
You're right that it won't stop determined attackers; there was some prior discussion here [1]. The idea is that it's good enough, while not punishing your users as much.

The difficulty can be scaled in a predictable way. It's similar to rate limiting, but less all-or-nothing. We're about to release automatic difficulty scaling per IP, so if many CAPTCHAs are requested/submitted from a single IP, the difficulty increases exponentially. Also, being able to set the initial difficulty for your use case and audience is something that should help.

Aside from that, there are some more measures on the roadmap: using lists of known-to-be-datacenter IPs, and reputation lists such as [2], as hints to increase the difficulty.

But you're right: it will still be affordable to attack any CAPTCHA, and FriendlyCaptcha is no exception. Proof-of-work approaches have downsides too.

The main ideas behind FriendlyCaptcha vs ReCAPTCHA:

* The user experience is superior. It can happen in the background while the user is doing something else. There is no labeling task.

* We don't have any incentive to collect user data or track users (GDPR compliant, no tracking cookies, etc.).

* It's as easy to add as ReCAPTCHA to your website. The API is a near copy of ReCAPTCHA's API. You can host the JS code yourself, or even bundle it. With ReCAPTCHA it must be third party.

* It works in any browser less than 8 years old (IE >= 11), although of course it's much slower in old browsers that don't support WebAssembly.

* It doesn't have inherent accessibility problems (poor eyesight/hearing doesn't matter).

* Open source at its core [3]; the SaaS wrapper is not open source.

[1]: https://news.ycombinator.com/item?id=24921288
[2]: https://www.stopforumspam.com/
[3]: https://github.com/friendlycaptcha/
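The per-IP exponential difficulty scaling described in the comment above, as an added illustration that is not FriendlyCaptcha's code: the server issues a hash-puzzle whose required leading-zero bits rise by one for every recent request from the same IP (so expected solving cost doubles each time), verifies single-use solutions, and a solver shows what the client widget has to do. The base/maximum bits, time window and TTL are assumed values.

```python
import hashlib
import os
import time
from collections import defaultdict


class PowCaptcha:
    """Issues proof-of-work puzzles whose required leading-zero bits grow with
    the number of recent requests from the same IP (assumed scaling rule)."""

    def __init__(self, base_bits=10, max_bits=24, window_s=600, ttl_s=120):
        self.base_bits, self.max_bits = base_bits, max_bits
        self.window_s, self.ttl_s = window_s, ttl_s
        self.seen = defaultdict(list)   # ip -> timestamps of recent requests
        self.pending = {}               # puzzle -> (required bits, expiry)

    def difficulty_for(self, ip, now):
        recent = [t for t in self.seen[ip] if now - t < self.window_s]
        self.seen[ip] = recent
        # One extra bit per recent request: the expected number of hashes
        # doubles each time, so the n-th request costs about 2^(base+n).
        return min(self.max_bits, self.base_bits + len(recent))

    def issue(self, ip, now=None):
        now = time.time() if now is None else now
        bits = self.difficulty_for(ip, now)
        self.seen[ip].append(now)
        puzzle = os.urandom(16).hex()
        self.pending[puzzle] = (bits, now + self.ttl_s)
        return puzzle, bits

    def verify(self, puzzle, counter, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(puzzle, None)   # single use: a replay fails
        if entry is None or now > entry[1]:       # unknown or expired puzzle
            return False
        return leading_zero_bits(puzzle, counter) >= entry[0]


def leading_zero_bits(puzzle, counter):
    digest = hashlib.sha256(f"{puzzle}:{counter}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(puzzle, bits):
    """What the client widget does: brute-force a counter meeting the target."""
    counter = 0
    while leading_zero_bits(puzzle, counter) < bits:
        counter += 1
    return counter
```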



IP reputation doesn't work for anti-abuse at scale. Traffic on NAT'd broadband and mobile networks can be purchased for cents per gigabyte.

All those upsides are not compelling if it doesn't effectively stop abuse.




