FriendlyCaptcha / friendly-challenge

The widget and docs for the proof of work challenge used in Friendly Captcha. Protect your websites and online services from spam and abuse with Friendly Captcha, a privacy-first anti-bot solution.
https://friendlycaptcha.com
MIT License

Explain how it works #270

Closed php4fan closed 4 weeks ago

php4fan commented 1 month ago

I'm looking at the documentation at https://docs.friendlycaptcha.com/ and, before I try it out, I wanted to understand how it works.

The only explanation I found is - wait, now I can't even find it anymore - oh, here it is:

Friendly Captcha generates a unique crypto puzzle for each user’s device. As soon as the user starts to fill in a protected form, it will be solved automatically. Solving it will usually take a few seconds. By the time the user is ready to submit, the puzzle is probably already solved.

That explains nothing, that's just using the "crypto" buzzword to make it sound like magic.

How does solving a crypto puzzle help verify that the user is human? Why can't a bot solve the crypto puzzle the same way the user's browser does? What stops the piece of code that runs on the client side and solves the crypto puzzle from running in a bot's JavaScript engine?

merlinfuchs commented 4 weeks ago

Hi, thanks for reaching out!

You can find a technical explanation of how the puzzles work here: https://github.com/FriendlyCaptcha/friendly-pow

You are right that these puzzles alone don't stop bots but are a way to slow them down. To make it harder for bots, we scale the puzzle difficulty based on a number of risk signals that take many factors into account. This way users will usually be able to pass the puzzle in a few seconds, while bots will need a lot more time and resources.

php4fan commented 4 weeks ago

So basically all the puzzle does is make sure a certain amount of time has to pass. It has no role whatsoever in distinguishing humans from bots (because both will run JavaScript and eventually solve the puzzle). Other factors distinguish humans from bots and give easier (i.e. faster) puzzles to supposed humans, and harder (i.e. slower) puzzles to supposed bots. Am I correct?

So what one really wants to know, to decide whether the library is worth using, is how you distinguish bots from humans in the first place.