Creative CAPTCHA puzzles can help promote web accessibility—and security

Tech Brew Frank Teruel

Adobe, OpenAI, and Microsoft are among companies that use Arkose Labs’s technology.

It’s a scenario familiar to internet users: You’re trying to log into a website, and you’re hit with a security challenge. Type this string of wavy letters and numbers. Pick the photos that depict traffic lights. Slide the puzzle piece from point A to point B.

These CAPTCHA challenges, short for “Completely Automated Public Turing test to tell Computers and Humans Apart,” are foundational to making sure that bots don’t take over human-operated accounts and bombard internet systems with spam activity.

While they serve an important function, they can also be annoying: It’s widely recognized that the puzzles are becoming harder to solve. The frustration compounds for users with visual impairments, which can render image- and text-based puzzles nearly impossible to solve.

Tech Brew recently spoke with Arkose Labs CFO Frank Teruel about how the software company is trying to solve both issues at once, maximizing security with a variety of CAPTCHA puzzles that are hard for bots but easy for humans of all skill levels. This conversation has been lightly edited for length and clarity.

Let’s start by talking about the purpose of the CAPTCHA challenges we encounter in everyday web browsing. What do you hope to accomplish with them?

Arkose is in the business of providing consumers security and safety as they transact the digital economy. We do that by eliminating and stopping malicious bots from either opening accounts, or taking over accounts.

You might sign up for a new website, a new application, or you come back to log into your account. Whether that’s banking, Roblox, OpenAI, or a Microsoft account, we…cater to very large global enterprises. [Expedia and Airbnb are also clients].

Ultimately, online, there’s two questions we have to answer: Is Frank really Frank? And is Frank behaving normally in the context of this transaction?

I understand how it could be frustrating or confusing if you don’t have the capability to answer some of the CAPTCHA prompts at all. Could you tell me more about where the accessibility piece comes into solving some of these challenges?

The tension we all face online is user experience versus security. I can crank up the dial so far that no one can get in. But that doesn’t work out.

We try to make the cost of intrusion extremely expensive for bots. So we try to design challenges and mitigants where a computer can’t figure them out easily, and it requires more computing time, more code. And even with generative AI, that requires a larger amount of GPU and CPU processing, which makes it expensive…We’re proud to be WCAG 2.2 AA compliant…We have artists and musicians that work for us [and] design those challenges. So if you’re using any kind of screen reader or Braille display, or any kind of device to assist you, we’ve designed those challenges to be easily interpreted by those technologies…No matter who you are, whether you have full ability for access, whether you have some introductory or intermediary technology for access, ultimately, we want to ensure that people [can] live that balance of security versus user experience.

Can you walk me through what the accessibility standards require you to do versus how maybe you meet those standards and go above and beyond?

The accessibility ensures that whoever’s on the back end of that challenge, if they’re a legitimate customer, can navigate through that challenge in a way that’s not frustrating and that they can do it in a way that still protects account security.

You don’t want to create a situation where someone who doesn’t have the same accessibility…isn’t compromised as they transact in the digital economy because they haven’t got the tools for access.

You mentioned that Arkose is WCAG 2.2 compliant, the industry standard for ensuring web content is accessible to users with disabilities, including visual, auditory, physical, and speech disabilities. How do you build accessibility into the design of CAPTCHA challenges? Are we mostly talking about visual accessibility—for people who have limited eyesight?

Whereas in most of these kinds of challenges, it’s just, like, “Hey, find the traffic light,” or “find the bicycle,” we require interaction with the images…Those interactions can be done through audible technologies, as well as screen readers. So that’s what makes it really much more accessible for people that are under the WCAG category.

There’s also audio components to it, where you have a speaker speaking with no background noise and clearly, versus [other clips with] all this mishmash. We’re simply saying, “Hey, which one’s the only one with one person speaking?” Or…“which one has drums in it?” So it creates this really interesting opportunity for people to have that same security and same kind of experience and protection and accessibility without having to jump through hoops.

What’s next on the horizon for CAPTCHA technology?

We’re all grappling with generative AI. What does it mean? What happens when machines train machines to come after your business, versus the old days where software engineers had to write code and stick it into the bots, and then the bots could take it and run with it…The adversaries are always on the bleeding edge of adopting technology, because they use that technology…to get around security protocols. We have to be in a situation where we’re constantly innovating, so even though it costs money for these things to learn the puzzles, [and] it’s more rigorous than other solutions, machines eventually get smart enough to train machines…

It’s staying ahead of the machines by not allowing the machines to train machines to attack you by constantly changing, not allowing a predictive nature to it…It really is understanding how the adversary is changing and then leapfrogging them.
