Page MenuHomePhabricator
Create Task
Maniphest T354234

AttentionPlease -- audio CAPTCHA
Open, Needs TriagePublic
Actions

Description

I read the paper Blind and human: exploring more usable audio CAPTCHA designs by Valerie Fanelle et al. They suggest a kind of captcha called "Categories", in which the user is asked to count the number of times a particular kind of sound (such as a bird chirp) occurs. Users were often able to answer this challenge successfully, however they noted that it is easily defeated by guessing, that is, answers have low entropy.

It occurs to me that the entropy could be increased, and the mental load reduced, by asking the user to click a button at each occurrence of the target sound, rather than mentally counting the instances. We can record the timing of the clicks and classify the response on the server.

Development of a practical captcha along these lines would still be very daunting if the goal was to defeat an AI trained to distinguish sounds in the target category. But if we reduce the security goals to merely deterring bot authors who have a limited motivation, then the task becomes more tractable. Instead of a large private library of sounds in various target categories, we can make do with just a single sound mixed into a single background. This would still be more secure than the existing visual CAPTCHA, which can trivially be defeated with OCR tools that are already integrated into the relevant bots.

So I wrote a demo of this concept which I am calling "AttentionPlease".

Try the demo

The demo audio was constructed using Audacity from freely licensed source sounds. It is delivered to the browser as an MP3 obfuscated by XORing with a 32-bit key. Part of the key is sent as a response header.

There are a lot of tunable parameters.

Challenge sequence:

  • Ask the user to click the button to start. This avoids starting the sound while the screen reader is still reading, and it ensures that the user has moved their virtual cursor to the button they will need to press during the game phase.
  • 0 - 0.5: fade in
  • 0.5 - 3.0: background
  • 3.0: Fixed prompt
  • 3.0 - 8.0: background
  • 8.0: Hint loop. If the user has not clicked the button, stop the audio. Write a text reminder and restart from the start of the sequence.
  • 8.0 - 28: Five prompts are delivered at random intervals.
  • 28 - 29.5: background
  • 29.5 - 30: fade out

Scoring:

  • Match prompts with subsequent clicks with a limit of 4 seconds. The score is 1 at a latency of 0, ramping down to 0 at a latency of 4 seconds. Note that the Mozilla documentation on currentTime threatens to round times to the nearest 100ms.
  • Additional unmatched clicks receive a score of -1.
  • The scores are added, and then the total is normalized to a percentage.
  • I am typically scoring 80-90. I suggest a passing score of 70.

Implementation notes:

  • An easy to use reCAPTCHA style API would be nice, but reuse by non-WMF websites could incentivise efforts to break it.
  • ConfirmEdit has no support for user-selectable alternative or mixed captchas. Substantial refactoring of the extension would be needed.
  • Like FancyCaptcha, challenges can be generated and stored ahead of time. However unlike FancyCaptcha, it is probably not feasible to store the solution in the URL.

Related Objects

Event Timeline

tstarling created this task.Jan 3 2024, 4:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 3 2024, 4:30 AM
tstarling mentioned this in T6845: CAPTCHA doesn't work for people with visual impairments.Jan 3 2024, 4:31 AM
Graham87 added a comment.Jan 3 2024, 4:37 AM

As a screen reader user, I think this sounds really cool ... I'd never heard of this type of CAPTCHA before! Thanks for your work on this and putting up the demo. I'm scoring around 90 as well ...

Stang subscribed.Jan 3 2024, 5:24 AM
fnegri awarded a token.Jan 3 2024, 10:31 AM
fnegri subscribed.
tstarling added a comment.Jan 4 2024, 12:40 AM

There was a scoring bug which gave extra points to early responses, which I fixed.

I modelled the scores achieved by guessing. With parameters similar to the demo audio, submitting equally spaced times achieves an average score of 42, and 9% of guesses exceed a score of 70.

Delivering 5 prompts in 20 seconds is a bit tight, considering the score timeout parameter of 4 seconds.

Increasing the effective challenge time from 20 to 25 seconds reduced the average score by guessing from 42 to 25, and reduced the probability of exceeding a score of 70 from 9% to 1.6%.

Reducing the score timeout parameter also works to reduce guessing scores, although this reduces human scores proportionally. If you want typical human scores to be 80-90 then the timeout should be 4 seconds.

I uploaded the demo code to https://github.com/tstarling/attention-please

Tgr awarded a token.Jan 4 2024, 1:19 AM
MJL subscribed.Jan 8 2024, 5:54 PM
tstarling updated the task description. (Show Details)Jan 10 2024, 2:34 AM
Daimona subscribed.Jan 12 2024, 5:23 PM
kostajh subscribed.Jan 15 2024, 9:10 AM
Bawolff subscribed.Feb 12 2024, 4:44 PM
Volker_E subscribed.Feb 13 2024, 11:09 AM
Nardog subscribed.Feb 23 2024, 6:17 PM
HouseBlaster awarded a token.Mar 10 2024, 2:29 AM
HouseBlaster subscribed.
HouseBlaster added a comment.Mar 20 2024, 7:31 PM

Can I suggest that this be released under the GPL? I think decreasing the number of websites which can use it would be A Good Thing, as it would to disincentivize breaking it.

valerio.bozzolan subscribed.Sun, Apr 21, 1:35 PM
valerio.bozzolan added a comment.Sun, Apr 21, 1:43 PM

This solution is interesting. Even if it probably will never work without JavaScript.

I have a friend of mine (castix) that visits websites only using lynx (text-based browser web) and they think that this solution is really promising, but unfortunately it probably does not cover that specific case.

Moreover, sometime, some people may have not enough reflection skills to answer. I indeed don't talk about "normal" visual impairment, I talk about some forms of visual + intellectual disability (I'm not an expert in this field).

Unfortunately I have not any additional idea about how to overcome this.

Volker_E unsubscribed.Mon, Apr 22, 7:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL