We are looking to run a cryptographic challenge as a required form field to slow down brute force (we cannot filter by source IP or any other common element).
Every time the client sends the form, a CPU-intensive challenge will have to be solved (taking no more than 2 seconds to solve would be acceptable for clients). CAPTCHAs are unfortunately not a valid option, as the challenge needs to be completely passive/automated.
Do you know of any kind of algorithm that would fit this use case? The challenge needs to be unique and should not be reusable, to make sure every single sent form will have to solve its own challenge.
Would asking the browser to brute-force a SHA+salt hash and send the original string to the server be an option? (I would give the client the length of the string with the payload.)
You are looking for a JS challenge like Cloudflare's JavaScript anti-bot challenges.
I personally experimented with that technique, as it looked like a good candidate for slowing down brute force attacks.
Remember that there are solutions like https://github.com/evyatarmeged/Humanoid to bypass challenges such as the Cloudflare JS challenge mentioned above.
One issue I ran into is that a decent challenge for a desktop PC is often a pretty hard challenge for a mobile device from 4 years ago. This means that what can be a 2-second challenge for a desktop PC can be a 10-second challenge for an old mobile device. For this reason we gave up on this solution.
Why ask them to solve a cryptographic challenge? Maybe serve a value and ask for that value back after 3 seconds to consider the form valid.
There are already solutions. In the project I mentioned above, we used AntiBot Cloud (https://antibot.cloud/en.html).
With a quick search I also came across: