NuCaptcha.com

Adaptive Captcha Authentication

NuCaptcha Security Features

Security is a constantly changing industry. That's why we have a team of people at NuCaptcha dedicated to monitoring the current security situation and tuning the platform accordingly.

One security feature of the NuCaptcha Security Platform is the Animation System. This helps NuCaptcha to be both the most secure and easiest to use Captcha system available.

Another security feature is our Behavior Analysis System. This gives easier Captchas to legitimate users and progressively more secure Captchas to attackers.

NuCaptcha also employs captcha best practices to help ensure our Captchas are secure.

NuCaptcha uses patent-pending next generation animated Captcha technology. Testing has shown that animated Captcha puzzles are easier for humans to recognize and solve than static, scrambled Captcha images.

Compare the static images on the right, MEA and TEX, to the live NuCaptcha. These are actual screenshots of a NuCaptcha video stream. Notice that the animated NuCaptcha is much easier to read.

When the letters are moving your mind sees the different parts and fills in the blanks; the parts that are moving together are grouped together, and you can clearly differentiate the letters. Computers don't have this advantage and see a smear of pixels.

Video Streaming

We're often asked how NuCaptcha is displayed. One common assumption is that it is rendered in Adobe Flash.

NuCaptcha is displayed as an H.264 MPEG-4 Video Stream that is rendered in your browser in a variety of ways.

It's important to note that NuCaptcha is a video stream and not a Flash program. This is because it is not secure to create a Captcha in Flash.

The vast majority of visitors to your website are legitimate users. So why punish customers with a conventional Captcha that presents static garbled images that are difficult and frustrating to decipher?

The NuCaptcha Security Platform is different. It uses a behavior analysis system to monitor all interactions on the platform. It then uses this information to tune the security of each Captcha delivered to each user.

Legitimate users are given easy to solve Captchas, and attackers are given progressively more secure Captchas. This maximizes usability for legitimate users; eliminating frustration and increasing conversions on your website, while providing a high degree of security against attackers.

The examples to the right appear difficult to read as static images, but of course are still very easy to read for humans when they are animated.

Click the links below to see an example NuCaptcha at different security settings.

Sample 1 - Sample 2 - Sample 3

Easy to Use
 Secure
More Secure
 Very Secure

On the surface Captchas seem fairly easy to create. But there are many challenges in creating a secure Captcha system.

Below are some best practices for security features to be aware of when evaluating Captcha systems.

Warping Warping individual letters makes it difficult for OCR software to recognize them. A weaker option that some systems employ is to warp full images. This is easier for OCR to break, but is still a common practice.

Captcha systems that don't warp letters are so easy to break they shouldn't really be called a Captcha.
Clutter Clutter is adding content to the Captcha that makes it difficult for OCR software to differentiate and separate letters. Common techniques for adding clutter is to add "lines", or "cow spots".

While this common method is OK, a more secure method is to overlap the letters so that adjacent letters become the clutter. Overlapping letters enough to add security in a static image makes it very difficult to read which is why it is not often done.

NuCaptcha's innovation of animation enables us to use this more secure clutter method while making the Captchas even easier to read than less secure static image technology.
Security Code The security code is the answer that the user must type in to correctly solve the Captcha. The most secure method of doing this is to include random letters in the security code.

Some systems use English words. This is less secure as they become vulnerable to dictionary attacks. A dictionary attack uses solved letters to reduce the possibilities of what other letters can be. Longer words are more susceptible to dictionary attacks than shorter words.

The worst option possible is to use a common series of phrases without random letters. Each phrase is like one very long word making it extremely susceptible to a dictionary attack.
Random Puzzles Along with having a good security code it's important that Captcha puzzles are generated by an automated process. That is to say, the computer can generate an infinite variety of unique puzzles.

An attacker can create an inventory of puzzles for about $10 per thousand. Unless there are an infinite number of unique captchas the whole system is defeated.
Behavior Analysis A strong Captcha system must monitor what is going on in the system. This must be done so that the system can respond dynamically and adjust security settings according the current threat level.

The most secure option is to monitor and automatically adjust security settings on a per user basis.
Network Security All communications between the website and the Captcha system should be enciphered. If communiation is sent in plain text it's possible for a sophisticated attacker to intercept this communication and defeat the Captcha.

Other types of communication should also be protected. For example, Captchas content should not have a "unique identifier" that is used multiple times.
Multiple Fonts Using multiple fonts inside a Captcha message increases the complexity of training OCR software. Ideally multiple fonts will be used in a single Captcha puzzle.
All trade names, trademarks and logos are the property of their respective owners. NuCaptcha is a registered Canadian company. © 2011 NuCaptcha Inc.