MTCaptcha FAQ

Does MTCaptcha supports Invisible Captcha ?

scatter2.png

Yes, MTCaptcha supports invisible captcha (NoCaptcha Captcha).

Research has shown that captcha increases friction, adding on average 10 seconds to online transactions and turn aways.  

Our captcha service uses Adaptive Complexity backed by an advanced risk algo to lower user frustration for real users and substantially lowers bounce rate.

MTCaptcha also supports completely Invisible Captcha (noCaptcha), resulting in zero friction to 95% of all real users and a first attempt pass rate of over 99.5% for humans. (statistics from blended customer usage).

We currently support 2 types of invisible captcha

  • LOW FRICTION INVISIBLE CAPTCHA
  • Where the captcha is completely invisible for most users and only shown when some level of risk is detected by MTCaptcha’s adaptive Risk Engine. This significantly lowers the friction for real users resulting in more successful transactions while making it hard on bots.  
  • The Adaptive Risk Engine continuously monitors the network environment and usage patterns to adjust sensitivity and risk scores.  
  • IP WHITE LIST INVISIBLE CAPTCHA
  • Where the captcha is completely invisible for users coming from internet IP addresses matching a defined IP white list.    

See Developers Guide - Invisible Captcha for more details on how to enable and configure this.


What is proof of work on MTCaptcha?

MTCaptcha supports ‘Adaptive Proof of Work’ as part of the build in captcha capability, so what does that mean?

Proof of Work is basically a ‘large effort of computation’, commonly used to deter high volume automated attacks. It helps even the playing field between attacker and defender where traditionally its substantially cheaper to attack than defend. With Proof of Work attacks are :

  • More Complicated and difficult to setup (need to run virtual browsers and complicated scripts)
  • More Expensive (require much more compute power and servers)
  • Significantly Slower, where MTCaptcha’s proof-of-work also includes proof-of-elapsed-time .

Adaptive Proof of Work

Of course having your browser pause for many seconds to execute a proof of work every time can be annoying, so just as we have risk based adaptive complexity for the captcha image, we also included adaptive complexity to our Proof of Work. This means for most real users the proof of work is completely undetectable taking less than 100 milliseconds, and only increases in difficulty and time-delay for specific networks or regions where the Adaptive Risk Engine perceives higher risk.

Best Protection Against

The proof of work is best for protecting against API level brute force or denial attacks, such as

  • Brute Force Password Attacks
  • Brute Force Key or ID Attacks

Note: Proof of Work is an application layer check, and can not protect against network layer denial of service attacks such has TCP SYN Flood or TCP Split Handshake attacks which will require network layer infrastructure to mitigate. If you have any questions or is uncertain the type of attack you are under feel free to contact us via our contact page.

Also see Wikipedia: Proof of Work


Does MTCaptcha works in China?

MTCaptcha-ChinaPerformance.png

Yes, MTCaptcha works in China.

Dedicated servers, routing and monitoring are in place to insure MTCaptcha captcha service is consistently delivered in mainland China at high speeds.


How do I run Automated Tests with MTCaptcha?

mtcaptcha-auto-test-screenshot.png

MTCaptcha supports automated browser UI/UX testing via tools like Selenium,  without having to disable the captcha plugin.  

There are two methods to enable automation test scripts to consistently solve the captcha:

Method 1:

  • Call javascript function mtcaptcha.enableTestMode with the TestKey, once the MTCaptcha plugin is loaded. eg:
  •   mtcaptcha.enableTestMode(“<TestKey>”);
  • Than enter the text string ‘1111111111’ into the captcha text form
  • (entering any other string eg ‘2222222222’ will result in verification failure)

Method 2:

  • Set the TestKey within MTCaptcha’s javascript initialization config object, before importing/loading the MTCaptcha plugin, eg
  • var mtcaptchaConfig = {“sitekey”:“<SiteKey>”,“enableTestMode” :“<TestKey>”};
  • Enter the text string ‘11111111’ into the captcha text form  
  • (entering any other string eg ‘22222222’ will result in verification failure)

The TestKey for each site can be found in the Admin Portal along with the SiteKey and PrivateKey. Usually with the prefix ‘MTPrivQA-’. This key should be kept secrete.

The captcha plugin will generate a Verified Token once solved via a TestKey, the same as if a user solved the captcha manually.

To check if a Verified Token is the result of using the TestKey, the decoded token information (JSON) will have the corresponding code (301) and codeDesc ‘valid-test:captcha-solved-via-testkey’.


