Proving you're human with a wave, not a password.

A gesture-based authentication system that replaces frustrating CAPTCHAs and 2FA with simple hand gestures — AI-driven, password-less security that feels human.

My Role: UX Research, Design & AI Model
Course: UX & AI · NYU
Scope: Research → Working Model
Tools: ML5.js · Figma
Gesture demo

  • Gesture 01: ✌️ Peace
  • Gesture 02: 👍 Thumbs Up
  • Gesture 03: Open Palm
  • Gesture 04: 👌 OK Sign

The 30-second version

The Problem

Passwords, CAPTCHAs, and 2FA make logging in exhausting — security that frustrates the people it protects.

The Gap

Every fix adds friction or fragility. Nothing proves you're human in a way that's fast, private, and human.

The Solution

GestureCAPTCHA: verify identity with intuitive hand gestures, recognized locally by on-device AI.

The Impact

A working ML model + a flow designed around five real user mental models of trust and consent.

01 — The Problem

If security is meant to make us feel safe, why does it make us feel so frustrated?

We verify our identity constantly — work accounts, university portals, even recipe sites. Each time we hit the same gatekeepers: passwords, CAPTCHAs, and Two-Factor Authentication. Whether it's hunting for your phone to enter a six-digit code or squinting at a CAPTCHA that can't decide if there's a motorcycle in the image, the process feels exhausting. Security has become a chore we resent.

90% of users get frustrated by the elaborate, time-consuming process of logging into a simple website.

70% of CAPTCHA attempts need a second try — and many users just close the browser and give up.

1 phone: lost or dead, and your entire digital life is locked — banking, social, even laundry machines.

02 — Research

I studied not just what failed, but how it made people feel.

I combined user interviews, sentiment analysis of Reddit forums, and observation studies during real login sessions. Affinity mapping the frustration surfaced five emerging themes — and one central tension.

🔁
Over-friction

Repeated codes, frequent logouts, and "remember me" that never does turn logins into a constant chore.

📱
Device fragility

A lost or dead phone locks people out of everything — 2FA ties identity to a single fragile object.

🤖
CAPTCHA distrust

Seen as outdated and ineffective — and AI is making them harder for humans and easier for bots.

The core tension: convenience vs. security. Users want strong protection but hate friction — especially when it feels irrelevant.

"AI's role becomes one of contextual intelligence — learning when to trust, while humans stay in charge of final consent."
Insight from my Cognitive Offloading Map

03 — The Gap

Every existing fix traded one frustration for another.

CAPTCHAs are obsolete and infuriating. SMS 2FA is fragile and slow. App-based 2FA adds steps. None of them prove "I'm human" in a way that's fast, private, and actually pleasant. That was the opening.

What existed

  • CAPTCHAs that fail and feel irrelevant
  • 2FA tied to a fragile, losable phone
  • Extra apps and tab-switching to approve
  • Six-digit codes entered over and over
  • Security that erodes the trust it needs

The opportunity

  • Prove humanity with something bots can't fake
  • Keep verification on-device and private
  • Use gestures Gen Z already does naturally
  • Make the moment fast, playful, and clear
  • Let the user start and consent to the check

04 — Ideation

Three AI directions. I pressure-tested each against real friction.

📳

Haptic Signature

Mimic a personalized vibration pattern like a rhythm game — a tactile password.

Cut: needs supported hardware; hard to recall

📍

Adaptive Context

Auto-login from trusted locations, network patterns, and behavioral biometrics.

Cut: passive, opaque — fails the consent test

✌️

Gesture Check (Chosen)

Verify with intuitive hand gestures recognized by on-device computer vision.

Won: human, playful, bot-resistant, private

05 — The Solution

GestureCAPTCHA: a wave to prove you're real.

Why gestures? Gen Z communicates with them constantly — peace sign, thumbs up. They're playful and familiar, yet bots can't perform human gestures convincingly. So they solve the security problem and the frustration problem at once. The user performs a short sequence; on-device AI verifies it locally and never stores the image.
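
How the "short sequence" check described above could be evaluated from per-frame classifier output, as an added example that is not the project's own code. The function name, result shape, confidence threshold, hold length and per-step timeout are assumptions, and the sample frames are constructed.

```javascript
// Gesture labels are the four shown on this page; thresholds below are assumed.
const GESTURES = ['Peace', 'Thumbs Up', 'Open Palm', 'OK Sign'];
const DEFAULTS = { minConfidence: 0.85, holdFrames: 3, stepTimeoutMs: 5000 };

// predictions: per-frame classifier output { label, confidence, t (ms) }.
// Only these small objects are consumed; no pixel data is passed in or kept.
function verifySequence(challenge, predictions, opts = {}) {
  const { minConfidence, holdFrames, stepTimeoutMs } = { ...DEFAULTS, ...opts };
  if (!challenge.length || !challenge.every((g) => GESTURES.includes(g))) {
    throw new Error('challenge must be a non-empty list of known gestures');
  }
  let step = 0;          // index of the gesture currently expected
  let streak = 0;        // consecutive confident frames matching it
  let stepStart = null;  // timestamp at which the current step began
  let awaitingRelease = false; // a repeated gesture needs a break in between

  for (const { label, confidence, t } of predictions) {
    if (stepStart === null) stepStart = t;
    if (t - stepStart > stepTimeoutMs) return { ok: false, reason: 'timeout', step };

    const matches = confidence >= minConfidence && label === challenge[step];
    if (awaitingRelease) {
      if (matches) continue; // user is still holding the previous gesture
      awaitingRelease = false;
    }
    streak = matches ? streak + 1 : 0; // a flicker or wrong label resets the hold
    if (streak < holdFrames) continue;

    step += 1;
    streak = 0;
    stepStart = t;
    if (step === challenge.length) return { ok: true, reason: 'verified', step };
    awaitingRelease = challenge[step] === challenge[step - 1];
  }
  return { ok: false, reason: 'incomplete', step };
}

// Constructed sample: one stray frame, then each gesture held for three frames.
const SAMPLE_FRAMES = ['Open Palm', 'Peace', 'Peace', 'Peace', 'OK Sign', 'OK Sign', 'OK Sign']
  .map((label, i) => ({ label, confidence: 0.95, t: i * 100 }));
console.log(verifySequence(['Peace', 'OK Sign'], SAMPLE_FRAMES));
```

Requiring a held streak and a time limit per step keeps a single misclassified frame from passing a step and bounds how long one challenge stays answerable.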

06 — Designing Around Trust

Five user mental models shaped every screen.

Gesture input is novel, and novelty in a security flow breeds anxiety. I designed each decision against how users actually think about being watched, surprised, and asked to act.

"If I'm using my camera for a security check, it could be recording me — that feels risky."
Design implication

A clear local-only disclaimer: "GestureCAPTCHA verifies your gesture locally and never stores your image."

"I want to be the one to start the interaction — not have the system surprise me."
Design implication

An opt-in "Start Gesture Check" button instead of automatic detection — giving the user agency and consent.

"If I don't know the name of a gesture, I can't be expected to perform it correctly."
Design implication

Pair every gesture name with a visual demo, and let users pick gestures they already recognize.

"If it opens in a new tab, it looks like spam."
Design implication

Keep the entire verification embedded in the same tab to preserve continuity and trust.

"I need to know what's about to happen before I'm asked to do something."
Design implication

A brief splash screen prepares the user for what's expected, removing disorientation.

07 — How I Built It

Two phases: design the trust, then train the model.

01
Research

UX research & synthesis

Interviews, Reddit sentiment analysis, and login observation, synthesized through affinity and cognitive-offloading maps to define where AI helps and where the human stays in control.

02
Sketch

UI sketches & flow

Mapped the splash → consent → gesture sequence → verified flow, dividing clearly what the AI does from what the human decides.

03
Prototype

High-fidelity prototype

Designed the embedded, single-tab experience with end-to-end-encryption cues, step counters, and gesture demos baked into each step.

04
Build

Working AI model

Trained a gesture-recognition model in ML5.js and connected it to the flow — a functional proof that the concept runs in a real browser.

08 — Impact

A concept that runs — and a clear answer to the friction problem.

Built & working
Live ML model

A functioning gesture-recognition model in ML5.js, proving the flow works end-to-end in a real browser — not just in mockups.

Built & working
5 mental models → UI

Every interaction decision maps to a documented user belief about privacy, consent, and control — design grounded in evidence.

Projected at scale
No phone, no codes

Removes the device-dependency that locks people out — verification needs only a camera the user already has.

Projected at scale
Bot-resistant by design

Human gestures are hard for bots to fake convincingly, addressing the AI-vs-CAPTCHA arms race head-on.

09 — Reflections

What I learned designing security people don't hate.

Trust is the real UX

In security, perceived safety matters as much as actual safety. The disclaimer and opt-in mattered as much as the model.

Design with AI, not for it

The cognitive-offloading map kept the human in charge of consent while AI handled the repetitive verification — a balance worth defending.

Accessibility next

Gestures aren't universal. The next round needs gesture alternatives and testing with users who can't perform standard hand signs.