I left the page after about a minute of waiting on my phone. Making my users wait isn't a realistic solution, and bots have _far_ more CPU horsepower at their disposal than most smartphones, especially if they're operating from a botnet as many tend to do. Even if this did stop bots, it's also going to piss off real users, which is exactly what it appears to be designed to prevent.
If this is essentially a hashcash, what prevents them from swapping that out for a cryptominer after getting an established user base (if they aren’t already mining)?
On an Intel Celeron B820 @ 1.70GHz laptop, it took more than 40 seconds to complete and consumed 1% of battery in the meantime. The "complex equations" you are doing will not work on low-horsepower devices like phones or low-to-medium level laptops.
I question the assertion that this is expensive for spammers. The whole premise is that a spammer would not consider this worth the cost, and do something else with the computing power instead. Why? It completely depends on what the captcha is being used for.
Honestly, I think this is worse than ReCaptcha. At least with ReCaptcha I know I am helping someone somewhere label their data, possibly to be used for autonomous driving.
With this captcha I feel like I'm just wasting the world's energy on useless computations.
It's a hashcash:
https://wehatecaptchas.com/load.php?name=captcha-worker.js
Proof of work is trivially parallelizable, and 2^(5*4)=1048576 options are super easy to go through for spammers.
I'm not sure how well this will actually work against a determined attacker. The browser challenge takes less time and money to automate than the already existing captcha solving services that use actual humans to enter the captchas.
Although I'd certainly prefer something like this being the default approach over hostile measures like Recaptcha v3, which just outright deny a subset of your users access.
Gave up after a full minute of waiting on a 2014 low-end phone. I thought the idea was to be LESS annoying than Google. This is a valiant effort, but it will drive away poor people while only incrementally impacting efficiency rates for bots.
Other idea: Something like Proof-of-Elapsed-Time.
A click on the verify button requests a token from the server. The server performs the action if the token is old enough.
-> No battery drain; equal waiting times for all users.
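The token scheme suggested in the comment above, sketched as an added example that is not part of the original thread. The class name, the `MIN_AGE`/`MAX_AGE` values, and the use of an HMAC-signed timestamp plus a single-use nonce are assumptions about how a server could implement it.

```python
import hashlib
import hmac
import secrets
import time

MIN_AGE = 5.0    # assumed: seconds a client must wait before submitting
MAX_AGE = 300.0  # assumed: tokens older than this are rejected as stale


class ElapsedTimeGate:
    """Issues signed, timestamped tokens; accepts each once, after MIN_AGE."""

    def __init__(self, key=None, clock=time.time):
        self._key = key or secrets.token_bytes(32)  # server-side secret
        self._clock = clock                         # injectable for testing
        self._spent = {}                            # nonce -> issue time

    def _sign(self, payload: str) -> bytes:
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256)
        return mac.hexdigest().encode()

    def issue(self) -> str:
        # Called when the user clicks "verify"; nothing is stored server-side.
        payload = f"{self._clock():.3f}.{secrets.token_hex(16)}"
        return f"{payload}.{self._sign(payload).decode()}"

    def verify(self, token: str) -> str:
        # Returns "ok" or the reason the token was refused.
        payload, _, mac = token.rpartition(".")
        if not hmac.compare_digest(mac.encode(), self._sign(payload)):
            return "bad-signature"
        # The signature is valid, so the payload is one this server produced.
        issued_str, _, nonce = payload.rpartition(".")
        issued, now = float(issued_str), self._clock()
        if now - issued < MIN_AGE:
            return "too-early"   # the nonce is not burned; client may retry
        if now - issued > MAX_AGE:
            return "expired"
        # Forget nonces whose tokens have expired anyway, then check replay.
        self._spent = {n: t for n, t in self._spent.items()
                       if now - t <= MAX_AGE}
        if nonce in self._spent:
            return "replayed"
        self._spent[nonce] = issued
        return "ok"
```

The delay bounds latency per token, not throughput: a client can hold many tokens at once, so token issuance would still need rate limiting.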
It's hard to build this to have a good user experience on a multitude of devices. Having human challenges like ReCaptcha has its own weaknesses, but the world is like one big GAN when it comes to this approach.
I don’t like being used, I’m already doing you a service by jumping through these hoops. Being asked to train your neural network or provide other computing resources is a perfect way of losing me as a customer.
This is not a quick process, even for legitimate users. I am on a quite-capable computer, and it takes long enough that I am all but sure it will harm conversion rates.