by slothsarecool 1296 days ago
Ever since ML has reached the "general public", developing models against hearing- or vision-based CAPTCHAs has become trivial.

Sure, you have to emulate or simulate the client JS challenges but when bots are running browsers in the background you can only do so much.

I wonder what the future of captchas, if any, will look like.

2 comments

It's identity, which is why Google shows the "Your computer or network may be sending automated queries" message on reCAPTCHA if you trigger too many heuristic and IP reputation signals to be classified as a bot. That's why, for Google, you get to carry around your reputation in the form of your Google Account, and for Cloudflare, they have private access tokens[0] (which might be the only reason you don't get blocked by every CF site on iCloud Private Relay), and otherwise Cloudflare's big ambition is "human attestation" via WebAuthn credentials[1,2].

0: https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

1: https://cloudflarechallenge.com/

2: https://blog.cloudflare.com/introducing-cryptographic-attest...

However, that's not a solution but a patch.

Google accounts give you a good score and tend to deliver easy captchas while dealing with reCAPTCHA; however, for this reason, Google accounts are being sold and bought constantly.

People have tried similar fight tactics in the past. SMS and phone verification have failed because the return on investment is far greater than the price barrier it adds to get any of those "virtual identities".

iPhones might work but then, for how long? If you guarantee that an iPhone won't get captchas, it's a good investment to buy many old (or new) ones and sell token access to skip any captcha.

Many farms already have thousands of phones scrolling through YouTube videos to get views, likes, and other stats for videos/channels.

The same "logic" applies to YubiKeys and similar auth hardware; attackers can exploit it similarly.

Companies will tell you that they have abuse policies and actively fight abuse/bot farms, but again, they are not solving a problem but solving the problem with tape.

ReCAPTCHA was very useful for a while; it did genuinely stop bots reasonably well, but none of the "newer" versions seem as efficient as the older versions used to be. Progress stopped after V2.

...which really sucks when you try to use any of those sites via Tor (no cookies, "bad" IP) or at a place with a shared external IP (public access points).

Open Google... captcha... every page has a 5-second Cloudflare page before opening the page itself.

Bots have the time, they can wait and do other stuff in the meantime, but we humans get bothered by that.

I've also wondered about the more speculative future of CAPTCHAs - e.g. how to prove you are human when ML gets better and better. Would be fun to add to the near-future sci-fi I'm sometimes writing. I'd imagine CAPTCHAs could go towards social proofs ("Carl is asking you to verify he is human, are you sure?"), doing things in the physical world ("Go out and make <this gesture> to the Google satellite") or being asked more and more difficult world reasoning questions, those that GPT (so far) struggles with.