The present disclosure relates generally to computer resource security. More particularly, the present disclosure relates to systems and methods for implementing and tracking identification tests used to authenticate users.
Conventionally, an identification test is implemented by an entity in control of a computer resource to determine to what extent, if at all, a user should be granted access to the computer resource. For example, a web site publisher may implement an identification test to authenticate a user, i.e., to determine whether the user is who he purports to be. Based on the outcome of the test, the publisher decides whether the user is authorized to access the requested resource (e.g., to view a web page, to post a comment on a discussion forum and/or to perform a transaction via the web site).
This type of identification test is conventionally implemented as a challenge-response protocol executed between the publisher and the user. The publisher generates and serves to the user a challenge message soliciting a piece of information, such as an answer to a predetermined security question and/or a value derived based on a cryptographic secret known only to an authentic user. The user must respond to the challenge by providing the solicited piece of information, and the publisher determines whether the user has passed the identification test by examining the user's response.
The publisher may also implement an identification test to determine if a user is a human user or a software robot (“bot”) programmed to simulate a human user. This allows the publisher to restrict access by bots while continuing to provide access to humans, and is therefore desirable in settings where bots pose a security threat. For example, the publisher may implement this type of identification test to prevent bots from creating numerous new accounts and using the new accounts for illicit or nefarious purposes such as phishing, spoofing and/or spamming.
Some conventional identification tests for distinguishing between human users and bots incorporate static images into challenge messages to be served to users. For example, in an image-based challenge called a “Completely Automated Public Turing Test to Tell Computers and Humans Apart” (“captcha”), a static (graphic) image is presented in the challenge message and the user is asked to respond based on the content of the static image.
Several variants of static image captchas have been proposed, including the Gimpy, Bongo and Pix tests described below.
FIG. 1 shows an example of a Gimpy test, in which a word (e.g., “trounce”) is selected from a dictionary and is displayed in a distorted and/or deformed fashion in a static image 102. The user is prompted to enter the displayed word in a text field 104 and is deemed to have passed the test if the entered word matches the displayed word.
FIG. 2 shows an example of a Bongo test, in which a user is prompted to solve a visual pattern recognition problem. In this example, the challenge message contains a static image that shows, on the left-hand side, symbols 202 drawn with relatively heavy line weights and, on the right-hand side, symbols 204 drawn with relatively-light line weights. The user is expected to recognize this pattern and respond by indicating to which group (left or right) a separate symbol 206 belongs. As shown in FIG. 2, the user may indicate a group by clicking on one or more check boxes 208.
In a Pix test (not shown), several different static images are displayed to a user, and the user is prompted to name a subject common to all of the displayed images.
Sound-based captchas have also been proposed to accommodate visually impaired users. For example, in an Eco test, a word or sequence of numbers is selected and rendered into a distorted sound clip. Upon playing the sound clip, a user is prompted to enter the content of the sound clip and is deemed to have passed the test if the entered word or number sequence matches the actual content of the sound clip.