HUMAN Challenge

The HUMAN user-friendly and advanced Captcha solution

HUMAN Challenge is an alternative challenge to other CAPTCHA solutions, with enhanced capabilities to detect if a user is a bot or a human. It speeds up and streamlines the user's Captcha experience, protects against Captcha solvers, and collects data related to the solvers' actions. The nature of the challenge makes it difficult to solve through API calls, automation or Captcha farms.

HUMAN Challenge is a simple, no-hassle "press and hold" challenge

Why HUMAN Challenge

HUMAN Challenge provides insights and real-time data on the behavior of Captcha solvers. This data allows us to detect non-human CAPTCHA solvers and to provide a better user experience to real humans solving the challenge.

Other CAPTCHA solutions are often considered to be “black-box” (for example, Google reCaptcha’s iframe does not allow access to any events occurring inside it). With HUMAN Challenge we gain visibility to all the activities and events that occur on the Challenge page. HUMAN Challenge allows us to create honeypots, involve anti-solving techniques, and other features that have the ability to differentiate between humans and bots/CAPTCHA solvers.

Read more on CAPTCHA solvers

How do we identify if a challenge is being solved automatically by CAPTCHA solvers?

End-to-end visibility with Bot Defender: using Bot Defender capabilities, HUMAN Challenge detects automated tools, payload or token replays, including signatures collected by the ML algorithm that were classified as malicious. HUMAN Challenge uses Bot Defender's intelligence tools to scan the darknet/deep web to identify any CAPTCHA solving script/tool/service.
Using various honeypots such as fake CAPTCHA tokens, multiple iframes and fake events.
Tracking user interaction with the UI such as mouse, touch, and keyboard events.
Identifying injection of unwanted scripts, to detect if a script attempts to make use of the native methods provided by the DOM that are applied at the CAPTCHA environment.

How do we identify if a challenge is being solved by CAPTCHA solving services?

The HUMAN internal OSINT system is based on more than 800 different threat-intelligence databases and platforms. Our system harvests the data according to selected keywords and trends. For example, some Captcha solving services (e.g Death by Captcha), publicly release their updated scripts and our system scans these repositories. Every time the script is updated we get a notification and our team implements new detection (if needed) against that CAPTCHA solving service.
Multiple tokens are sent, of which only one is the real token.
We are able to detect and block callbacks that were made by headless browsers (e.g. selenium) from the CAPTCHA’s stack. Services such as “2captcha” are using this kind of mechanism.

These metrics are compared against dozens of customers from different industries and millions of solved challenges in the last three months. Ask for the product brief for more details!`

Deploy HUMAN Challenge

Prerequisites

Before you install the HUMAN Human Challenge on your site:

• Contact HUMAN on Slack, SFDC or at socsupport@humansecurity.com to request the Human Challenge.
• Make sure to let us know if you are using a custom Captcha flow (e.g using Captcha in a non-blocking page).
• It is recommended to use the First-Party Sensor integration. You can check this in the Console under Application -> Snippet

Testing

The following should be run on your stg environment

• Request for HUMAN to deploy Human Challenge on your stg application.
• Make sure to retain your user flow and desired page design.
• Optionally, test the available localization and customization options. Refer to the Customization and Configurations section section for more details.

In order to ensure that HUMAN Challenge was integrated correctly, it is recommended that the following test scenarios be executed on your stg environment. While the amount of test scenarios is small, there are some caveats to note in each one to ensure that it is indeed repeatable and possible to automate as well.

Test Scenarios

In each case mentioned below, the following scenarios should be tested:

Successful Attempt:

• Create a Challenge Bypass Token(this only needs to happen once and can be reused across multiple executions).
• To ensure the challenge is presented, add a User-Agent: HeadlessChrome header to the request.
• Render the page which has the challenge embedded (e.g. the built-in block page, a customized block page or a challenge rendered via Advanced Blocking Response (ABR).
• After the challenge is rendered, add an x-px-captcha-testing: header to the request with the bypass token generated in step (a).
• Solve the challenge by clicking / tapping on it until the bar is full and then release it.
• Observe that you can continue with the process the challenge was displayed for (e.g. login).

Failed Attempt:

• To ensure the challenge is presented, add a User-Agent: HeadlessChrome header to the request.
• Render the page which has the challenge embedded (e.g. the built-in block page, a customized block page or a challenge rendered via Advanced Blocking Response (ABR).
• Solve the challenge by clicking / tapping on it until the bar is full and then release it.
• Observe that you got another challenge.

We recommend that, at a minimum, the following setups be tested in this manner to ensure that the integration was done correctly:

• Web - browser based.
• Mobile - browser based.
• Mobile SDK - iOS (if relevant).
• Mobile SDK - Android (if relevant).

See the FAQ section below for further Q&A and Troubleshooting details.

Production

When you are satisfied with the results of your Testing, deploy HUMAN Challenge on Production.

• Request for HUMAN to deploy Human Challenge on your prod application.
• Make sure to retain your user flow and desired page design.
• If you are using custom localization or customization, make sure that it is included in your production environment.

Compatibility

HUMAN Human Challenge supports the following:

Web

• Chrome ≥67
• Safari ≥9
• FF ≥60
• IE ≥10
• Edge ≥15
• Android ≥5
• Opera ≥55 (including mini≥16)
• Yandex ≥16
• UC ≥9

Mobile

• ≥iPhone 5S
• ≥iPad 4
• ≥Nexus 5
• ≥Pixel 1
• ≥Galaxy S7
• ≥Galaxy Note 9
• ≥Xperia XA

On browsers that are not supported the user will get the message There seems to be a problem with your browser. Please upgrade to load HUMAN Human Challenge

When the user is experiencing a network problem, they will receive the message There seems to be a connection issue. Please make sure you're online and then refresh the page

When the Human Challenge is solved, but there is no internet connection, the callback window._pxOnOfflineCallback occurs.

Accessibility and Enhanced Accessibility Mode

The Human Challenge is available in a default version with accessible features as well as an "Enhanced Accessibility Mode" version. Both versions are ARIA compatible, and provide the following capabilities:

• Text coded into the images
• Proper prompting text ("press and hold")
• Enabled keyboard access to elements on the page

The “Enhanced Accessibility Mode” is designed to provide a better experience to individuals with disabilities. It is WCAG 2.2 certified and conforms with a VPAT 2.4 report. It is aimed to provide an inclusive accessible experience to a wider range of people with disabilities, including accommodations for blindness and low vision, deafness and hearing loss, limited movement, speech disabilities, photosensitivity, and combinations of these, and some accommodation for learning disabilities and cognitive limitations. The latest version includes customizable text-to-speech using ARIA elements.

Customization and Configuration

For further information about Human Challenge and context customizations and configurations see here.

FAQ

Who do I contact to get a detailed explanation on HUMAN Challenge?

You can contact your HUMAN CSE or SA, send us a Slack, or send us an email atsocsupport@humansecurity.com.

How do I customize HUMAN Challenge?

You can customize the Human Challenge and give it the same look and feel as your website. Within the Customizing_ you can customize the background color, text, font, animation, etc.

How do I localize the HUMAN Challenge?

We offer 27 language/locale options out-of-the-box. Additionally, you can add a locale not included in the Human Challenge package. In the Customizing_, simply add the localization code to the locale object and enter the translated text to the text line of the translation object.

Does HUMAN Challenge support accessibility?

Human Challenge is ARIA compatible by default, and provides text coded into images, proper prompting text, and keyboard access to elements on the page. Human Challenge is also available in enhanced accessibility mode. Please reach out to HUMAN CSE or SA, send us a Slack, or send us an email atsocsupport@humansecurity.com for further assistance.

Q&A and Troubleshooting

My development and testing process does not allow me to manipulate headers, how can I test this flow?
If you are unable to use the header manipulation flow mentioned above, we recommend you use the mobile verification flow and our VID extraction tool. Keep in mind that this flow can not be automated and is only applicable for manual testing.

I waited for the bar to fill, released the press and the challenge UI is now stuck, not continuing with the process or showing an animation endlessly. What is blocking it from moving forward?
In the case of ABR, you will need to override the window._pxOnCaptchaSuccess function and handle both the successful and failed results to trigger the correct step in your code.

I waited for the bar to fill, released the press and got another challenge to solve, what am I doing wrong?
Make sure that you added the Captcha Bypass Token before solving the challenge. This will ensure that our system ignores all detections and allows the challenge to be solved.

I managed to get the integration to work via web and browser, but the mobile integration keeps showing me challenges, what could be the cause?
In the case of the mobile SDK, the correct function to override in customized pages is _pxOnMobileCaptchaSuccess, as can be seen in the documentation here. Make sure that you properly implement this function and retest.

I keep getting challenges when testing through a mobile emulator as a part of my development process, how can I bypass this?
Some of our detections block emulator based solves. To make sure these pass successfully, x-px-captcha-testing header to the request.

While using Chrome’s DevTool emulator I am forced to solve the challenge repeatedly?
Unfortunately, Chrome’s DevTool emulator does not behave 100% like a mobile device and is not recommended for testing of HUMAN Challenge.

No matter what I do I pass the challenge, is it not working as expected?
Make sure that the User-Agent: HeadlessChrome header is a part of the request, and that the x-px-captcha-testing is not. If you solved the challenge in the last few minutes, be sure to clear your cookies and add a random string to the User-Agent header (e.g. User-Agent: HeadlessChrome-1) or wait 5-10 minutes for the challenge solve to expire.
If none of the answers above helps solve the issue you are experiencing, please contact us on our shared slack channel and our team will be happy to provide additional assistance.