Forget adding more draconian identity requirements. 95% of CAPTCHA use is simply unnecessary and could be straightforwardly removed or replaced with rate limiting login attempts per IP. Never mind sites that use it to prevent scraping. If serving static pages is that much of a burden that you want to discourage automated means of retrieving information that you're trying to publish, then work on your website performance instead of adding more user-hostile roadblocks.
Exactly. The vast majority of captcha usage is completely unnecessary. Just remove it. As you say I've even seen captchas for static content, which is pure nonsense.
I run several long-lived (decades) sites with mostly static content but also some dynamic pages and a commenting mechanism. Here's what I do to prevent abuse: nothing. It's fine.
If you run a massively popular site or something politically controversial then you'll be targeted for abuse. If you're specifically targeted, I don't know how much captchas will help.
For the rest of the 99.9% of sites, just stop it. You don't need it.
> could be straightforwardly removed or replaced with rate limiting login attempts per IP
This is very outdated intuition. Fresh IP addresses cost peanuts.
For example, your solution still allows an attacker to run a 50k item /login combolist against one of your users with $5 of botnet time, each IP address trying a single uname/pass combo.
Here you pay $18/GB to multiplex your abuse (cred stuffing being a classic non-volumetric abuse example) across 72 million residential IP addresses. https://luminati.io/
50k attempts is tiny, like a 3 character password or a single account run through /usr/share/dict/words.
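The failure mode described in this comment, as an added illustration that is not part of any commenter's post: a per-IP failure counter against a constructed attempt log where each source address makes exactly one guess at the same account, compared with the same counter keyed on the target account instead. The log, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed login-attempt log: (timestamp, source_ip, target_user, success).
# Distributed credential stuffing: 60 distinct source IPs, one attempt each,
# all aimed at the same victim account.
ATTEMPTS = [(t, f"203.0.113.{t}", "victim", False) for t in range(60)]
# A legitimate user who mistypes three times and then signs in.
ATTEMPTS += [(100 + i, "198.51.100.7", "alice", i == 3) for i in range(4)]


class WindowLimiter:
    """Sliding-window failure counter keyed by an arbitrary attempt dimension."""

    def __init__(self, key_fn, limit, window):
        self.key_fn, self.limit, self.window = key_fn, limit, window
        self.fails = defaultdict(list)  # key -> timestamps of recent failures

    def blocked(self, attempt):
        t, _ip, _user, ok = attempt
        key = self.key_fn(attempt)
        recent = [x for x in self.fails[key] if t - x < self.window]
        self.fails[key] = recent
        if len(recent) >= self.limit:
            return True  # over budget for this key: reject before checking password
        if not ok:
            recent.append(t)
        return False


def by_ip(attempt):
    return attempt[1]


def by_account(attempt):
    return attempt[2]


def blocked_by(key_fn, attempts=ATTEMPTS, limit=5, window=300):
    """Return the attempts a limiter keyed by key_fn would have rejected."""
    limiter = WindowLimiter(key_fn, limit, window)
    return [a for a in attempts if limiter.blocked(a)]


# Per-IP: every attacker address is fresh, so nothing is ever rejected.
# Per-account: the victim's budget is spent after 5 failures and the remaining
# 55 guesses are rejected, while alice's 3 typos stay under the limit.
# Caveat: an account-keyed counter on its own lets anyone lock a victim out,
# so in practice the over-budget response should be a step-up (e.g. email
# confirmation) rather than a hard block.
```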
If you're worried about passwords shared with other sites that have leaked, then the real answer is to generate something like a username for each user that they won't be able to share between sites. In fact with the prevalence of password managers, generating users' passwords for them might just be the better approach these days. And just fall back to email auth every time if they don't want to store it.
Duct taping your broken system by throwing up an annoyance for every user who doesn't want to be tracked is not the way.
Maybe there's a good solution somewhere there but the problem - as far as I can see - with this is that you either have a central party that knows who signed up for what or you have every account tied to a permanent super-identity. Both of which aren't great.
Webauthn may make it easy because it supports platform authenticators like Touch ID / Face ID. Two good demos are at http://webauthn.me/ and https://webauthn.io/
It's now supported in all major browsers but platform authenticators are likely not supported on all OS yet.
I'm not sure it will be as secure as captchas though. Browsers will probably allow dummy platform authenticators for ease of development, which can be used by bots as well.
Why can’t they do something like a reverse SSL where we have to authenticate ourselves as humans?
For example if I have an Apple account on my Apple devices, why can’t they figure out a way to authenticate me as a human from that information?
This doesn’t work for all scenarios (eg throwaway accounts), but it could work for the majority?