Proton, the company behind the end-to-end encrypted Proton Mail, released PRoton CAPTCHA, a layered system to differentiate between humans and bots.
For the past decade and a half, CAPTCHAs and reCAPTCHAs have served as resource gatekeepers to deter bots from creating fake accounts, spamming forms, and executing brute-force attacks to guess usernames and passwords. The idea is to set a task that must be completed before granting access—and make it easy for a human to do but very difficult for a bot.
However, CAPTCHA visual challenges, such as transcribing a set of distorted characters or selecting all images with traffic lights, have become vulnerable to advancing image analysis tools and human solver services while remaining annoying to legitimate users. Organizations concerned about potential privacy issues may not be comfortable with reCAPTCHAs (the “I am not a robot” checkbox) because they rely on behavioral analysis and the server examining user history to winnow out suspicious users. Scammers are including CAPTCHA-solving services in their automated attacks. The increased use of large language models (LLMs) is also worrying: a technical report on GPT-4’s capabilities revealed that the LLM was able to persuade a human TaskRabbit worker to complete a visual CAPTCHA puzzle.
Proton CAPTCHA consists of three levels of discernment: computational proof-of-work tasks, visual challenges, and bot detection that the company said preserves user privacy. The system presents proof-of-work challenges for the user’s device to solve in the background, without bothering the user; meanwhile, it also runs detection tests to look for botlike identifiers. Friendly Captcha and mCAPTCHA also perform those two steps. What Proton CAPTCHA adds is a visual puzzle to solve, akin to the original CAPTCHA. The combination of the three actions, Proton said, makes it more expensive for automated account creation and abuse.