Scientists Develop AI They Say Defeats Widespread eCommerce Authentication Method

AI Defeats CAPTCHAs, Could Put eCommerce Security at Risk

Artificial intelligence can now solve Google’s reCAPTCHAv2 with 100% accuracy, according to new research, possibly rendering a critical online security measure obsolete and forcing eCommerce platforms to rethink user authentication.

Scientists at ETH Zurich developed the AI system, surpassing previous methods that solved only 68% to 71% of CAPTCHAs. The research revealed that reCAPTCHAv2 relies heavily on user cookies and browser history data, suggesting AI systems can exploit these vulnerabilities.

“Bluntly, this paper shows that we are now officially in the age beyond CAPTCHAs,” the authors of the research wrote, raising concerns about the security of image-based CAPTCHAs and their effectiveness.

The End of an Era

CAPTCHAs have served as a first line of defense against automated website attacks for years. However, experts say their effectiveness has been waning, and this latest breakthrough may signal the end of their usefulness.

“CAPTCHAs are cheap, and that’s part of the problem,” Wink founder and CEO Deepak Jain told PYMNTS. “When users encounter a CAPTCHA, it can give the impression of a low-cost product or a brand that doesn’t prioritize security — more of a ‘Protected by’ security sign on your lawn without an actual security system in place.”

The apparent cost-effectiveness of CAPTCHAs may be deceptive. Jain said they can harm businesses by lowering the perceived quality of a brand’s security. Industry leaders have already moved away from this technology.

“Sophisticated companies like Apple and Amazon don’t use CAPTCHAs because they’re outdated and ineffective against modern AI bots,” he said.

Some experts take an even stronger stance against CAPTCHAs.

“CAPTCHAs need to go away and never be spoken about again,” Analog Informatics founder and President Philip Lieberman told PYMNTS. “They make users crazy, are easy to defeat, and create security theater for those who believe they work.”

There is irony in the evolution of CAPTCHA technology, he said.

“As vendors have made the technology harder for AI to figure out, it has become nearly impossible for humans to complete the challenges,” Lieberman said.

The breakthrough in AI-powered CAPTCHA solving raises more general concerns about online security.

“When AI breaks through this defense system, malicious actors can more easily automate attacks, getting access to potentially sensitive information,” Huntress Vice President of Product Marketing Seth Geftic told PYMNTS. “This means that customer data will become more vulnerable, making businesses that use CAPTCHAs as their primary line of defense more susceptible to risk.”

Balancing Security and User Experience

Companies in the eCommerce industry now face difficult choices in upgrading their security measures.

“ECommerce companies need to adopt more sophisticated solutions if they only rely on CAPTCHA,” Geftic said. “This might involve looking to things like behavioral analytics or advanced multifactor authentication, which would all require an investment in new technology. Unfortunately, getting more secure will often mean spending more money, and these costs can add up. Depending on the business structure, these increased costs might be passed onto customers, making it more difficult for businesses to stay competitive.”

Jain advocated for “stronger, modern solutions like multifactor biometric authentication and liveness detection, which verify that users are not only human but the right human, in real time.”

“Yes, things like biometric authentication and device verification require some investment in new infrastructure, but they also reduce ongoing costs,” he said. “You’ll have fewer customer support tickets related to login issues, lower fraud management expenses, and less risk of data breaches.”

Lieberman agreed.

“Using MFA technology to prove one’s identity and contact method is the standard today to slow down attackers and gain some confidence in visitors’ identities,” he said.

Experts warn that more complex authentication processes could frustrate customers and increase cart abandonment rates.

“It’s a delicate balance between security and convenience — and the advancement in AI will only make this more difficult,” Geftic said. “With CAPTCHAs becoming less effective, businesses will need to introduce more complex authentication processes, which, while they might be more secure, might also make the purchasing process more lengthy or difficult.”

User frustration with current CAPTCHA systems is already evident.

“I find myself failing the challenges regularly because they require me to understand if a pixel of a picture belongs in one box or another,” Lieberman said. “As a result, I go out of my way to not visit sites that use them.”

The Future of Online Authentication

Experts envision a more seamless and secure authentication process across various platforms in the future. Jain said he sees upcoming security as device-agnostic, “meaning it works across various platforms — whether logging in from a car, using a VR headset, or verifying identity at an airport.”

This approach could lead to improved user experiences while maintaining high security standards, potentially addressing the dual challenges of AI-cracked CAPTCHAs and user frustration with current security measures.

The challenge lies in balancing robust security with user-friendly experiences, which could require investment and technological innovation.

“Before making the plunge, weigh the priorities for your business and your business model,” Geftic said.
