by cport1 107 days ago
You're right that most of these signals are spoofable in isolation. FCaptcha doesn't make pass/fail decisions on any single signal. It's weighted ensemble scoring across ~50 signals, where the cost of spoofing all of them simultaneously is the actual defense.

Addressing a few specific ones:

PoW CPU cost: Difficulty is adaptive — 4 for residential IPs, 6+ for datacenter. On modern hardware that's ~200-800ms. For 1M users/day that's ~55-220 CPU-hours total, distributed across clients. It's comparable to what Cloudflare Turnstile does.

Keyboard-only users: Already handled. If keyEvents >= 2 and totalPoints === 0 (tabbed + Enter/Space), all mouse-based detections are skipped. No false positives on keyboard users.

"Can be recorded/replayed": signals are SHA-256 hashed and bound into the PoW input before solving. You can't solve PoW first then attach recorded signals... the hash won't match. Replaying old signal sets also fails because each challenge has a unique nonce.

Micro-tremor at 125Hz: Fair point... low polling rate mice produce less granular data. It's weighted low and only contributes when data is available. Not a gatekeeper.

CDP userGesture: true: Good catch. We detect CDP-specific artifacts (Runtime.evaluate residue, protocol binding flags), but you're right that a custom Chromium build sidesteps this entirely.

The honest answer: a sufficiently motivated attacker with a custom Chromium build can beat this. The goal is to make that cost high enough that it's cheaper to just solve the CAPTCHA legitimately or move to an easier target. Same tradeoff Cloudflare makes, but open source and privacy first.

Where I think the real gap is: server-side signals (IP reputation, TLS fingerprinting, rate patterns) and that's really what our paid bot detection is for. https://webdecoy.com