Cloud security

What is a CAPTCHA in SaaS?

Author: Ioana Grigorescu, Content Manager

Reviewed by: George Ploaie, Chief Operating Officer (COO)

What is a CAPTCHA in SaaS?

A SaaS CAPTCHA is a cloud-hosted security service that verifies that a user is human by presenting a simple task. These challenges are a critical factor in keeping digital platforms "intact," as they prevent automated bots from carrying out mass actions such as creating multiple accounts, sending spam, or making fraudulent purchases.

Modern features of CAPTCHA:

  •   Adaptive Risk Analysis: Newer versions, such as Google reCAPTCHA v3, assess a user’s potential risk level by monitoring their actions, potentially reducing the reliance on traditional challenges.
  •   Multimodal Challenges: They may offer various tasks, such as recognizing images (“click on all traffic lights”), reading distorted characters, or ticking a checkbox (“I’m not a robot”).
  •   Accessibility Support: These tools offer both visual and audio challenges, which matters for users with visual impairments and for adherence to ADA and WCAG standards.
  •   Integration: Security features are delivered through the SaaS API, which may reduce reliance on manual software updates.

What are the most common types of CAPTCHA?

Regardless of intent, SaaS CAPTCHA solutions vary in the level of security they provide and the friction they impose on users.

  •   Text-Based CAPTCHA: The original model, requiring participants to recognize jumbled letters and numbers.
  •   Image-Based CAPTCHA: Selection of target objects from a group of images (“all squares with bicycles”).
  •   Math or Logic Challenges: These raise the level of difficulty and serve as a mental test, e.g., simple addition or "drag-and-drop" puzzles.
  •   Invisible CAPTCHAs: They analyze user behavior, such as mouse movements and typing styles, in the background, only making the user aware of a CAPTCHA when robot-like behavior is detected.

How do CAPTCHAs work to separate humans from automated scripts to stop payment fraud?

A SaaS CAPTCHA works as a kind of "Turing test": humans can pass it easily, while bots cannot unless they expend a lot of resources. Introducing a manual step in the checkout process can hinder automated attack methods such as "carding" or "credential stuffing."

Examples of Using CAPTCHAs:

  •   A CAPTCHA may appear following several unsuccessful login attempts, serving as a potential deterrent to brute-force attacks.
  •   Retailers implement these measures, aiming to direct limited-edition items towards genuine customers rather than automated purchasing systems.

What factors typically lead to a CAPTCHA test being presented during checkout?

Rather than triggering a CAPTCHA arbitrarily, merchant security systems are designed to react to certain behavioral "signals" indicating that the visitor browsing the site is not human.

Usual Causes:

  •   Velocity Patterns: Form submissions completed at a rate exceeding typical human capabilities may indicate unusual activity.
  •   IP: Traffic from data centers or VPNs is frequently met with an authentication challenge.
  •   Reaching checkout without any prior product page visits is a pattern sometimes observed in automated systems.
  •   Browser Headers: A notable mismatch between the browser the user declares and its actual technical fingerprint can also trigger a challenge.
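
The four triggers above can be combined into a single challenge decision. The following is an added example, not code from the original page or from any CAPTCHA vendor; the point values, the threshold, the 3-second lower bound and the `/product/` path prefix are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values (not from the page); tune them on real traffic.
POINTS = {"velocity": 35, "datacenter_ip": 25,
          "no_product_view": 15, "header_mismatch": 25}
CHALLENGE_AT = 50             # total points at which a CAPTCHA is shown
MIN_HUMAN_FILL_SECONDS = 3.0  # faster form completion counts as velocity


@dataclass
class CheckoutRequest:
    form_fill_seconds: float        # form render to submit
    ip_is_datacenter_or_vpn: bool   # output of an IP reputation lookup
    pages_visited: list             # session path before checkout
    user_agent: str                 # browser declared in the request header
    fingerprint_browser: str        # browser family seen by client-side checks


def fired_signals(req):
    """Return which of the four triggers fired for this request."""
    fired = []
    if req.form_fill_seconds < MIN_HUMAN_FILL_SECONDS:
        fired.append("velocity")
    if req.ip_is_datacenter_or_vpn:
        fired.append("datacenter_ip")
    if not any(p.startswith("/product/") for p in req.pages_visited):
        fired.append("no_product_view")
    if req.fingerprint_browser.lower() not in req.user_agent.lower():
        fired.append("header_mismatch")
    return fired


def should_challenge(req):
    """Return (challenge?, score, reasons); reasons feed the audit log."""
    fired = fired_signals(req)
    score = sum(POINTS[name] for name in fired)
    return score >= CHALLENGE_AT, score, fired


# Constructed sample sessions.
UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36"
SHOPPER = CheckoutRequest(41.0, False, ["/", "/product/42", "/checkout"], UA, "Chrome")
VPN_SHOPPER = CheckoutRequest(38.0, True, ["/product/42", "/checkout"], UA, "Chrome")
SCRIPT = CheckoutRequest(0.4, True, ["/checkout"], UA, "Firefox")

if __name__ == "__main__":
    for name, req in [("shopper", SHOPPER), ("vpn", VPN_SHOPPER), ("script", SCRIPT)]:
        print(name, should_challenge(req))
```

A single signal, such as a genuine shopper on a VPN, stays below the threshold, so only combinations of signals interrupt the checkout.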

What are the primary benefits and advantages of using CAPTCHA for merchant security?

SaaS CAPTCHA solutions are often associated with a specific security level and infrastructure investment. The vendor's cloud-managed system updates the algorithms, which may reduce the manual maintenance the merchant needs to carry out.

 

| Feature | + | - |
|---|---|---|
| Security | Hinders bulk automated attacks. | Can potentially be circumvented by advanced "solver" bots. |
| Cost | SaaS versions often present a low barrier to entry due to the availability of free or low-cost options. | User friction at the cart is linked to indirect costs and abandonment rates. |
| UX | Relates to the customer's perception of security. | System behavior can vary depending on whether users access the platform through mobile devices or slower connections. |

What challenges may be encountered when CAPTCHA is implemented in payment flows intended for high conversion?

User accessibility is one aspect to consider. In high-conversion flows, the time spent on a challenge and shopping cart abandonment may be related. However prevalent CAPTCHA methods are, it is essential that they remain accessible to users with disabilities. Furthermore, some advanced bots rely on human solvers, which may limit a CAPTCHA's success against persistent attackers.

Useful tips:
  • Deploy “v3” style versions that show a challenge only if a user’s risk score is high.
  • Ensure image grids are large enough to be tapped on small smartphone screens.
  • Monitor “drop-off rates” at the CAPTCHA stage to assess its potential impact on sales.
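
One way to apply the first tip on the server, as an added example that is not code from the original page or from Google: it maps the JSON returned by reCAPTCHA v3 token verification to allow, challenge or reject. The two thresholds, the `checkout` action name and the `shop.example` hostname are assumptions, and the sample responses are constructed.

```python
import json

# Assumed policy values, not from the page: tune per action on real traffic.
ALLOW_AT = 0.7      # score at or above this: let the payment through
CHALLENGE_AT = 0.3  # score at or above this: show an interactive challenge


def decide(verify_json, expected_action, expected_hostname):
    """Map a reCAPTCHA v3 verification response to allow/challenge/reject.

    v3 scores run from 0.0 (likely bot) to 1.0 (likely human), so a high
    risk in the tip above corresponds to a low score here.
    """
    try:
        resp = json.loads(verify_json)
    except (TypeError, ValueError):
        return "reject"                  # fail closed on an unparseable reply
    if not isinstance(resp, dict) or resp.get("success") is not True:
        return "reject"                  # token invalid, expired or reused
    # A token issued for another action or site must not pass checkout.
    if resp.get("action") != expected_action:
        return "reject"
    if resp.get("hostname") != expected_hostname:
        return "reject"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject"
    if score >= ALLOW_AT:
        return "allow"
    return "challenge" if score >= CHALLENGE_AT else "reject"


def sample(**overrides):
    """Build a constructed response in the shape the verify API returns."""
    base = {"success": True, "score": 0.9, "action": "checkout",
            "hostname": "shop.example", "challenge_ts": "2024-01-01T12:00:00Z"}
    base.update(overrides)
    return json.dumps(base)


if __name__ == "__main__":
    for body in (sample(), sample(score=0.4), sample(score=0.1),
                 sample(action="login"), sample(success=False), "not json"):
        print(decide(body, "checkout", "shop.example"))
```

Logging each outcome next to the order result gives the drop-off figure the third tip asks for.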

Are there viable alternatives to using CAPTCHA for verifying high-stakes financial transactions?

For merchants worried that "challenge fatigue" will cost them customers, here are some alternatives that might work.

  •   Behavioral Biometrics observes user behavior in mouse movement, typing rhythm, and phone handling, and performs user verification without significant disruption.
  •   Device Fingerprinting constructs an identifier from a user’s hardware attributes, potentially permitting recognized devices to avoid some security screenings.

Conclusion

SaaS CAPTCHA systems address automated threats, but may simultaneously introduce friction for users. Newer, less noticeable technologies offer merchants a way to protect revenue, although the impact on customer experience remains a consideration.
