Why businesses are choosing CAPTCHA alternatives

CAPTCHA—Completely Automated Public Turing Test to Tell Computers and Humans Apart—was born in the late 90s. It aimed to prevent malicious bots from spamming engines, forums, and sign up or contact forms.

You may be familiar with its most popular implementation: Google reCAPTCHA. Google’s solution went through several changes over the years, from asking the user to write a word they see on the screen to running invisibly in the background and giving users a score.

But the internet is more complex than it was in the 90s. We’ve come a long way since Geocities and chat rooms. Not all bots are bad and it’s important for bot detection systems to be sophisticated enough to realize that. But when the bots are “bad”and successful, they have more power than ever. Which makes  it more vital than ever to be able to detect them — here are some effective alternatives for the modern detection era.

Accessibility Issues

Traditional approaches to bot detection have significant accessibility issues. More often than not, you’ll only find it in English. Audio options also include limited language options and image or text approaches are inaccessible to many people living with visual or auditory impairment.

Poor User Experience

People find the process of proving they’re a human frustrating. 1 in 5 people will leave a website rather than complete a puzzle. Every bounced visitor is a cart that’s not checked out, a form that’s not filled, or a contact inquiry that’s never sent.

Vulnerability to Bots

CAPTCHA’s main purpose is to stop spamming bots. And the reality is  the method just  doesn’t work that well.

In 2016, researchers at Columbia University showed that a low-cost CAPTCHA attack can solve about 70% of all reCAPTCHA challenges.

CAPTCHAs are tests designed to differentiate between computer and non-computer entities. They can fall into one of two categories:

1. Checkbox Verification

   One of the simplest CAPTCHAs is a checkbox you’ll need to add at the end of a form asking users to check or uncheck it. It is usually accompanied by a text like “I am human” or “I am not a robot”.

   The least robust of the options on this list, checkbox capabilities are easily emulated by malicious actors, making this a less-than-suitable alternative.

2. Text-Based Challenges

   Traditional text-based challenges involve a distorted text that a person has to understand and rewrite. The text may be 2D or 3D, one word or several words, and various distortions in place. However, a 2011 review of 15 text-based CAPTCHA schemes showed that 13 of them were vulnerable to attacks.

   An alternative could be text-based challenges in the form of questions. Common questions you’ll find include “What is 1+1” or “What color is the sky?” They have to be easy enough that everyone knows the answer (including bad bots).

The above are not the only way to verify the humanity of a website visitor. Unique alternatives include:

1.   Human Challenge

The Human Challenge is a simple and sophisticated way to prevent malicious bot behavior and an all-in-one CAPTCHA alternative. It does most of its work in the background, which means that most users won’t even interact with it, leading to a truly frictionless and fast experience.

If Human Challenge displays to a user (approximately 1 in 10,000), all they have to do is press and hold a button while HUMAN executes proof-of-work behind the scenes. The end result is a solve time that is 4-6 times faster than traditional methods and a page abandonment rate that is 3-5 times lower.

When a user hits your page’s edge, Human Challenge makes a “bot-or-not” decision. This gets trusted users recognized instantly and gives them a fast browsing experience.

2.   Biometric Verification

Biometric verification is a security layer that removes the need for verification altogether. It also replaces the use of passwords and other codes with biological measurements, like fingerprints and facial or voice recognition.

The downside is you can’t enforce biometric verification. You can suggest it and encourage users to choose it, but the rest is up to them. Plus, in some instances, like filling out a form, biometrics don’t always have their place, as users don’t have to be logged in.

3.   Precheck

Precheck from HUMAN makes a bot or not decision just as a users’ first request reaches the edge of the page. The indication that the user receives is displayed in the form of a brief splash page that features a (customizable) animation.

Because Precheck blocks at the first request, it is extremely good at detecting web scrapers, a task that is otherwise tedious as it takes only one single request for bots to scrape content.

Technology has evolved to the point that bot detection systems don’t have to be interactive. These tests can run in the background:

1.   Behavioral Analysis

With behavioral analysis, you’re looking at a person’s activity on your website to determine whether they’re human or a bot. This approach is based on the idea that humans have certain patterns that set them apart from bots.

Things you can look at include:

• Mouse movements, analyzing the trajectory, speed, and acceleration of the mouse.
• Keyboard interactions, monitoring the timing, and the pauses between keystrokes.
• Scrolling behavior, looking for a visitor’s rhythm, and pauses.

People tend to be non-linear, may pause more often or at irregular intervals, and can have varying speeds when typing.

2.   Honeypot Technique

The honeypot technique involves using an anti-spam honeypot to misguide malicious bots. For instance, a form could have an extra field that is hidden from humans through JavaScript code, but visible to all bots. If a form is submitted with the hidden field filled out, it will be ignored.

The main downside is that they could be confusing for people using a screen reader, as those apps might pick up the hidden fields.

Consider User Experience

CAPTCHAs are not  ideal for the user experience — they frustrate users and lead to page abandonment. To ensure your CAPTCHA solution has as little of a negative impact as possible, consider layering detections so that not every user gets a CAPTCHA. For this to effectively work, you’ll need to ensure your margin of error is as low as possible. Sometimes, a real person may be mistaken for a bot, but the occurrence of such mistakes should be under 0.1%.

Consider Privacy Concerns

Don’t forget about privacy regulations. Some CAPTCHA solutions may collect personal data. Depending on your jurisdiction, you may need to take additional measures to ensure compliance, or simply ensure you use a solution that’s compliant with all privacy regulations.

Test and Monitor Performance

Bad actors and threats evolve all the time and so should your security measures and CAPTCHA solutions. Start by monitoring its effect on your visitors.

Are you noticing a higher bounce rate, abandoned carts, and other issues that could signal people are having a poor user experience? You might need to think outside of the box when it comes to bot detection.

Human Challenge bot detection is fast and straightforward, ADA compliant, and ready-to-install. Book a demo today and see why the largest global platforms trust HUMAN.

Why CAPTCHA isn’t enough

What does CAPTCHA mean? | How CAPTCHAs work

The fraud/friction tightrope: CAPTCHA

Human Challenge: the frictionless CAPTCHA