{  "success": true,  "tokeninfo": {    "code": 301,    "codeDesc": "valid-test:captcha-solved-via-testkey",    ...  }}

See our Developers Guide for more information on MTCaptcha JavaScript APIs, and Token Codes

NOTE:

The purpose of this feature is to support automated unit tests for user interface and interactions. It is not intended to support long running load or performance tests. The captcha may temporarily block test server IP(s) if it is load tested for long periods of time.

REFERENCES

   Stack Overflow: How to call a JavaScript function from within Selenium

   Stack Overflow: Selenium : Call javascript function on page.


What is difference between Production and Development Domains?

MTCaptcha allows the account administrator to configure website domains for Production and Development separately. Since there is no limit to the number of development domains, can’t we just set everything as Development domain?

Well, the key difference is how MTCaptcha Risk Engine learns and profiles site behavior, as it adjusts captcha complexity and challenge strategies based on usage pattern. Development and QA Environments have very different usage patterns compared to Production, compounded with often repetitive and automated test traffic. This is especially important for risk sensitive features like Low Friction Invisible Captcha.  

To insure MTCaptcha can best profile and protect your site against bots and abuse while minimizing friction to real human users, it is important to correctly identify Production and Development domains in site settings.


Can I Customize the MTCaptcha look and feel with Custom Styles?

Yes, MTCaptcha supports full customization of style and color to match the look and feel of your website. This can be done via pre-defined themes as well as detailed style settings.

For specifics  on how to do this, please see the Code Builder, Custom Style tab.

mtcaptcha-custom-theme-examples
mtcaptcha-custom-css-styles-code-builder

What are the Width and Height dimensions of the MTCaptcha Widget?

The standard widget is partially responsive, and have the physical dimensions below to fit on forms and devices factors.

sample-01-sm.png
  • Maximum width: 350px         default)
  • Minimum  width: 270px
  • Default height: 185px (can become taller due to longer or customized messages)

The Modern Mini widget is by default responsive, and have the physical dimensions below to fit forms and different devices factors.

sample-mini-01-sm.png
  • Maximum width: 600px (can be set to fixed width)
  • Minimum  width: 270px
  • Default height: 45px (can be set to minimum of 42px and maximum of 55px)  


Can I customize the MTCaptcha text messages and localization languages?

Yes, MTCaptcha supports localization (internationalization) for different languages out of the box, as well as customization of specific messages. Both can be done using JavaScript via the initialization config object.

For specifics on how to do this, please see the Code Builder, Custom Language tab.

custom-language.png

Can you fallback to MTCaptcha from ReCaptcha?

Yes, you can use MTCaptcha as a fallback in situations where reCaptcha fails to load (eg sometimes in China, or for users behind corporate firewalls that require specific IP white listing ).  

Sample javascript fallback code can be found below on Github.  

 https://github.com/mtcaptcha-public/MTCaptcha-Javascript-Fallback-from-ReCaptcha

See Also

 To learn how to IP Whitelist MTCaptcha if needed for secure networks, see FAQ - Whitelist MTCaptcha Service For Firewalls


Can you decrypt and validate the MTCaptcha verified token directly without making external API calls?

Yes. The standard and easiest method of validating the MTCaptcha verified token is via the checktoken API, but you can decrypt and decode the token directly on server side without making any external API calls to mtcaptcha.com. You will need the site PrivateKey and the ability to calculate MD5 hash and decrypt via AES cipher.

Decrypt Token Server Side Sample Code (No API)

The sample java code to decrypt and decode the token can be found at the github project here :

   https://github.com/mtcaptcha-public/MTCaptcha-Direct-Token-Decryption

  and reference documentation here

Decode with API

The checktoken API example is as below, see Developers Guide for more details

 https://service.mtcaptcha.com/mtcv1/api/checktoken?privatekey=<privatekey>&token=<verifiedtoken-string>


How do you Whitelist MTCaptcha service for Firewalls?

For environments where websites/services have to be explicitly whitelisted in the firewall, the ports are 80 (HTTP) and 443 (HTTPS) and the full list of MTCaptcha Plugin & API service IPs are:

  • 52.214.217.96
  • 35.165.137.56
  • 13.228.176.242
  • 13.234.26.164
  • 18.228.103.117
  • 18.162.183.0
  • 47.52.173.54
  • 8.210.253.57
  • 8.217.100.38

MTCaptcha Javascript Plugin uses a redundant dual-domain dual-network design which allows it to be delivered via both high performance dynamic CDN edge nodes as well as the more manageable and persistent static edge nodes IP’ed above.


Browser Compatibility

The captcha plugin is tested and supports the following browsers:

DESKTOP BROWSERS

  • Chrome
  • Firefox
  • IE 9 and upwards,  Edge
  • Safari

MOBILE BROWSERS (IOS & ANDROID)

  • Safari
  • Chrome
  • Android native browser
  • Firefox
  • Opera

Browser requirements for MTCaptcha

MTCaptcha plugin requires javascript and cookies to be enabled on the browser.

