Evaluate CAPTCHA options

[lampholder]

The details of the new guest experience for Riot are on the project plan: element-hq/riot-meta#59

To make starting to use Riot as painless and as rewarding as possible, we want people to be able to experience full access after only having chosen their username.

This risks exposing the platform to abuse - to avoid this, we (reluctantly) want to deploy a CAPTCHA. The right CAPTCHA is a balance between accessibility, privacy, effectiveness, UX, reliability, aesthetics and price.

The scope of this task is to evaluate the CAPTCHA options and recommend the most appropriate technical solution.

I've reviewed some of the options already here: https://docs.google.com/spreadsheets/d/1wD_8TF_k3BYMGhN6YQtPvfC8gxVi0RNOx1fF24RJb20 (screenshot below)

The two frontrunners so far are:

• https://www.phpcaptcha.org/try-securimage/ (typical wiggly word CAPTCHA; includes audio support)
• https://visualcaptcha.net/ (picture-based CAPTCHA; includes audio support - more attractive but potentially easier to circumvent with effort)

[ara4n]

i'll close #2759 as a dup of this one

[ara4n]

phpcaptcha looks cosmetically rather terrible, but visualcaptcha looks promising?

[tessgadwa]

I would definitely vote for option matrix-org/matrix-spec-proposals#2, visualcaptcha.net. Typical wiggly word CAPTCHAs have been crackable for almost a decade; but image based CAPTCHAs are considered safer. http://gracelandtower.com/2014/05/10/is-captcha-obsolete/ Also, I agree -- it looks better.

[lampholder]

VisualCaptcha certainly looks a whole lot better, and you're right is probably less vulnerable to off-the-shelf CAPTCHA crackers. I'd like to see a much larger image set (though that is something we can supply ourselves).

[lampholder]

We could implement something along the lines of this (immediately after the user's having chosen their desired mxid):