NetToolKit Shibboleth Beta

CAPTCHA service to identify bots

  • Delight your users, not the bots

    Innovative puzzles that are fun for your users, but are difficult for bots to solve

  • No more black box

    Review previous CAPTCHA challenges and attempts to determine whether the challenges are effective

  • Preserve user privacy

    Passing the CAPTCHA does not require user browsing history

Affordable: $10 for 100,000 requests (plus storage costs)

Sometimes you want to separate an “in” group from an “out” group... like maybe you only want human visitors to register and leave comments, and not software bots peddling shady medications. It’s not that you want to require users to know a secret passcode, you just want visitors to prove that they are human -- you want... a shibboleth (known in the industry as a CAPTCHA challenge).

CAPTCHAs of yore featured twisted text imposed on grids and dots. Second-generation CAPTCHAs made visitors digitize old newspaper clippings or build image recognition datasets for machine learning algorithms. The world has moved on, and those CAPTCHAs are just so yesteryear. The latest innovations in the world of CAPTCHAs generally involve exposing user actions on your websites, to be slurped up by technology firms.

NetToolKit has taken a different approach: offering a range of creative and fun puzzles. Users need not feel that they are laboring for the benefit of a faceless corporation, and software bots encounter a non-standard CAPTCHA. As the popularity of the service grows, the idea is to offer new types of CAPTCHA quickly enough that hackers find it uneconomical to write automated solutions.

Unlike other CAPTCHA providers, NetToolKit allows publishers to review challenges and users’ attempts. This review capability gives publishers insight into the effectiveness of the challenges and can help them identify issues. If a particular CAPTCHA type does not seem to be working (e.g. too hard for users), publishers can easily select a different one.

Website publishers can also customize CAPTCHAs for a better experience. For example, publishers can customize colors to match their site’s look and feel. Or, for the Split Image CAPTCHA, a movie-related site might use quotes from movies; likewise, a chess merchandiser might feature images of chess pieces.

In short, publishers and users can have better experiences, while bots are relegated to the “out” group.

Next-generation examples





Images of distorted text were popular online CAPTCHAs early on: they had the benefit of being difficult for computers to guess, easy for humans to solve, and easy to programmatically generate. As the text-based CAPTCHAs gained popularity, hackers developed more sophisticated character recognition software that could solve these CAPTCHAs. CAPTCHA writers responded by making the images more difficult to read (e.g. more distortions, adding lines to the background), and CAPTCHA-solving software further evolved. At some point, CAPTCHAs became distorted enough and CAPTCHA-solving software became sophisticated enough that text-based CAPTCHAs were easier for software to solve and harder for humans to solve. Along the way, people experimented with other ideas such as asking users to solve simple math expressions. It turned out that computers could solve those same math expressions pretty easily, while some humans had a more difficult time.

The next generation of CAPTCHAs involved harnessing user labor to accomplish some other goal. For example, the original reCAPTCHA (since acquired by Google) set out to digitize old newspapers. Google came out with a version that used user input to build a data set of human-labeled image tags. Some users have understandably been unhappy about being used for free labor. More recently, Google and other CAPTCHA providers have tried other mechanisms such as tracking mouse movements or information that might be associated with certain cookies. While these more sophisticated mechanisms can be less work for the user, they still rely on another CAPTCHA method to distinguish between users and bots (e.g. when a user opens a browser incognito).

CAPTCHA solvers have been evolving as well. Hackers have applied machine learning to help identify images. Going beyond that, an online search for “CAPTCHA” yields several listings for services that defeat CAPTCHAs, many of them employing humans (the irony!). At that point, CAPTCHAs have technically achieved their goals: separating human visitors from bots. However, the original intent of website owners remains defeated: aided by these services, bots can still leave spam comments.
