More organizations are turning to facial and voice recognition, or other biometric identifiers, to authenticate users and grant access to their systems. In particular, some services (e.g. Mastercard Identity Check) allow users to authenticate themselves by simply showing their face in front of their phone's camera, or simply speaking into the phone. Unfortunately, it has been shown that such input can be easily forged in real time to defeat these authentication systems. This project introduces "Real Time Captcha (rtCaptcha)," a new, practical approach that places a formidable computation burden before adversaries by leveraging the proven security infrastructure of CAPTCHAs. In particular, rtCaptcha authenticates a user by taking a live video/audio recording of the user while the user also solves a CAPTCHA challenge question. This is in sharp contrast to simpler detection systems that only ask the user to blink, smile, or nod. Our user study showed that, thanks to the speed at which humans solve random CAPTCHA challenges, adversaries will have to appear and sound like the intended victim and solve the same challenge in less than 2 seconds in order to trick an authentication system. This is not possible for today's best machine-based or human attackers.
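A server-side sketch of the time-bound challenge check described above, added here as an illustration and not rtCaptcha's own code. The class and method names, the 6-character text challenge, and the use of the 2-second figure as the response deadline are assumptions; the face and voice match results are taken as inputs from separate verifiers.

```python
import hmac
import secrets
import time

RESPONSE_WINDOW_S = 2.0  # assumption: deadline set from the 2-second figure in the abstract
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no look-alike characters


class ChallengeVerifier:
    """Issues single-use challenges and accepts an answer only inside the time window."""

    def __init__(self, window_s=RESPONSE_WINDOW_S, clock=time.monotonic):
        self._window_s = window_s
        self._clock = clock  # monotonic, so wall-clock changes cannot stretch the window
        self._pending = {}   # challenge_id -> (expected_text, issued_at)

    def issue(self):
        """Return (challenge_id, text); a deployment would render text as a CAPTCHA image."""
        challenge_id = secrets.token_urlsafe(16)
        text = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[challenge_id] = (text, self._clock())
        return challenge_id, text

    def verify(self, challenge_id, spoken_text, face_ok, voice_ok):
        """Return (accepted, reason).

        spoken_text is the transcript of the recorded answer; face_ok and voice_ok
        are the results of external biometric matchers (assumed, not implemented here).
        """
        received_at = self._clock()
        # pop() makes each challenge single-use, so a recorded session cannot be replayed.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False, "unknown_or_reused_challenge"
        expected, issued_at = entry
        if received_at - issued_at > self._window_s:
            return False, "too_slow"
        normalized = "".join(spoken_text.split()).upper()
        if not hmac.compare_digest(normalized.encode(), expected.encode()):
            return False, "wrong_answer"
        if not (face_ok and voice_ok):
            return False, "biometric_mismatch"
        return True, "ok"
```

The deadline is measured on the server from issue to receipt, so network latency counts against the window and should be budgeted when choosing `window_s`.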