Gotta CAPTCHA 'Em All: A Survey of Twenty years of the Human-or-Computer Dilemma

A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [100]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, etc. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes.