Published on

Are You a Robot? - Five Ways to Challenge Suspicious Users

Imagine the scenario, you've sent a login off to LoginLlama which has told you it seems suspicious. What do you do next?

This post covers five different ways to challenge suspicious users.


For better or worse, CAPTCHAs are a common way to challenge suspicious users. You're probably familiar with the "Select all the squares with a traffic light" or "Click all the images with a bicycle" challenges. They're a simple way to check if a user is a human or a bot. But, not only are they frustrating for genuine users, they can also be bypassed. So whilst they're a good first line of defense, they're not foolproof.

Email Verification or Code

As a "second factor" of authentication, you can send a code to the customers email address. This is a good way to check that the user has access to the email address they've provided. And for the most part, this should be good enough proof that the customer is genuine. But, it creates a single point of failure. If the user has access to the email address, they can still be a bad actor.

SMS Verification

Similar to email verification, you can send a code to the customers phone number. Smartphone providers have also improved user experience for this flow, by automatically suggesting to input the code in the field on your website. But, it's less popular these days due to the rise of SIM swapping attacks.

Security Questions

Ah good old fashioned security questions. Before I explain what they are, can I ask what your mothers maiden name is please? Oh, and what was your first pets name? Security questions are a way to challenge a user by asking them to answer a question that only they should know. The theory is good. But unfortunately, people often inadvertently share the answers to these questions. Whether it be a picture of their beloved "Mittens" on Instagram, or a Facebook post about their mothers birthday. In recent years, they have fallen out of favour for these reasons. But, they can still be a good way to challenge a user, if the questions are well thought out and the answers are not easily guessable.

Cloudflare Turnstile

Cloudflare recently launched their new alternative to CAPTCHA - Turnstile. On first glance it sort of seems like black magic. They provide CAPTCHA like protection, without ever showing a challenge to the user. How does it work? Here is a quote from their documentation:

First, we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include, proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request and avoid ever showing a visual puzzle to a user.Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast.

In other words, they run a series of invisible "challenges" in the background to gather more information about the user. If they pass these challenges, they are allowed through. If they fail, they are shown a CAPTCHA.

This was an overview of five ways to challenge suspicious users. All have pros and cons. And none are foolproof. But, by using a combination of these methods, you can make your system much more secure and difficult for a bad actor to get through. It's similar to securing a house. An alarm does not prevent a break-in, but it makes it much more difficult for a burglar to get away with it. But an alarm, a deadbolt, and a large hungry german shepherd? That's a different story.