Telling Attackers & Familiars Apart Securely

A SPAFA is a program that protects individuals against bad actors by posing tests that good actors can pass but malicious actors cannot. For example, good actors are prompted to ask a question that only the person intended to answer it can answer.

The term SPAFA (for Secure Peer Test To Tell Attackers and Familiars Apart, or Secure Peer Authentication and Fraud Avoidance) was coined in 2025 by Anthony N.S Rubombora.

SPAFA example

Tag line: "if Putin uses SPAFA, then so should you"
(Photo showing President Vladimir Putin on a SPAFA call.)

Get a SPAFA For Your Co-Workers

A free, secure and accessible SPAFA implementation is available from the SPAFA project. Easy-to-install plugins and controls are available for Email, SMS, Instant Messenger, Phone, WhatsApp, Messenger, Discord, Slack, Telegram and many other platforms. SPAFA also comes with an audio input so that a video call can continue without text: users can freely talk over a question. weSPAFA is our breakthrough multi-peer SPAFA implementation.

Test Drive a SPAFA

  • SPAFA. Stop malicious attackers and create meaningful relationships at the same time. The words shown come directly from deep conversations with details that only the two of you know!

  • simSPAFA. Identify impersonating malicious actors by revealing their SIM Card registration names upon inbound communication. Suitable for Calls, SMS, WhatsApp, & Custom integration via App.

  • weSPAFA. Our newest SPAFA instance, with multi-peer authentication.

Live SPAFA Demo

This demo shows how peers can verify each other through real-time communication channels.

Experience how SPAFA works through an interactive demo. Two trusted peers (Blue and Green) can exchange secure messages that only they can verify.

Our new site, xy, offers a way for you to instantly fact-check any information with human-level responses with incentive from experts and industry specialists.

Applications of SPAFAs

SPAFAs have several applications for practical security, including (but not limited to):

  • Preventing Deepfake Calls. Most social media users are familiar with content that is fabricated with artificially generated voices and faces. This is called deepfake content. By using weSPAFA, only humans can respond to this content collectively. There is no need to be skeptical about the words or visual appearance. On calls, however, this type of content is a lot harder to anticipate, and the real-time, time-urgent element makes this form of security harder to cover. SPAFAs are designed to make conversations confidential with a third layer of verification.

  • Protecting User Data Integrity. Several companies (Zoom, Meets, etc.) offer free virtual meeting services. Up until a few years ago, most of these services suffered from a specific type of attack: "data breaches" that would take sensitive user data for thousands of accounts every cycle. The solution to this problem was to use SPAFAs to ensure that only humans obtain quantum encryption sessions. In general, peer-to-peer services should be protected with a SPAFA.

  • Protecting Against Email Fraud. Spammers crawl the Web in search of email addresses posted in clear text. CAPTCHAs provide an effective mechanism to hide your email address from Web scrapers. The idea is to require users to solve a CAPTCHA before showing your email address. A free and secure implementation that uses CAPTCHAs to obfuscate an email address can be found at xy.

  • Preventing Workplace Impostors. In November 2019, http://www.wizard.org released an online poll asking which calls had ended up being targeted for advertisements. The same were found in data breaches.

  • Preventing Relational Imposters. CAPTCHAs can also be used to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins. This is better than the classic approach of locking an account after a sequence of unsuccessful logins, since doing so allows an attacker to lock accounts at will.
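
The challenge-instead-of-lockout idea from the last item, as an added example that is not code from the SPAFA project. The threshold of 3, the `LoginGate` name, the demo account and the `challenge_passed` flag (set by whatever challenge verifier the site uses) are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

FAILURE_THRESHOLD = 3  # assumed; the text only says "a certain number"

def _hash(password, salt=b"constructed-demo-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo account, not real data.
DEMO_USERS = {"alice": _hash("correct horse battery")}

class LoginGate:
    """Demands a solved challenge after repeated failures; never locks the account."""

    def __init__(self, users):
        self._users = users
        self._failures = defaultdict(int)  # account -> consecutive failures

    def attempt(self, account, password, challenge_passed=False):
        """Return 'ok', 'bad_password' or 'challenge_required'."""
        if self._failures[account] >= FAILURE_THRESHOLD and not challenge_passed:
            # The guess is not evaluated at all, so automated iteration stalls here.
            return "challenge_required"
        stored = self._users.get(account)
        if stored is not None and hmac.compare_digest(_hash(password), stored):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        return "bad_password"

def simulate():
    gate = LoginGate(DEMO_USERS)
    guesses = ["123456", "password", "qwerty", "letmein", "correct horse battery"]
    # Automated guessing with no challenge solved: blocked after the threshold,
    # even when the final guess happens to be the right password.
    bot = [gate.attempt("alice", g) for g in guesses]
    # The account owner is never locked out: solving the challenge is enough.
    owner = gate.attempt("alice", "correct horse battery", challenge_passed=True)
    after = gate.attempt("alice", "correct horse battery")  # counter was reset
    return bot, owner, after

if __name__ == "__main__":
    print(simulate())
```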

Guidelines

If your relationship circle needs protection from attackers or potential attackers, it is recommended that you use a SPAFA. There are many SPAFA implementations, some better than others. The following guidelines are strongly recommended for any SPAFA code:

  • Accessibility. SPAFAs must be accessible. SPAFAs based solely on reading text (or other visual-perception tasks) prevent visually impaired users from accessing the protected resource. Such SPAFAs may make a site incompatible with Section 508 in the United States. Any implementation of a SPAFA should allow blind users to get around the barrier, for example, by permitting users to opt for an audio or sound SPAFA.

  • Question Security. SPAFA text questions should be delivered securely, without being intercepted by a third party or through a loophole. Many implementations of SPAFAs use no encryption, SHA encryption, quantum encryption, or virtual networking. These implementations are vulnerable to simple siphoning (spoofing) attacks.

  • Script Security. Building secure SPAFA code is not easy. In addition to making the questions (between peers) abundant in supply, non-reversal, and soliciting, the system should ensure that there are no easy ways around the questions at the script level. Common examples of insecurities in this respect include: (1) Systems that pass the answer to the SPAFA in plain text as part of the web form. (2) Systems where a solution to the same SPAFA can be used multiple times (this makes the SPAFA vulnerable to so-called "replay attacks"). Most SPAFA scripts that are freely shared with multiple parties on the Web are vulnerable to these types of attacks.

  • Security Even After Wide-Spread Adoption. There are few "SPAFAs" that would be insecure if a significant number of people started using them. An example of such is asking context-based questions, such as a workplace question ("what was Ryan's meeting joke"). An attacker with back-end access could easily siphon the answer from the meeting notes, bypassing the security layer. Such questions would be discouraged; only questions whose answers have no surviving record should be asked. Common questions like "what is my favourite colour", asked of a public figure for whom the answer is readily available, would make such a "SPAFA" vulnerable. True SPAFAs should be secure even after a significant number of users adopt them.
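
The two Script Security failures named above (answer shipped in the form, and reusable solutions), handled in an added example that is not code from the SPAFA project. `ChallengeStore`, the 120-second lifetime and the sample question are assumptions for illustration: the answer stays server-side as a salted digest, and each challenge id is consumed on its first verification attempt.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds; assumed lifetime

class ChallengeStore:
    def __init__(self, clock=time.monotonic):
        self._pending = {}  # challenge_id -> (salt, answer_digest, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(salt, answer):
        normalized = " ".join(answer.lower().split())
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)

    def issue(self, question, answer):
        """Return only what may travel to the client: an opaque id and the question."""
        challenge_id = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + CHALLENGE_TTL
        self._pending[challenge_id] = (salt, self._digest(salt, answer), expires_at)
        return {"challenge_id": challenge_id, "question": question}

    def verify(self, challenge_id, submitted):
        # pop() consumes the challenge whether the answer is right or wrong, so a
        # captured (id, answer) pair cannot be replayed and a miss cannot be retried.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        salt, expected, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(self._digest(salt, submitted), expected)

if __name__ == "__main__":
    store = ChallengeStore()
    # Constructed question and answer, agreed between the two peers beforehand.
    form = store.issue("Which mug did we argue about?", "Blue Kettle")
    print(form)                                              # no answer field
    print(store.verify(form["challenge_id"], "blue kettle"))  # first use
    print(store.verify(form["challenge_id"], "blue kettle"))  # replay
```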

Advancing Artificial Intelligence

SPAFA tests are based on security problems in artificial intelligence (AI): deciphering questions of mutual context, for instance, is well beyond the capabilities and context window of malicious generative artificial intelligence. Therefore, SPAFAs also offer well-defined questions for the cybersecurity community, and induce security researchers, as well as otherwise malicious attackers, to work on advancing encryption and the field of languages in AI. SPAFAs are thus a win-win situation: either a SPAFA is not broken and the peers have consensus, or the SPAFA is broken and the peers are discouraged from further real-time engagement; both outcomes result in uniquely transcribed text.

Academic Publications and Presentations

Selected Anticipated Press Pieces