The MTCaptcha cookies does not store any permanent or temporary identification of the browser, device or user. It is used only for managing captcha transaction and browser validation; Therefor GDPR and privacy policies related to cookie consent are not applicable and not needed.

To enable error messages for users without javascript, noscript tags can be added within the target div. eg:

<div class=’mtcaptcha’>
 <noscript> your no script message here </noscript>
</div>


What does the MTCaptcha FREE Trial mean?

MTCaptcha offers 30 day free trial to new accounts on registration for paid plans. During this trial period the account is completely free and can be cancelled any time without incurring any charges. If the account continues to be active after the 30 days trial period, charges will be incurred from then on invoiced on a monthly pro-rated basis and the total number of sites active. This means the first 30 days of any newly created account is always completely free.

Account can be cancelled via the Account settings within the MTCaptcha Admin Portal ( https://admin.mtcaptcha.com ).


Is there limit to the Volume of Captcha a Site can use ?

MTCaptcha plans have the following default usage quota limits:

 Free Plan:    10,000 captcha evaluation (transactions) per month

 Pro  Plan:    1 Million captcha evaluation (transactions) per month

 Business Plan:  2 Million captcha evaluation (transactions) per month

* For clients that require volume beyond the default quota, please contact sales@mtcaptcha.com for a custom plan.

* Only successful captcha transactions are counted, failed and attack/bot traffic are not counted towards the quota  

* For Pro, Business and Enterprise plans, MTCaptcha will NOT throttle or block usage even if the quota is exceeded to ensure service continuity under unexpected traffic spikes or special events.  


For websites that require or want to explicitly declare all cookies used, following is the standard MTCaptcha Cookies Declaration.

CookieCookie NamesPurpose
Bot Detection Security Cookie (MTCaptcha) mtv1Pulse mtv1ConfSum mtv1Pong mtv1*These cookies are used to secure the website from unwanted bots and automated scripts and help verify human users. These cookies collect browser and widget configuration. These cookies do not track individuals and does not collect or store personally identifiable information. See MTCaptcha's Captcha Plugin Privacy Policy


Does MTCaptcha create or use 'Third Party' Cookies?

No, MTCaptcha’s captcha widget does not create or use third party cookies. Any cookies created and used by the captcha widget are set within the sandbox of the widget iframe which preserves the privacy and security of the client website and end users.

This also means MTCaptcha will not be disrupted or blocked by third party cookie and ad blockers.          


How is the monthly Invoice fee Calculated?

Invoice is generated and charged against each account at the start of each calendar month for the previous month (after the fact).

The charges are calculated based on the plan selected for each site, pro-rated per day.

Example

If Account X had the following 2 sites and plans for January (which has 31 days)

  • Site 1,  Online-Games (games.example.com)     with Plan BASIC ($30 / month)    active from Jan 1st
  • Site 2, Pet-Grocery     (petfoods.exmaple.com) with Plan PRO    ($120 / month)   active from Jan 16th

The monthly charge for the account would be

      ($30) + ($120 x 16/31 ) = $91.94      (additional taxes may incur)


What are the supported Payment Methods?

For those using the paid for Pro, Business and Enterprise level service plans, MTCaptcha supports payments via Credit Card and Direct Deposit with Purchase Orders.

secure-card.png

The most common method is to store a credit card with the account using the MTCaptcha Admin system, this card will be deducted monthly based on usage for the previous month. The credit card information is fully secured and stored only within a dedicated PCI security compliant payment gateway system by PayPal.

direct-deposit.png

Invoicing via Purchase Order (PO) and bank to bank Direct Deposit is also supported for enterprise customers. This must be paid ahead of time with a minimum of 12 month service charge. Once paid, this will be stored within the account as prepaid credit that will be deducted monthly based on usage for the previous month. The prepaid credit system also gives our customer the flexibility to add and change service plans after payment. For more information on how to get a PO invoice and direct deposit details, please email support@mtcaptcha.com or submit an inquiry at our Contact Us page


GDPR Compliance

MTCaptcha service is privacy conscious and GDPR compliant.

Captcha Plugin

The MTCaptcha captcha plugin has clear privacy and usage terms out of the box. The service does not record or store any personal identifiable information, end user internet IPs addressed are obscured to 3 octets in all systems. All logs are stored with encryption at rest with monitoring and access audit trails. Our privacy policy also means we will never share or sell any of the usage logs or serve advertisement.

Admin Portal

The MTCaptcha Admin Portal used to manage captcha and site settings do record personal identifiable information of its users for the purpose of administration, security and auditing. These records are fully encrypted at rest and any access are strictly controlled and recorded. Access to the portal are also protected by 2 factor authentication. To request access/correction/erasure of these personal records on the Admin Portal in compliance with GDPR please submit inquiry to support@mtcaptcha.com. Please be prepared to provide proof of identity for such requests.

Also see overview of GDPR and Captcha


Accessibility and VPAT Compliance

MTCaptcha captcha plugin is WCAG 2.0 and 2.1  AAA compliant.

For full VPAT conformance report see MTCaptcha Captcha Plugin Accessibility Conformance Report (International Edition), which covers both United States Revised Section 508 and European EN 301 549.  

Play this video to see how users with screen readers experience MTCaptcha.

Level Triple-A conformance, W3C WAI Web Content Accessibility Guidelines 2.1

The widget supports assistive technologies and standards and is optimized for users with limits on vision, hearing and fine motor control. Capabilities include and are not limited to:

  • Support Screen Readers with clear labels, roles, instructions and state changes.
  • Support keyboard only operation, with keyboard shortcuts to provide quick navigation and control
  • High contrast, and supports end user custom font size or disabled CSS.
  • Image and Audio dual mode captcha
  • Supports Low Friction Invisible Captcha mode to ease effort for real humans

MTCaptcha constantly adds new languages to its audio captcha, with each audio language carefully tuned and balanced between distortion and articulation. The audio captcha currently supports the following non english languages:

  • Chinese (zh)
  • Danish (da)
  • Dutch (nl)
  • Finnish (fi)
  • French (fr)
  • German (de)
  • Italian (it)
  • Spanish (es)
  • Swedish (sv)

Please feel free to contact us to request additional audio languages.


Do I need to update My Websites Privacy Policy to use MTCaptcha

No. Though it is generally a good practice to update site terms and policies to reflect third party services used, the MTCaptcha plugin contain stand alone and clearly visible links to privacy and terms. The widget also does not store or record personal identifiable information or identifier via cookies and therefore does not require explicit user acceptance of these cookies.


Will MTCaptcha share or sell usage data with Third Parties or Server Advertisement?

No, MTCaptcha recognizes that any usage data is private to our customer and their site(s). We have explicit policies and standards in place to never share or sell this data, nor serve advertisement or targeted messages to the captcha users.

Data maybe shared with third parties in a strictly limited, anonymized and confidential manner for the sole purpose of delivering and improving the captcha service itself.  

For complete details see our Captcha Privacy Policy.


Content Security Policy (CSP) Headers with MTCaptcha

Following are two examples on how to enable MTCaptcha with Content Security Policy (CSP) HTTP Headers,

SIMPLE CSP HEADERS (LESS SECURE)

The simplest is to set the following headers though this provides weak security as it requires ‘unsafe-inline’

Content-Security-Policy: script-src 'self' 'unsafe-inline'  https://service.mtcaptcha.com https://service2.mtcaptcha.com;  
Content-Security-Policy: frame-src https://service.mtcaptcha.com https://service2.mtcaptcha.com;

SECURE CSP HEADERS

For a more secure CSP setting without using dynamic nonce or unsafe-inline:

1 ) Create a new file ‘mtcaptcha-integration.js’ and place the mtcaptcha initialization and import code in this. For complete mtcaptcha initialization and import settings please see MTCaptcha’s Code Builder and MTCaptcha’s Developer Guide.


   // This code should be placed in a file called mtcaptcha-integration.js
   var mtcaptchaConfig = {
     "sitekey": ""
    };
  (function(){var mt_service = document.createElement('script');mt_service.async = true;mt_service.src = 'https://service.mtcaptcha.com/mtcv1/client/mtcaptcha.min.js';(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(mt_service);
  var mt_service2 = document.createElement('script');mt_service2.async = true;mt_service2.src = 'https://service2.mtcaptcha.com/mtcv1/client/mtcaptcha2.min.js';(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(mt_service2);}) ();

2) Import the mtcaptcha-integration.js javascript on the webpage using the following script tag

                                           <script src="mtcaptcha-integration.js" ></script>

3) Add the following CSP headers

Content-Security-Policy: script-src 'self'  https://service.mtcaptcha.com https://service2.mtcaptcha.com;  
Content-Security-Policy: frame-src https://service.mtcaptcha.com https://service2.mtcaptcha.com;

What does ‘MT’ Stand for in MTCaptcha?

Some argue that it stands for ‘Master of Tech’, others believe it means ‘Mount Captcha’, while legend has it that it really means ‘More Than Captcha’.   Let us know which one you like best: