Humanity and identity
To begin with, remember that JCAPTCHA deals with humanity, not identity.
Humanity is a brand new notion, since common security systems only take identity assertion into account.
The identity of an actor is specified by a persistent identifier, known to both the target system and the actor.
Saying that an actor is identified means that:
- this actor has declared an identity, and
- the system has asserted that this actor is actually the owner of this unique identity
Examples of identifiers and their associated identity assertion providers:
- login: login/password checking
- email: sending a secret to the email address as a challenge
- credit card number: bank credit card validation service
- certificate: a trusted third party referred to as a certification authority (CA)
Most current online systems already deal with identity.
The humanity of an actor is not currently specified technologically, and there is no common way to handle it.
Saying that an actor is human means that
- the actor has proven some human-specific capabilities to the system
Those capabilities can be classified into two main categories:
- intelligence capabilities: see the history of the Turing test to understand what intelligence is and is not.
- sensorial capabilities: a "full featured human" is able to see images, to hear, to touch, etc.
Most automated humanity assertion systems check both kinds of capabilities.
Examples of human capabilities and their associated humanity assertion providers:
- a human can read a deformed text: gimpy captcha
- a human can answer written questions: Turing test
- a human can recognize a 3D environment in a 2D image: 3D captcha
Use cases for JCAPTCHA, a humanity assertion provider
Once you have a humanity assertion mechanism, also known as a weak authentication mechanism, you may use it to restrict access to services; this is authorization.
Access allowed only to humans
This is a standard way to protect online services that shall not be read by machines, for commercial or legal reasons.
- Commercial reasons
There are many web sites on the WWW that provide a free service to their anonymous customers.
Those sites may want to check whether you are a real customer, or only a replication bot that steals the service and uses it for its own profit (think of price comparison sites). See also this excellent anticipation trailer: http://www.broom.org/epic/.
- Legal reasons
This is the historical reason for JCAPTCHA to exist. Most public democratic state services should be anonymously accessible, but should be protected against automatic replication.
Access allowed only to humans under certain conditions
This is a weaker protection than the one mentioned above: the system checks that an actor is human only after it has performed specific actions.
Example: the system checks the humanity of a user only if it asks for the same page more than 2 times.
This kind of use of JCAPTCHA protects the system against proxy machines (that re-sell a service).
This is the most common use case, implemented for example by all major free mail providers.
They use a captcha (gimpy type) to prevent massive automated registration.
Protecting a user/password login is also a common use case: protecting a login form with a captcha limits the risk of a dictionary attack.
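The two authorization policies above (always challenge, or challenge only after the same page has been requested more than N times) can be expressed as one gate with a configurable threshold. The following is an added example written for this page, not JCAPTCHA's own code: the HumanityChallenge interface, the per-actor/per-page counter and the use of a session id as actor id are assumptions of the example, and the challenge check is a stand-in for a real captcha validation.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not JCAPTCHA code. A gate that asks for a humanity proof only
// once an actor has requested the same page more than `freeRequests` times.
// freeRequests = 0 gives the "access allowed only to humans" policy.
public class ConditionalHumanityGate {
    // Hypothetical abstraction over a captcha validator (e.g. image or text test).
    public interface HumanityChallenge {
        boolean answeredCorrectly(String actorId, String response);
    }

    private final int freeRequests;
    private final HumanityChallenge challenge;
    private final Map<String, Integer> hits = new HashMap<>();   // key: actorId|page
    private final Set<String> assertedHuman = new HashSet<>();   // actors that passed

    public ConditionalHumanityGate(int freeRequests, HumanityChallenge challenge) {
        this.freeRequests = freeRequests;
        this.challenge = challenge;
    }

    /** True when the actor must solve a challenge before receiving `page`. */
    public boolean requiresChallenge(String actorId, String page) {
        if (assertedHuman.contains(actorId)) return false;    // humanity already proven
        int count = hits.merge(actorId + "|" + page, 1, Integer::sum);
        return count > freeRequests;                          // e.g. the 3rd request when freeRequests = 2
    }

    /** Records the actor's answer; a correct one lifts the challenge for that actor. */
    public boolean submitAnswer(String actorId, String response) {
        if (!challenge.answeredCorrectly(actorId, response)) return false;
        assertedHuman.add(actorId);
        return true;
    }

    public static void main(String[] args) {
        // Stand-in validator: a real deployment would verify the captcha response here.
        HumanityChallenge demo = (actor, response) -> "human".equals(response);
        ConditionalHumanityGate gate = new ConditionalHumanityGate(2, demo);
        for (int i = 1; i <= 3; i++) {   // prints false, false, true
            System.out.println("request " + i + " challenged: " + gate.requiresChallenge("session-42", "/prices"));
        }
        gate.submitAnswer("session-42", "human");
        System.out.println("after proof: " + gate.requiresChallenge("session-42", "/prices")); // false
    }
}
```

In a web application the actor id would be the HTTP session id and the `hits` map would need expiry, otherwise it grows with every anonymous visitor.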