An entity in control of an online resource may wish to allow human users to access the web resource, while simultaneously limiting or restricting access to the web resource by software robots (or “bots”) programmed to simulate human users. For example, a website publisher (e.g., publisher of an e-commerce or a financial institution portal) may wish to restrict bots from accessing webpages of the website and/or performing transactions via the website. The ability to restrict access by bots, while continuing to provide access to humans, is desirable in settings where bots pose a security threat. For example, an operator of a financial institution or e-commerce portal may wish to prevent bots from creating numerous new accounts and using the new accounts for illicit or nefarious purposes such as phishing, spoofing, and/or spamming. As another example, a website operator may wish to prevent bots from accessing webpages so that the website is not flooded with bot traffic, which may prevent human users from accessing the website, as the case may be during a denial of service attack.
One conventional approach for distinguishing between human users and bots relies on a challenge called a “CAPTCHA”, which is an acronym that stands for a “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” In a conventional CAPTCHA challenge, an image representing a distorted text string is sent to a user's device (e.g., as a GIF, JPG, or PNG file part of a webpage), the user's device displays the image for the user to see, and the user enters and submits a text string that the user believes is represented by the image (e.g., using a text field in the webpage). When the text string entered by the user matches the text string represented by the image, the user is deemed to be a human user and is allowed to access a web resource (e.g., to access a webpage, perform a transaction, post in a discussion forum, etc.).