What is a CAPTCHA?
CAPTCHA is an acronym that stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is a type of challenge–response test used on websites across the internet to determine whether a user is a human or a bot.
How do CAPTCHAs work?
CAPTCHAs work by presenting tests that only humans can solve. Users are given tests at login, checkout and other key checkpoints — places where website owners are especially concerned with only allowing real humans to proceed. Because some bots can't process distorted letters, blurry images and other recognition-based information, only real humans are able to pass the test and go on to complete the desired action. If a CAPTCHA is not passed successfully, the website owner can be fairly certain that the user is a bot and prevent it from moving forward.
Types of CAPTCHAs
CAPTCHAs come in four standard types: text-based, image-based, audio, and math.
Text CAPTCHAs are the standard CAPTCHA, which presents a sequence of blurred and distorted letters and numbers against an off-white or colored background. The user must type the correct character sequence into the text field in order to pass. Alternative versions of text-based CAPTCHAs might use special characters, eliminate the white space between the characters or use characters of varying shapes, sizes and colors. This makes it harder for bots to solve the puzzle because they are unable to understand and recognize the variance in the characters the same way a human would.
Image CAPTCHAs present a series of images of common scenes, such as highways, parks or city streets. Users are asked to select only the pictures that contain certain objects, like buses, bicycles and crosswalks. In a more advanced version, an image of the same picture may be shown in different orientations. For example, a picture of a dog appears at different angles, and the user has to pick the image with the dog positioned upright. Image recognition is harder for bots than text recognition, and blurry images frustrate the bot’s recognition techniques. And image-based CAPTCHAs look for users that respond how a human would — which might not be the technically correct answer.
Some CAPTCHAs can be presented with an audio reading of the numbers or text rather than an image. This makes CAPTCHAs accessible to the blind, colorblind and sight-impaired. The user opts for the audio test, listens to it and types in the text they hear.
Math CAPTCHAs present an equation for the user to solve. For example, an image displays the problem “18 + 5 =?” and asks users to enter the correct answer. The user then types in the number 23 and clicks the button to continue. Math CAPTCHA technologies typically generate a new random equation on each visit to the page and each time the visitor fails to submit the correct answer. This technique keeps bots from learning a single right answer.
What are CAPTCHAs used for?
The purpose of CAPTCHAs is to identify malicious bots, so website owners can stop them from logging into an account, completing a financial transaction, opening a new account or executing another sensitive activity. Bots are used in a wide range of cyberattacks, including account takeover (ATO), transaction abuse, and web scraping. Using a CAPTCHA can be an effective way to weed out bad bots before they can wreak havoc on your site.
Disadvantages of CAPTCHAs
Although CAPTCHAs can enhance your site security and block some bots, they do have some significant disadvantages.
- Ineffective against sophisticated bots – Cybercriminals increasingly use CAPTCHA-solving bots and CAPTCHA farms to pass tests. This renders CAPTCHAs largely ineffective.
- Lower conversion rate – The more work users have to do to respond to the CAPTCHA, the more likely they will abandon the site altogether. This negatively impacts your website traffic, conversion rate and revenue.
- Negative user experience – CAPTCHAs can be frustrating to interpret and solve. This causes a negative consumer experience and drives abandonment. Users who have issues with a CAPTCHA may contact customer support, which requires internal resources from your team.
- Don’t support all browsers – Not all CAPTCHA technologies support all browsers, so not every CAPTCHA works for every user.
- False positives – CAPTCHAs have an 8% failure rate for human users. That number jumps to 29% if the text is case-sensitive. False positives lock out legitimate consumers who otherwise would have gone on to engage with your site.
- Inaccessible – People with poor eyesight, reading difficulties or hearing disabilities may have difficulty solving CAPTCHAs. If disabled people are blocked due to inaccessible CAPTCHAs, discrimination lawsuits may follow.
The idea behind CAPTCHAs isn’t bad, but the challenge-response approach needs to evolve for the modern era. And no, this doesn’t mean making challenges harder and harder until all users get so frustrated that they abandon your website. Instead, look for these key capabilities to replace traditional CAPTCHAs.
- User-friendly – Presents an easy-to-solve, single-step challenge that won’t frustrate users and drive abandonment.
- Accurate – Blocks bot traffic with few false positives and false negatives. Has strong anti-tampering mechanisms to detect and deter CAPTCHA-solving bots and CAPTCHA farms.
- Behind-the-scenes detections – Leverages techniques like invisible challenges, fingerprinting, identifying device capabilities, tracking user interactions and Proof of Work (PoW) to identify bots “behind-the-scenes” — without impacting user experience.
- Scenario-optimized – Only serves challenges to risky profiles, so most humans won’t be given a test. Dynamically adjusts difficulty based on device and risk profile.
- Accessibility – Accessible and solvable by people with disabilities.
How Does HUMAN Use CAPTCHAs?
Instead of a traditional CAPTCHA, HUMAN uses an alternative tool: Human Challenge. Human Challenge is a user-friendly verification that presents a visual challenge to differentiate humans from bots on web and mobile apps. Users simply “Press and Hold” — and HUMAN will do the rest.
Human Challenge is only served to risky user profiles, meaning that only 0.01% of human users will ever see it. Solve times for Human Challenge are 4-6x times faster than reCAPTCHA, and abandonment rates are 3-5x times lower. The frictionless “Press and Hold” button makes verification less frustrating and more human, which reduces abandonment rates and improves conversions while maintaining high accuracy.
What is Bot Detection? | How to Detect & Block Bad Bots
What is Bot Mitigation? | 4 Types of Bots & Botnets | How to Stop Bots
What is Credential Stuffing? Definition, Attack Types, & Solutions
Carding: What It is and How to Prevent It
What is Account Takeover? | How to Detect & Stop It