Stop Using CAPTCHA. Start Measuring Entropy.
Source: Dev.to
The Problem with CAPTCHAs
In late 2024 researchers at ETH Zurich published Breaking reCAPTCHAv2, showing that modern YOLO‑based vision models can solve Google’s image CAPTCHAs with 100 % accuracy. The “I am not a robot” checkbox has effectively become a welcome mat for bots.
According to the 2025 Imperva Bad Bot Report, automated traffic now accounts for 51 % of all internet activity, making human users the minority on their own network.
The current reaction—“Proof of Personhood” (scanning IDs or faces)—is a dystopian over‑correction. What we really need is a way to verify what a user is (biology) rather than who they are (identity).
Measuring Human Entropy
Human interaction is inherently noisy:
- Keystroke intervals are never perfectly regular.
- Users roll over keys, pause to think, and type common bigrams (e.g., “th”, “er”) faster.
These characteristics form a keystroke‑dynamics signature, a behavioral biometric that is extremely hard for bots to emulate without degrading performance.
isHumanCadence Library
isHumanCadence is a lightweight, privacy‑focused JavaScript library that analyzes the timing of keystrokes—not the content. It runs entirely in the browser, sends no data to a server, and only knows how you typed.
How It Works
The library measures four primary biological constraints:
| Metric | Description |
|---|---|
| Dwell Time | Duration a key is physically depressed. Humans rarely tap exactly 50 ms each time. |
| Flight Time | Interval between releasing one key and pressing the next. |
| Rollover Rate | Overlap where the next key is pressed before the previous one is released. Bots often type strictly sequentially. |
| Entropy | Statistical variance of the timing deltas. |
To avoid “flickering” (rapid score changes when a user pauses), a Schmitt Trigger with hysteresis is used:
- Human – score ≥ 0.70
- Unknown – 0.60 ≤ score < 0.70
- Bot – score < 0.60
```javascript
// Example usage – evaluate result
if (result.score >= 0.70) {
  console.log(`Score: ${result.score}`); // 0.0 (Bot) → 1.0 (Human)
  console.log(`Status: ${result.classification}`); // 'bot' | 'human' | 'unknown'
}

// Start listening for keystrokes
cadence.start();
console.log('isHumanCadence: Listening for keystrokes...');
```
The library attaches non‑intrusive listeners to the target element and uses performance.now() for sub‑millisecond precision.
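The four measurements in the table and the 0.70 / 0.60 thresholds, worked through on constructed key events. This is an added example, not code from isHumanCadence or the original post. The function names, the sample events, and the reading of hysteresis as "keep the previous label while the score sits between 0.60 and 0.70" are assumptions.

```javascript
// Added example: function names, sample data and latch behaviour are assumptions,
// not the isHumanCadence API or its scoring.
// Constructed events; t is milliseconds, as performance.now() would report.
const humanEvents = [
  { type: 'down', key: 't', t: 0 },
  { type: 'down', key: 'h', t: 70 }, // pressed while 't' is still held: rollover
  { type: 'up', key: 't', t: 95 },
  { type: 'up', key: 'h', t: 160 },
  { type: 'down', key: 'e', t: 290 },
  { type: 'up', key: 'e', t: 372 },
];
// Constructed scripted input: 50 ms dwell, 50 ms gap, strictly sequential.
const botEvents = ['a', 'b', 'c'].flatMap((key, i) => [
  { type: 'down', key, t: i * 100 },
  { type: 'up', key, t: i * 100 + 50 },
]);

function variance(xs) {
  if (xs.length === 0) return 0;
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  return xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length;
}

function timingMetrics(events) {
  const held = new Map(); // key -> keydown timestamp
  const dwell = [], flight = [];
  let lastUp = null, presses = 0, rollovers = 0;
  for (const e of events) {
    if (e.type === 'down') {
      if (held.has(e.key)) continue; // auto-repeat keydown, not a new press
      if (held.size > 0) rollovers++; // previous key not yet released
      else if (lastUp !== null) flight.push(e.t - lastUp);
      held.set(e.key, e.t);
      presses++;
    } else if (held.has(e.key)) {
      dwell.push(e.t - held.get(e.key));
      held.delete(e.key);
      lastUp = e.t;
    }
  }
  const rolloverRate = presses ? rollovers / presses : 0;
  return { dwell, flight, rolloverRate, timingVariance: variance([...dwell, ...flight]) };
}

// Latch on the article's 0.70 / 0.60 thresholds; between them keep the last label.
function classify(scores) {
  let state = 'unknown';
  return scores.map((s) => (state = s >= 0.70 ? 'human' : s < 0.60 ? 'bot' : state));
}
```

The scripted sample yields zero timing variance and zero rollover, while the human sample yields one rollover in three presses and a non-zero variance. The latch shows why a score drifting around 0.65 does not flip the label on every sample.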
Limitations and Future Directions
- Generative Keystrokes – Future AI agents could be trained on massive datasets of human typing patterns to deliberately “stumble,” mimicking entropy.
- Client‑Side Trust – Since the measurement occurs in the browser, a determined attacker could spoof the environment.
isHumanCadence is not a silver bullet; it’s a conversation starter for building filters that recognize humans by rhythm rather than passwords.
Conclusion
The web is drowning in AI‑generated noise. To preserve spaces for genuine human connection, we must shift from static identity checks to dynamic, behavioral biometrics that capture the messy, imperfect cadence of real users.
👉 GitHub: