A few days ago I wrote about an artificial intelligence startup, Vicarious, which demonstrated software that breaks the widely used - and much disliked by users - CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to prevent software run by the bad guys from automating the creation of, and hacking into, accounts on Web sites.
The reason CAPTCHA is disliked by users is that it's become hard even for humans to pass the test; the distorted images employed have become so difficult to read that most people have significant trouble decoding the text and, as a consequence, often give up when creating accounts and using services.
A new company, Keypic, may have the answer to these problems by doing away with CAPTCHA altogether and replacing it with their own eponymously named verification system. In fact, Keypic can not only rate how human a user is but can also detect spam submitted as comments.
Keypic works by presenting whatever form you please along with an image. The image can be as minimal as a single transparent pixel or it can be a logo or even an advertising banner. The purpose of the image is to ensure that it's retrieved (most hackers' automation won't bother with graphical elements; it will usually just retrieve the form, fill it in, and submit it).
Whether the image is retrieved is just one of the ten or so data points Keypic checks. Other data points include how long it takes for the form to be submitted (which reveals software that tries to submit at a high rate), the order in which the fields are filled in, what the IP address is, what browser is being used, how many requests are received per minute from a single IP address, and the characteristics of any text entered into fields other than name and password.
The data points are analyzed by comparing them to Keypic's database of thousands of other form submissions, and a score is calculated indicating how fake the submission is considered to be. You can then decide, based on that score, whether to accept and act on the form data or reject the submission.
For a program to get past Keypic would require that it behave in a very human way: taking enough time to respond, downloading all page content, limiting the submission rate from any single IP address, and so on. To defeat this range of tests would require some pretty creative coding, and that's the key to detecting non-human interactions.
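To make the scoring idea concrete, here is an added illustration (my own, not Keypic's code, whose backend is closed) of how several of the signals listed above can be combined server-side into a single fakeness score with an accept/reject threshold. The point values, the per-form token tying the beacon image to a submission, and the client-reported field order are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Submission:
    token: str          # per-form token embedded in the page and in the beacon image URL (assumed)
    ip: str
    rendered_at: float  # server time when the form was served
    submitted_at: float # server time when the form was posted
    field_order: list   # order in which fields received focus, reported by client JS (assumed)
    user_agent: str

class BotScorer:
    def __init__(self, expected_order, min_fill_seconds=3.0,
                 rate_window=60.0, rate_limit=5, reject_at=50):
        self.expected_order, self.min_fill_seconds = expected_order, min_fill_seconds
        self.rate_window, self.rate_limit, self.reject_at = rate_window, rate_limit, reject_at
        self.beacon_hits = set()          # tokens whose image was actually fetched
        self.recent = defaultdict(deque)  # ip -> timestamps of recent submissions

    def record_beacon(self, token):       # called by the handler serving the (1x1) image
        self.beacon_hits.add(token)

    def score(self, s):                   # returns 0-100 fakeness score plus reasons
        points, reasons = 0, []
        if s.token not in self.beacon_hits:
            points += 40; reasons.append("beacon image never requested")
        if s.submitted_at - s.rendered_at < self.min_fill_seconds:
            points += 30; reasons.append("form filled faster than a person types")
        if s.field_order and s.field_order != self.expected_order:
            points += 10; reasons.append("fields filled out of visual order")
        window = self.recent[s.ip]
        while window and window[0] < s.submitted_at - self.rate_window:
            window.popleft()              # slide the per-IP window forward
        window.append(s.submitted_at)
        if len(window) > self.rate_limit:
            points += 20; reasons.append("too many submissions from one IP")
        if not s.user_agent:
            points += 10; reasons.append("no User-Agent header")
        points = min(points, 100)
        return {"score": points, "accept": points < self.reject_at, "reasons": reasons}

# Constructed sample traffic: one person, one scripted poster (documentation IP ranges).
ORDER = ["name", "email", "comment"]
scorer = BotScorer(ORDER)
scorer.record_beacon("tok-human")         # the person's browser fetched the image
human = Submission("tok-human", "198.51.100.7", 1000.0, 1028.5, ORDER, "Mozilla/5.0")
bot = Submission("tok-bot", "203.0.113.9", 1000.0, 1000.4, ["comment", "email", "name"], "")
HUMAN_VERDICT = scorer.score(human)        # score 0, accepted
BOT_VERDICT = scorer.score(bot)            # score 90, rejected
```

Tuning the thresholds against real traffic (the role Keypic's submission database plays) is what separates a toy like this from a usable scorer.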
The client side of Keypic is free and open source, while the backend that actually determines the score is proprietary and closed source. Keypic is currently available as a plugin for WordPress, Drupal, Joomla, and TYPO3, as well as a REST Web service, a PHP class, and implementations for ASP and ASP.NET.
My only reservation about Keypic is that although the company is based in the US (in Walnut, CA, in Silicon Valley) their Web site is a horrible mess of poor design, misspellings, weak explanations, and broken links.
So, is Keypic more effective than CAPTCHA? That all depends on what you value. If you believe that you're losing traffic and users because CAPTCHA tests put them off, then there's a very good reason to use Keypic. As of this writing, over 5,800 sites are using the system and over 113.5 million spam messages have been blocked without CAPTCHAs.
On the other hand, if you are adamant that you can't tolerate any non-humans at all accessing your site, you might want to stick with CAPTCHA ... remembering, of course, that the test has been shown to be broken at a level that will eventually (and, in fact, sooner rather than later) render it useless. I think my money is on Keypic.