MTCaptcha FAQ 



Does MTCaptcha Support Invisible Captcha  


Yes, MTCaptcha supports invisible captcha (NoCaptcha Captcha).

Research has shown that captcha increases friction, adding on average 10 seconds to online transactions and turning users away.

Our captcha service uses Adaptive Complexity backed by an advanced risk algorithm to lower frustration for real users and substantially lower the bounce rate.

MTCaptcha also supports completely Invisible Captcha (noCaptcha), resulting in zero friction to 95% - 99% of all users (numbers from blended customer usage analytics).

We currently support 2 types of invisible captcha:

  • Low Friction Invisible Captcha

    Where the captcha is completely invisible for most users and only shown when some level of risk is detected by MTCaptcha’s adaptive Risk Engine. This significantly lowers the friction for real users resulting in more successful transactions while making it hard on bots.

    The Adaptive Risk Engine continuously monitors the network environment and usage patterns to adjust sensitivity and risk scores.

  • IP White List Invisible Captcha

    Where the captcha is completely invisible for users coming from internet IP addresses matching a defined IP white list.

See Developers Guide - Invisible Captcha for more details on how to enable and configure this.

What is Proof of Work on MTCaptcha

MTCaptcha supports ‘Adaptive Proof of Work’ as part of the built-in captcha capability, so what does that mean?

Proof of Work is basically a ‘large effort of computation’, commonly used to deter high-volume automated attacks. It helps even the playing field between attacker and defender, where traditionally it is substantially cheaper to attack than to defend. With Proof of Work, attacks are:

  • More Complicated and difficult to set up (need to run virtual browsers and complicated scripts)

  • More Expensive (require much more compute power and servers)

  • Significantly Slower, where MTCaptcha’s proof-of-work also includes a time-delay/time-lock aspect.

Adaptive Proof of Work

Of course, having your browser pause for seconds to execute a proof of work every time can be annoying, so just as we have risk-based adaptive complexity for the captcha image, we also added adaptive complexity to our Proof of Work. This means that for almost all real users the proof of work is completely undetectable, taking less than 100 milliseconds, and it escalates in difficulty and time-delay only for specific networks or regions where the Adaptive Risk Engine perceives higher risk.
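The cost asymmetry behind adaptive proof of work, as an added example that is not MTCaptcha's code or algorithm: a generic hashcash-style scheme in which the client searches for a nonce and the server checks it with one hash. The risk-to-difficulty mapping, the bit limits and the challenge string are assumptions, and the time-delay/time-lock aspect mentioned above is not modelled.

```javascript
// Added illustration: generic hashcash-style proof of work (SHA-256, leading
// zero bits). This is NOT MTCaptcha's algorithm, which the FAQ does not publish.
const { createHash } = require('node:crypto');

const MIN_BITS = 8;   // assumed floor: ~256 hashes, imperceptible to a real user
const MAX_BITS = 20;  // assumed ceiling: ~1M hashes for the riskiest clients

// Hypothetical policy: map a risk score in [0, 1] to a difficulty in bits.
// A missing or non-numeric score fails closed to the highest difficulty.
function difficultyForRisk(risk) {
  if (!Number.isFinite(risk)) return MAX_BITS;
  const clamped = Math.min(1, Math.max(0, risk));
  return MIN_BITS + Math.round(clamped * (MAX_BITS - MIN_BITS));
}

// Count the leading zero bits of a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts over 32 bits
  }
  return bits;
}

function digest(challenge, nonce) {
  return createHash('sha256').update(`${challenge}:${nonce}`).digest();
}

// Client side: brute-force search, about 2^bits hashes on average.
function solve(challenge, bits) {
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(digest(challenge, nonce)) >= bits) return nonce;
  }
}

// Server side: a single hash, whatever the difficulty.
function verify(challenge, nonce, bits) {
  return Number.isSafeInteger(nonce) && nonce >= 0 &&
    leadingZeroBits(digest(challenge, nonce)) >= bits;
}

// Constructed challenge; a real server would issue a random, single-use one.
const challenge = 'constructed-challenge-0001';
for (const risk of [0, 0.5]) {
  const bits = difficultyForRisk(risk);
  const nonce = solve(challenge, bits);
  console.log({ risk, bits, nonce, valid: verify(challenge, nonce, bits) });
}
```

Each extra bit of difficulty doubles the expected client work while the server's check stays at one hash, which is what makes high-volume guessing expensive without loading the defender.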

Best Protection Against

The proof of work is best for protecting against API level brute force or denial attacks, such as

  • Brute Force Password Attacks

  • Brute Force Key or ID Attacks

Note: Proof of Work is a logical-layer check and cannot protect against network-layer denial-of-service attacks such as TCP SYN Flood or TCP Split Handshake attacks, which require network-layer infrastructure to mitigate. If you have any questions or are uncertain about the type of attack you are under, feel free to reach out to us via our contact page.

Also see Wikipedia: Proof of Work

Does MTCaptcha Work in China


Yes, the captcha works in China.

Dedicated servers, routing and monitoring are in place to ensure the MTCaptcha captcha service is consistently delivered in mainland China at high speeds.

How do I run automated tests with MTCaptcha


MTCaptcha supports automated browser UI/UX testing via tools like Selenium, without having to disable the captcha plugin.

There are two methods to enable automation test scripts to consistently solve the captcha:

Method 1:

  • Call the JavaScript function mtcaptcha.enableTestMode with the TestKey once the MTCaptcha plugin is loaded, eg:

       mtcaptcha.enableTestMode("<TestKey>");
  • Then enter the text string ‘11111111’ into the captcha text form

    (entering any other string eg ‘22222222’ will result in verification failure)


Method 2:

  • Set the TestKey within MTCaptcha’s javascript initialization config object, before importing/loading the MTCaptcha plugin, eg

       var mtcaptchaConfig = {
             "sitekey":           "<SiteKey>",
             "enableTestMode" :   "<TestKey>"
       };
  • Enter the text string ‘11111111’ into the captcha text form

    (entering any other string eg ‘22222222’ will result in verification failure)


The TestKey for each site can be found in the Admin Portal along with the SiteKey and PrivateKey. It usually has the prefix ‘MTPrivQA-’. This key should be kept secret.

The captcha plugin will generate a Verified Token once solved via a TestKey, the same as if a user solved the captcha manually.

To check if a Verified Token is the result of using the TestKey, the decoded token information (JSON) will have the corresponding code (301) and codeDesc ‘valid-test:captcha-solved-via-testkey’.

 
{
  "success": true,
  "tokeninfo": {
    "code": 301,
    "codeDesc": "valid-test:captcha-solved-via-testkey",
    ...
  }
}

See our Developers Guide for more information on MTCaptcha JavaScript APIs, and Token Codes
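Because a token solved via the TestKey still decodes with "success": true, a production backend that checks only that field would accept it. One way to fail closed on such tokens, as an added example that is not MTCaptcha's own code: the field names and the 301 code are taken from the sample above and the checktoken URL from the token-validation section of this FAQ, while the function names, the allowTestKey flag, the reason strings and the sample input are assumptions.

```javascript
// Added illustration, not MTCaptcha's own code. Field names and the 301 code
// come from the sample tokeninfo in this FAQ; everything else is assumed.
const TESTKEY_CODE = 301;
const TESTKEY_DESC_PREFIX = 'valid-test:';

// checktoken URL as given in this FAQ. The PrivateKey travels in the query
// string, so keep the full URL out of access logs and error reports.
function checkTokenUrl(privateKey, token) {
  const query = new URLSearchParams({ privatekey: privateKey, token });
  return `https://service.mtcaptcha.com/mtcv1/api/checktoken?${query}`;
}

// Decide whether a decoded checktoken response may authorize the request.
// allowTestKey must only be true in a QA environment (hypothetical flag).
function evaluateTokenResponse(body, { allowTestKey = false } = {}) {
  let parsed;
  try {
    parsed = typeof body === 'string' ? JSON.parse(body) : body;
  } catch {
    return { accept: false, reason: 'unparseable-response' };
  }
  if (!parsed || parsed.success !== true) {
    return { accept: false, reason: 'not-successful' };
  }
  const info = parsed.tokeninfo;
  if (!info || !Number.isInteger(info.code)) {
    return { accept: false, reason: 'missing-tokeninfo' };
  }
  // Match on either field so a change to one of them still trips the check.
  const viaTestKey = info.code === TESTKEY_CODE ||
    String(info.codeDesc ?? '').startsWith(TESTKEY_DESC_PREFIX);
  if (viaTestKey && !allowTestKey) {
    return { accept: false, reason: 'testkey-token-rejected' };
  }
  return { accept: true, reason: viaTestKey ? 'testkey-allowed' : 'verified' };
}

// Constructed sample: the FAQ's test-key response with the elided fields dropped.
const testKeyResponse = JSON.stringify({
  success: true,
  tokeninfo: { code: 301, codeDesc: 'valid-test:captcha-solved-via-testkey' },
});
console.log(evaluateTokenResponse(testKeyResponse));
console.log(evaluateTokenResponse(testKeyResponse, { allowTestKey: true }));
```

Rejections with reason 'testkey-token-rejected' on a production host are worth alerting on, since they indicate that a TestKey is in use outside QA.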

NOTE:

The purpose of this feature is to support automated unit tests for user interface and interactions. It is not intended to support long-running load or performance tests. The captcha may temporarily block test server IP(s) if it is loaded for long periods of time.

REFERENCES

Stack Overflow: How to call a JavaScript function from within Selenium

Stack Overflow: Selenium : Call javascript function on page.

Can I customize the MTCaptcha Look and Feel with Custom Styles

Yes, MTCaptcha supports full customization of style and color to match the look and feel of your website. This can be done via pre-defined themes as well as detailed style settings, using the javascript initialization config object.

For specifics on how to do this, please see the Code Builder, Custom Style tab.

 

What are the width and height dimensions of the MTCaptcha Widget 

The widget is partially responsive and has the physical dimensions below, so that it fits on forms and device form factors.

  • Maximum width: 350px (default)

  • Minimum width: 265px

  • Default height: 185px (can become taller due to long or customized messages)

Can I customize the MTCaptcha message text and Localization languages

Yes, MTCaptcha supports localization (internationalization) for different languages out of the box, as well as customization of specific messages. Both can be done using JavaScript via the initialization config object.

For specifics on how to do this, please see the Code Builder, Custom Language tab.



Can you Fallback to MTCaptcha from reCaptcha

Yes, you can use MTCaptcha as a fallback in situations where reCaptcha fails to load (eg sometimes in China, or for users behind corporate firewalls that require specific IP white listing ).

Sample javascript fallback code can be found below on Github.

https://github.com/mtcaptcha-public/MTCaptcha-Javascript-Fallback-from-ReCaptcha

See Also

To learn how to IP Whitelist MTCaptcha if needed for secure networks, see FAQ - Whitelist MTCaptcha Service For Firewalls

Can you Decrypt and validate the MTCaptcha Verified Token directly without making external API calls

Yes. The standard and easiest method of validating the MTCaptcha verified token is via the checktoken API, but you can decrypt and decode the token directly on server side without making any external API calls to mtcaptcha.com. You will need the site PrivateKey and the ability to calculate MD5 hash and decrypt via AES cipher.

Decrypt Token Server Side Sample Code (No API)

The sample java code to decrypt and decode the token can be found at the github project here :

https://github.com/mtcaptcha-public/MTCaptcha-Direct-Token-Decryption

and reference documentation here

Decode with API

The checktoken API example is as below, see Developers Guide for more details

  https://service.mtcaptcha.com/mtcv1/api/checktoken?privatekey=<privatekey>&token=<verifiedtoken-string>

How Do You Whitelist MTCaptcha Service For Firewalls

For environments where websites/services have to be explicitly whitelisted in the firewall, the ports are 80 (HTTP) and 443 (HTTPS), and the full list of MTCaptcha Plugin & API service IPs is:

  • 52.214.217.96
  • 35.165.137.56
  • 13.228.176.242
  • 13.234.26.164
  • 18.228.103.117
  • 18.162.183.0
  • 47.52.173.54

The MTCaptcha JavaScript Plugin uses a redundant dual-domain, dual-network design, which allows it to be delivered via both high-performance dynamic CDN edge nodes and the more manageable and persistent static edge nodes with the IPs listed above.

Browser Compatibility

The captcha plugin is tested and supports the following browsers:

Desktop Browsers

  • Chrome

  • Firefox

  • IE 9 and upwards, Edge

  • Safari

Mobile Browsers (iOS & Android)

  • Safari

  • Chrome

  • Android native browser

  • Firefox

  • Opera

Browser Requirements for MTCaptcha

MTCaptcha plugin requires javascript and cookies to be enabled on the browser.

The MTCaptcha cookies do not store any permanent or temporary identification of the browser, device or user. They are used only for managing the captcha transaction and browser validation; therefore GDPR and privacy policies related to cookie consent are not applicable and not needed.

To enable error messages for users without javascript, noscript tags can be added within the target div. eg:

<div class='mtcaptcha'>
  <noscript> your no script message here </noscript>
</div>

What does The MTCaptcha Free Trial Mean

MTCaptcha offers a 30-day free trial to new accounts on registration for paid plans. During this trial period the account is completely free and can be cancelled at any time without incurring any charges. If the account continues to be active after the 30-day trial period, charges are incurred from then on, invoiced monthly on a pro-rated basis according to the total number of sites active. This means the first 30 days of any newly created account are always completely free.

Accounts can be cancelled via the Account settings within the MTCaptcha Admin Portal ( https://admin.mtcaptcha.com ).

How is the monthly invoice fee calculated

An invoice is generated and charged against each account at the start of each calendar month for the previous month (after the fact).

The charges are calculated based on the plan selected for each site, pro-rated per day.

Example

If Account X had the following 2 sites and plans for January (which has 31 days)

  • Site 1, Online-Games (games.example.com) with Plan BASIC ($30 / month) active from Jan 1st

  • Site 2, Pet-Grocery (petfoods.example.com) with Plan PRO ($120 / month) active from Jan 16th

The monthly charge for the account would be

($30) + ($120 x 16/31) = $91.94 (additional taxes may apply)

GDPR Compliance

MTCaptcha service is privacy conscious and GDPR compliant.

Captcha Plugin

The MTCaptcha captcha plugin has clear privacy and usage terms out of the box. The service does not record or store any personally identifiable information; end-user internet IP addresses are obscured to 3 octets in all systems. All logs are stored with encryption at rest, with monitoring and access audit trails. Our privacy policy also means we will never share or sell any of the usage logs or serve advertisements.

Admin Portal

The MTCaptcha Admin Portal, used to manage captcha and site settings, does record personally identifiable information of its users for the purpose of administration, security and auditing. These records are fully encrypted at rest, and any access is strictly controlled and recorded. Access to the portal is also protected by 2-factor authentication. To request access/correction/erasure of these personal records on the Admin Portal in compliance with GDPR, please submit an inquiry to support@mtcaptcha.com. Please be prepared to provide proof of identity for such requests.

Also see overview of GDPR and Captcha

Accessibility and VPAT Compliance

MTCaptcha captcha plugin is WCAG 2.0 and 2.1 AAA compliant.

For full VPAT conformance report see MTCaptcha Captcha Plugin Accessibility Conformance Report (International Edition), which covers both United States Revised Section 508 and European EN 301 549.

Play this video to see how users with screen readers experience MTCaptcha.

 

The widget supports assistive technologies and standards and is optimized for users with limits on vision, hearing and fine motor control. Capabilities include, but are not limited to:

  • Support Screen Readers with clear labels, roles, instructions and state changes.

  • Support keyboard only operation, with keyboard shortcuts to provide quick navigation and control

  • High contrast, and supports end user custom font size or disabled CSS.

  • Image and Audio dual mode captcha

  • Supports Low Friction Invisible Captcha mode to ease effort for real humans



Do I need to Update my Websites privacy policy to use MTCaptcha

No. Though it is generally good practice to update site terms and policies to reflect third-party services used, the MTCaptcha plugin contains stand-alone and clearly visible links to privacy and terms. The widget also does not store or record personally identifiable information or identifiers via cookies and therefore does not require explicit user acceptance of these cookies.

Will MTCaptcha share or sell usage data with third parties or serve advertisement

No, MTCaptcha recognizes that any usage data is private to our customers and their site(s). We have explicit policies and standards in place to never share or sell this data, nor serve advertisements or targeted messages to the captcha plugin users.

Data may be shared with third parties in a strictly limited, anonymized and confidential manner for the sole purpose of delivering and improving the captcha service itself.

For complete details see our Captcha Privacy Policy.

What Does ‘MT’ stand for in MTCaptcha

Some argue that it stands for ‘Master of Tech’, others believe it means ‘Mount Captcha’, while legend has it that it really means ‘More Than Captcha’. Let us know which one you like best: