An interesting article from hCaptcha argues that all hardware-based and, more generally, "passive" tools are inherently insecure.
Regards
Why CAPTCHAs Will Be With Us Always
hCaptcha - May 13, 2021
What about hardware attestation?
Various methods of linking identity to a device in a cryptographically secure fashion, sometimes with privacy-preserving properties, have been proposed for decades.
Public key cryptography dates back to c. 1975, and hardware tokens have existed nearly as long.
Unfortunately, controlling a piece of hardware does not mean you are a person.
Virtually every popular consumer hardware attestation scheme has been repeatedly broken, patched, and then broken again.
Malicious abuse of these flaws is often discovered to have been occurring for months or years prior to disclosure or academic publication.
No matter how reliable your cryptographic scheme, if someone can at the end of the day simply spend money to give you the answer you are looking for, owning a piece of hardware is insufficient.
That said, cryptography is quite a young discipline.
Based on recent history, your cryptographic scheme and/or implementation is likely to be broken as soon as anyone has an incentive to look at it closely, and it is likely other people will figure this out long before you do.
Relying on hardware also means you may need to ask every single one of your users to change a physical device in order to patch the flaw.
This is unlikely to happen quickly in most cases, meaning in reality your system will simply fail open.
This is why defense in depth is important: hCaptcha uses multiple different approaches to answer the same fundamental question, allowing comparison for consistency across all evaluations.
What about passive or no-challenge solutions?
Services that attempt to do bot detection with purely passive signals rapidly run into a fundamental issue: how do you validate whether a system detects bad actors correctly when you don't have accurate ground truth?
The open internet is a very noisy environment.
Bad actors attack users of our service and competitors like reCAPTCHA every day, and are of course attempting to look as human as possible while doing so.
Purely passive services struggle to maintain bot detection accuracy, or even to know when they are inaccurate.
Without the ability to occasionally challenge users and correctly analyze the results of that challenge, accuracy tends to decline greatly over time.
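The two failure modes the quoted article describes, an attestation check that quietly fails open when its revocation data cannot be applied, and a single signal that is trusted without a second, independent answer to compare against, can be made concrete in a small verifier. The following is an added example written for this post; it is not hCaptcha's code and does not describe any real attestation scheme. The device identifiers, keys, and the "challenge" outcome are constructed, and an HMAC stands in for a device's hardware signature purely so the block runs with the standard library.

```python
"""Toy verifier combining a hardware-attestation check with an independent
challenge result (added example, not hCaptcha's code).  HMAC stands in for
the device signature; every key, device id and nonce below is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample: per-device attestation keys held by the manufacturer.
# dev-002 is later discovered to have had its key extracted.
DEVICE_KEYS = {
    "dev-001": b"constructed-secret-for-device-001",
    "dev-002": b"constructed-secret-for-device-002",
}


def _message(device_id, nonce):
    return json.dumps({"device": device_id, "nonce": nonce}, sort_keys=True).encode()


def sign_attestation(device_id, nonce):
    """What a (simulated) device returns when the server sends it a nonce."""
    tag = hmac.new(DEVICE_KEYS[device_id], _message(device_id, nonce), hashlib.sha256)
    return {"device": device_id, "nonce": nonce, "tag": tag.hexdigest()}


@dataclass
class AttestationVerifier:
    revoked: set = field(default_factory=set)   # device ids known compromised
    revocation_updated_at: float = 0.0          # when `revoked` was last refreshed
    max_staleness: float = 3600.0               # seconds before that data is distrusted
    fail_closed: bool = True                    # policy when revocation data is stale

    def verify(self, token, expected_nonce, now):
        """Return 'attested', 'revoked', 'invalid', or 'unknown'."""
        key = DEVICE_KEYS.get(token["device"])
        if key is None or token["nonce"] != expected_nonce:
            return "invalid"
        expected = hmac.new(key, _message(token["device"], token["nonce"]), hashlib.sha256)
        if not hmac.compare_digest(expected.hexdigest(), token["tag"]):
            return "invalid"
        if now - self.revocation_updated_at > self.max_staleness:
            # We cannot tell whether this device's key was extracted since the
            # last refresh.  Failing closed reports that honestly; failing open
            # keeps treating a valid signature as proof, which is the trap the
            # article describes: the flaw is known, but the check still passes.
            return "unknown" if self.fail_closed else "attested"
        if token["device"] in self.revoked:
            return "revoked"
        return "attested"


def decide(attestation_result, challenge_passed):
    """Defense in depth: two independent answers to the same question must agree.

    A valid hardware token paired with a failed challenge is exactly the case of
    someone who bought or farmed real devices: it is not a pass, it is a signal.
    """
    if attestation_result in ("revoked", "invalid"):
        return "deny"
    if attestation_result == "attested":
        return "allow" if challenge_passed else "inconsistent"
    # 'unknown': the attestation check could not answer, so only the
    # challenge counts, and the request is never waved through on hardware alone.
    return "allow" if challenge_passed else "deny"
```

Note that the fail-open variant only differs in one branch, which is why it is easy to ship by accident: every signature still verifies, so nothing in the cryptographic path reports a problem. The consistency check in `decide` is what catches the case the article calls out, a device that is genuinely attested but whose operator cannot pass a challenge.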