A few years ago I was given a technical deep dive into Akamai’s bot detection systems. One area they were quite focused on was bots impersonating mobile devices, and in particular mobile apps. It’s commonplace for attackers to try to mimic the behavior of mobile apps because it often provides more direct access to the data they’re looking for than trying to scrape websites.
To counter this threat Akamai developed a library for their customers to incorporate into their apps. This library collects a bunch of haptic data from the mobile device, such as the tilt sensors, accelerometers, finger taps/swipes on the screen, and other available data. It then encrypts it and sends it along to Akamai along with the data the app sends. Akamai then analyzes that haptic data and uses it as part of their bot detection analysis.
It is VERY difficult for a computer to mimic the truly random way a mobile device moves in space, or the way your fingers tap/swipe on a screen. If you were asked to draw a straight line from the upper left corner to the bottom right corner of your smartphone, not only would it not be perfectly straight but it would be quite fluid in its randomness. Writing a computer program to simulate that would be very tough. You’re far more likely to get lots of short straight lines with jagged angles than something that looks like a human drew it. And computer algorithms can quickly analyze this sort of data and return a confidence score indicating if it appears to have been created artificially or not.
So my guess is that when that QR code is scanned it will launch a Google app that will collect some similar haptic data and send it off to Google along with a unique id for that captcha. Google will then quickly analyze that haptic data to determine if you’re a bot or not.
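To make the "confidence score" idea from the comment above concrete, here is an added, self-contained example (my own illustration, not Akamai's or Google's code, and not part of the original thread). It scores a sequence of touch samples on three signals the comment hints at: how much of the path is perfectly straight, how many sharp corners it has, and whether the sample clock is suspiciously regular. The two input trajectories are constructed in the script (a polyline with an even 16 ms clock versus a smoothly wobbling, jittered diagonal); they are stand-ins, not real sensor data, and the weights and thresholds are assumptions chosen for this toy data rather than anything a real detection system uses.

```python
"""Score a touch trajectory for signs of scripted (non-human) input.

Added illustration for the discussion above. The feature thresholds and
weights are assumptions for this toy data, not a production model.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List

# Assumed thresholds (radians / ratio) for the toy features below.
STRAIGHT_RAD = 0.005   # |heading change| below this counts as "perfectly straight"
SHARP_RAD = 0.6        # |heading change| above this (~34 degrees) counts as a corner
REGULAR_CV = 0.05      # inter-sample timing this regular looks like a scripted clock


@dataclass(frozen=True)
class TouchSample:
    t: float  # seconds since touch-down
    x: float  # pixels
    y: float  # pixels


def turning_angles(samples: List[TouchSample]) -> List[float]:
    """Signed heading change (radians) at each interior point of the path."""
    angles = []
    for a, b, c in zip(samples, samples[1:], samples[2:]):
        h1 = math.atan2(b.y - a.y, b.x - a.x)
        h2 = math.atan2(c.y - b.y, c.x - b.x)
        d = (h2 - h1 + math.pi) % (2 * math.pi) - math.pi  # wrap into (-pi, pi]
        angles.append(d)
    return angles


def interval_cv(samples: List[TouchSample]) -> float:
    """Coefficient of variation of the time between samples (0 = perfectly regular)."""
    dts = [b.t - a.t for a, b in zip(samples, samples[1:])]
    mean = sum(dts) / len(dts)
    var = sum((d - mean) ** 2 for d in dts) / len(dts)
    return math.sqrt(var) / mean if mean > 0 else 0.0


def trajectory_features(samples: List[TouchSample]) -> Dict[str, float]:
    angles = turning_angles(samples)
    n = len(angles)
    return {
        "straight_fraction": sum(1 for a in angles if abs(a) < STRAIGHT_RAD) / n,
        "sharp_fraction": sum(1 for a in angles if abs(a) > SHARP_RAD) / n,
        "interval_cv": interval_cv(samples),
    }


def synthetic_score(samples: List[TouchSample]) -> float:
    """0.0 = looks hand-drawn, 1.0 = looks scripted (assumed weights)."""
    f = trajectory_features(samples)
    score = 0.5 * f["straight_fraction"]
    score += 0.3 * min(1.0, 10 * f["sharp_fraction"])
    score += 0.2 if f["interval_cv"] < REGULAR_CV else 0.0
    return score


def constructed_scripted_swipe() -> List[TouchSample]:
    """Constructed: a 'diagonal' drawn as four straight legs with linearly
    interpolated points and a perfectly regular 16 ms sample clock."""
    waypoints = [(0, 0), (400, 300), (500, 900), (1000, 1200), (1080, 1920)]
    pts = []
    for (x0, y0), (x1, y1) in zip(waypoints, waypoints[1:]):
        for k in range(15):
            f = k / 15
            pts.append((x0 + (x1 - x0) * f, y0 + (y1 - y0) * f))
    pts.append(waypoints[-1])
    return [TouchSample(i * 0.016, x, y) for i, (x, y) in enumerate(pts)]


def constructed_human_like_swipe(seed: int = 42) -> List[TouchSample]:
    """Constructed stand-in for a finger-drawn diagonal: a smooth wobble plus
    small seeded jitter on position and on the sample clock (not real data)."""
    rng = random.Random(seed)
    samples, t, n = [], 0.0, 60
    for i in range(n):
        s = i / (n - 1)
        x = 1080 * s + 30 * math.sin(2 * math.pi * 1.5 * s) + rng.uniform(-3, 3)
        y = 1920 * s + 40 * math.sin(2 * math.pi * 0.8 * s + 1) + rng.uniform(-3, 3)
        samples.append(TouchSample(t, x, y))
        t += rng.uniform(0.010, 0.024)
    return samples


if __name__ == "__main__":
    for label, traj in (("scripted", constructed_scripted_swipe()),
                        ("human-like", constructed_human_like_swipe())):
        print(label, trajectory_features(traj), round(synthetic_score(traj), 3))
```

The scripted path scores high because almost every interior point has zero heading change, the few changes it does have are abrupt, and its clock never varies; the jittered path scores near zero on all three. Real systems fuse many more signals (accelerometer and gyroscope streams, pressure, velocity profiles) and learn the weights from data, but the shape of the check is the same: measure how the input deviates from the noisy, continuous way a hand actually moves.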
Ohh, I’ve never thought about phone authentication being superior due to the amount of sensors it has. Thanks for explaining, it makes a lot of sense (and I hate it).