User verifications like CAPTCHA are necessary solutions to keep one’s website free of bad bots. But in the verification process, it’s crucial to preserve a frictionless user experience. PerimeterX product manager Gad Bornstein joins us to discuss how PerimeterX is combating bad bots and making web apps’ user experience easier using Human Challenge. Listen to the full episode here.
So user verifications—they've proven time and time again to be hard for humans and easy for bots, especially lately. How does Human Challenge differ from other CAPTCHA methods and how does it work?
Gad: That's a great question. Human Challenge offers something that most solutions don't have, which is a holistic solution that combines the power of bot management together with the signals from user verification challenges. So we get enriched data that other solutions don't get otherwise. It's not just serving a challenge or a CAPTCHA on a page, and then just hoping that bots will get tired from trying to solve the CAPTCHA. It’s actually taking the signals from PerimeterX Bot Defender early in the user journey, combining them together with Human Challenge signals and getting something that is much greater in terms of detection, protection, and identification of bots versus humans. Now, because we have this holistic solution, it enables us to minimize user friction. No crossroads, no lights, nothing like that.
We wanted a no-hassle challenge like “press and hold,” and in the future, it could take the form of other challenges as well. Now, using PerimeterX Bot Defender, only 1 out of 10,000 users, 0.01%, are receiving challenges due to detection accuracy. But once the user gets a challenge, we want as little user friction as possible. And as a result, Human Challenge takes much less time to solve compared to other challenges and CAPTCHA solutions out there. That’s our target.
Another thing that we’ve had in mind is that in the last 2-3 years, we’ve seen a trend of increased CAPTCHA solvers, CAPTCHA-solving surfaces and CAPTCHA-solving farms. We knew this was going to be a constant threat. We wanted to trace, spot and identify those services early on. So we put a lot of effort in intelligence work, as well as traps and honeypots in order to identify those attackers. Combining the three—holistic solution, minimum user friction and CAPTCHA-solving service identification—is what enables Human Challenge to be both easy for humans and hard for bots.
You mentioned speed. How much faster do users of Human Challenge solve challenges as compared to other CAPTCHA methods?
Gad: Today, the most common challenge served to web traffic is reCAPTCHA. When we compare the solve time of Human Challenge, we reach 5x faster than reCAPTCHA—this is a lot. And we see this across percentiles. It's not only the median or the 75th percentile. We see it across customers because today, Human Challenge has dozens of customers.
And it's not enough to say, "Human Challenge is faster for humans." We also measure abandonment rates of the challenge page because many times, as a user, you get reCAPTCHA and are presented with images of crossroads and lights that you need to solve, and you get tired and just leave the page. We’ve achieved between 10-15x lower abandonment rate with Human Challenge compared to reCAPTCHA. With Human Challenge, users tend not to leave the challenge page, complete the verification and continue to purchase. That’s really impactful for our customers.
Verification tools typically impede user experience and test people's patience. How does Human Challenge approach user experience?
Gad: There is some kind of a trade off in that challenge of the CAPTCHA world. You have user experience and user friction, but you also have detection. Usually detection, or detecting that a user is a bot or a human, really impacts the way your user experience looks. So our approach to that was, "Okay. We see the current challenge and the CAPTCHA solutions out there. They have to have heavy user friction in order to achieve heavy bot friction." We didn't want that. We wanted to have user friction first and then detection. Detecting bots will follow. We have that luxury because Human Challenge is a part of Bot Defender. So we designed the button to press and hold—something very lean and white-label. After a lot of research, minimum user friction was possible. Just press and hold for a few seconds and that's it.
Around that, we built heavy models of detection. We have plenty of experience in the bot identification and bot mitigation world. We see billions of attacks every day, so we know how to build those detection mechanisms, how to track false negatives, attackers passing by us, and false positives as well.
How does Human Challenge do all of this?
Gad: It combines the many capabilities of PerimeterX Bot Defender, including fingerprinting, behavioral detection and machine learning algorithms. It also pulls from all the research that was done in order for Bot Defender to be as successful as it is today. Bot Defender also works in real time, so every time a user gets a new page, we calculate their behavior, path, fingerprints and all those machine learning models. Then we get a score that defines whether you're a human or a bot. With Human Challenge, this heavy lifting all takes around 5-7 seconds.
What are the typical use cases for Human Challenge?
