Liveness Checks as a CAPTCHA Replacement
Heya,
I was recently talking to someone who works for a vendor that does liveness checks on human beings, and they made an interesting point I wanted to explore further.
It’s pretty common to use liveness checks in online systems that need to verify who a user actually is: a bank, a test-taking service, etc.
In these cases, you can match someone’s face to a government document and confirm they aren’t holding up a photo or playing a video recording. This satisfies legal requirements similar to KYC. It gives you high confidence in a person’s real-world identity.
But there’s a whole other use case that doesn’t get as much attention: liveness checks as a replacement for CAPTCHA tests to keep automated systems out. In case you aren’t familiar with the acronym, CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
The original purpose of CAPTCHA was to prevent automated abuse of systems by software. But LLMs driving browsers are pretty good at figuring out CAPTCHA, and have been for a couple of years.
Liveness checks tie an account to a real, living human being. But unlike the first set of use cases we covered, in this case you don’t necessarily care who that human being is. You may not even want to have the liability of knowing that human is, for instance, Dan Moore. You just want to make sure it is a human and prevent abuse.
An additional benefit is that you may care about identifying repeated interactions with that human. That’s a use case liveness checks can offer that CAPTCHA cannot.
For example, consider a company offering a promotional free tier tied to a limited number of uses. They’ll want to prevent users from closing an account after usage is exhausted, and then immediately opening a new one to abuse the promo tier repeatedly. This is termed “promo fishing.”
This company wants users to have pseudonymity so it can deny abusers access, but doesn’t want the true identity of each user. You can capture pseudonymity with biometric deduplication, a feature of some liveness detection systems. Knowing the actual identity would require handling PII with additional care, which many companies prefer to avoid, especially for trial accounts. Liveness checks used in this way don’t defeat click farms or other abusers who have multiple humans they can use for these checks, unfortunately.
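To make the deduplication idea concrete, here is an added example that is not from the post or from any vendor. It assumes the liveness vendor returns a stable, opaque subject identifier for a face it has seen before (the `subject_id` field and the `live` flag are assumptions about the vendor API), and shows how a service can keep only a keyed hash of that identifier to block repeat trial claims and ban abusers, without ever holding a name, email, or document.

```python
import hashlib
import hmac

# Constructed demo pepper; a real deployment loads this from a secrets manager
# so that a leaked pseudonym table cannot be matched against vendor identifiers.
PEPPER = b"constructed-demo-pepper"


def pseudonym(subject_id: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of the vendor's opaque subject identifier.

    Stable for the same person (so a repeat sign-up collides with the first),
    not reversible without the pepper, and carrying no name, email or document.
    """
    return hmac.new(pepper, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


class TrialRegistry:
    """Tracks which pseudonymous humans have already used the promo tier."""

    def __init__(self) -> None:
        self._claimed: set[str] = set()
        self._banned: set[str] = set()

    def claim_trial(self, liveness_result: dict) -> tuple[bool, str]:
        """Decide whether a trial may be granted from a liveness-check result.

        The shape of `liveness_result` is an assumption about the vendor API:
        {"live": bool, "subject_id": str}.
        """
        if not liveness_result.get("live"):
            return False, "liveness check failed"
        subject_id = liveness_result.get("subject_id")
        if not subject_id:
            return False, "no deduplication identifier returned"
        p = pseudonym(subject_id)
        if p in self._banned:
            return False, "banned"
        if p in self._claimed:
            # Closing the account does not clear this entry, so re-signup is denied.
            return False, "trial already claimed"
        self._claimed.add(p)
        return True, "trial granted"

    def ban(self, subject_id: str) -> None:
        """Deny future access to an abuser without learning who they are."""
        self._banned.add(pseudonym(subject_id))


if __name__ == "__main__":
    registry = TrialRegistry()
    # Constructed vendor responses: the same human, twice.
    print(registry.claim_trial({"live": True, "subject_id": "vendor-subject-A"}))
    print(registry.claim_trial({"live": True, "subject_id": "vendor-subject-A"}))
```

The registry stores nothing but peppered hashes, so a breach of it exposes no identity, and the same table doubles as the deny list for abusers. The caveat in the text still applies: each distinct human gets one entry, so a click farm with many faces is not stopped by this alone.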
There is a spectrum of identity assurance, with increasing levels of both certainty and friction.
Web request: Could be a human, a script, or a bot; we have no idea.
Humanness only (CAPTCHA): Not a bot, but could be a real user, an LLM, or a click farm employee.
Email verified (Email verification): A human or bot with a confirmed, reachable address. You are now in a chain of trust with the email provider.
Phone verified (SMS/OTP verification): A human with a confirmed, reachable number. You are now in a chain of trust with the telco system.
Pseudonymous humanness (Liveness check, no ID): A real, unique human. Could be a click farm employee.
Verified identity (Liveness and government document check): Who this person is. You’re now in a chain of trust with the government that issued the document.
CAPTCHA is near the top of the “just prove you’re human” list, just below an anonymous request. Full identity verification with government documents sits at the bottom.
Liveness checking without identity binding sits in the middle, along with the more common email and phone verification. It’s another way to try to understand who the user is, with a different set of user frustration and dollar tradeoffs.
Cheers,
Dan
PS Have you implemented liveness checks in any of your CIAM systems? I’d love to hear how it went.
