that device never generating a token.)

-----

An effectively strictly-equivalent approach is to just charge the user a dollar to complete certain actions.

One famous example of this is the SomethingAwful forums, where registrations cost $10. You can register as many times as you like—i.e. if your account gets banned, there's nothing stopping you from just coming right back again—but you'll need to pay another $10. Seems to work fine, in terms of making it too costly to keep doing anything the site bans people for.

[rattray]

I like the cleverness and simplicity of the bitcoin mining approach, but the tradeoff between "takes too long, damaging our signup flow" (where anything more than 5 seconds is likely to have a material impact) and "doesn't take long enough, making it too cheap for bots to proceed" may be quite tricky.

Charging a buck is extremely simple, and fair. The SA example tickles me.

I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1 if given the option between the two.

[brokenmachine]

> I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1

Another commenter said that the market rate for reCAPTCHA solving is 1c each, so $1 is probably more than most would pay.