Gad: Typical use cases for Human Challenge are roughly the same as typical use cases for Bot Defender. We protect against account takeovers, carding attacks, scraping attacks, hoarding and many more. We do this by implementing Human Challenge where the customers need us to be. By combining Human Challenge with Bot Defender, we become better at surprising attackers, which we must do to be successful. Because every time you surprise an attacker, you actually break the attacker's automation.
What are the ultimate benefits of Human Challenge for businesses?
Gad: First of all, for us, it's providing the best user experience possible, lower abandonment rate, less time to solve and less hassle. We also allow businesses to customize Human Challenge. It's not just the CAPTCHA-type box with the pop-up of the different pictures. We enable customers to take a white-label product and customize it per their own feature, per their own page. They probably have some kind of theme on their page. It could be mobile, it could be web. We enable customers to do exactly what they need to do and make sure that Human Challenge fits perfectly to their website—whether they take vanilla Human Challenge or customize it for their own needs. The flow of Human Challenge can be customized as well. Challenges can be shown dynamically, on specific pages, for specific needs, or using specific scores or flows. It's all configurable and it's helping businesses think, "When do we need Bot Defender to trigger Human Challenge and eliminate any user friction to make sure that the user stays on their way to purchase?"
Not all bots are bad. How does Human Challenge treat good bots versus bad bots?
Gad: We love good bots. Good bots are bots like Googlebot and Bingbot and plenty more. Using the power of Bot Defender, Human Challenge has an automatic feed of good bots and known bots in general. We scrape and monitor the internet to make sure that we have the biggest database of good bots with different identifiers that IPs and user agents, and ISPs that they're coming from. So because we have these resources in Bot Defender, they can be put to good use in Human Challenge as well. We don't trigger Human Challenge on the good bots or known bots that have been allowed by the customers. It’s very easy, out-of-the-box functionality, and it’s all visible for customers in the PerimeterX Console.
We've discussed the past, present and future of CAPTCHA on the PerimeterX podcast before. So what's your vision of the future of user verification?
Gad: Good question. Surprising the attacker is first and foremost. It's all about breaking the automation and making sure that we have the right traps in place. By doing that, we can trace something that is out of the ordinary.
Second is better identification of attackers. We have a big research team that is collecting intelligence from forums and blogs and threads of attackers. They're collecting new tools, understanding new capabilities of attackers, and those attackers have clear monetization motivation. They want to gain access to accounts, product details, limited items like sneakers and tickets, and they of course attack with multiple credit cards and to conduct transactions. So the monetization of this business is there. We need to identify those attackers and their capabilities all the time. And it's not just machine learning and catching attackers by surprise—it's also better intelligence.
The third and maybe most important one, from my experience, is that if you compare Human Challenge to other present and future CAPTCHA solutions, standalone solutions are not enough. Standalones are one-off actions like simple user verification images like crosswalks and traffic lights. Bots will learn how to pass that. You need to have an overall view of what's happening on your website, a good understanding of what is a good bot versus a bad bot, how your customer ecosystem looks, and how your solution interacts with other solutions in your tech stack like fraud solutions, feedback solutions and bot solutions on the website.
So to summarize, the future will require you to surprise attackers, identify attackers better through intelligence and avoid standalones. You need to have a holistic solution.
How can PerimeterX customers access Human Challenge?
Gad: It’s super easy. They can send a quick message to support or customer success via Slack, email or any other avenue of choice. For us, it's a turn of a switch. It's very, very easy. Oftentimes, because we have many custom integrations with customers, we take extra steps to make sure that the Human Challenge integration looks perfect, and then we can move forward. But 99.9% of the time, it’s effortless to activate. We also provide A/B testing for the customer if they so desire. We've conducted A/B testing with reCAPTCHA with some customers and share the results to make sure that the customer enjoys a lower abandonment rate, shorter time to solve, better CAPTCHA solver identification and better attack blocking.
The whole experience around Human Challenge is very simple, and we are open for any feedback from customers. As a product manager, the adoption rate of Human Challenge is very fun to see. I hope it continues in that direction. We also have future plans for Human Challenge to add more dynamic challenges, to make sure that we are always innovating and bringing something new to the table. The future of Human Challenge looks bright.
For more information on Human Challenge and user verification, visit the PerimeterX Bot Defender page.