You are searching for fares and hotels on a discount travel site and you finally find some great deals. Now you need to create an account and buy tickets. But you can’t. Why? CAPTCHA -- the super annoying grids of images that pop up and demand you select which ones contain a traffic light, a lamp, a dog, etc. These visual roadblocks are increasingly too hard for humans to solve. If you guess wrong, you start again. Or you may decide to simply ditch the site and look elsewhere. In some cases, it may even get philosophical and tackle the treachery of images like this CAPTCHA pondering whether a road sign of a bicycle actually is a bicycle.
Hard-to-understand (and solve) puzzles are a major pain point for online companies and can even affect sales and engagement.
We know from decades of research that even small barriers that buyers encounter will increase abandonment. But this problem is growing worse. The newest CAPTCHAs have gotten so hard for humans that the frustration level has likely reached a boiling point. The upshot? It’s now time to rethink wholesale CAPTCHA use and strategy or you will risk losing more and more sales as users get angry with harder and harder puzzles, many of which are errantly applied.
A Quick CAPTCHA History
A CAPTCHA is a security mechanism and test designed to stop automated attacks by requiring human-like mental capabilities. The term CAPTCHA is short for "completely automated public Turing test to tell computers and humans apart." Invented in 1997, the original CAPTCHAs primarily required a user to decode letters from a distorted image. As bots proliferated and gained capabilities to fill out forms (and try to log into websites in brute force attacks), more and more security and web operations teams inserted CAPTCHAs into their user experience to diminish the load on their servers and protect themselves from malicious bots.
Today, the vast majority of e-commerce and travel sites require some sort of CAPTCHA to perform specific, more sensitive tasks for a significant percentage of users. There are multiple types of CAPTCHAs -- they can ask users to decode blurry text, determine which parts of a picture contains a tree or a traffic light, solve a simple math problem or comprehend a word against a field of noisy audio.
Why Today’s CAPTCHAs Make Things Worse, Not Better
For nearly a decade, CAPTCHAs worked pretty well, even if people hated them. Although, truth be told, even from the beginning, CAPTCHAs created friction for users. According to a 2010 research paper published by Stanford scientists, the average person needed 10 seconds to solve the first-generation CAPTCHA. This is an eternity in the world of online shopping, particularly on mobile devices. What’s more, it’s likely that recent versions of CAPTCHAs take even longer for humans to solve due to their enhanced complexity.
Over time, the original CAPTCHAs became easy to solve for bots equipped with image processing software. To counter the growing capabilities of the bots, the makers of CAPTCHA services began gradually increasing the difficulty of the challenges, ultimately escalating to visual processing challenges that are hard for real humans to solve. In 2018, the Baymard Institute, which performs UX research, estimated that users fail to solve text-based CAPTCHAs roughly 8% of the time. That bumps up to 29% if the CAPTCHA is case-sensitive. Furthermore, there are reports that claim artificial intelligence (AI) systems are better than humans at solving CAPTCHA-like tasks, which are, after all, pattern recognition tasks perfectly suited to AI.
The reality is that bot network operators can already apply a nuclear option -- they can leverage humans to solve CAPTCHAs via Amazon’s Mechanical Turk and other “human intelligence task” platforms. Today, CAPTCHA solving services powered by humans are common, out in the open and even offer API access.
How Today’s CAPTCHAS Are Hurting Online Sales
Anything that interrupts a user’s experience will drive abandonment. This is true for making a purchase, logging into a site or posting a review -- all of which are desirable behaviors from real users. But in an era of cheap computing and powerful open-source AI, humans will soon be far worse at solving CAPTCHAs than machines. At the same time, more challenging CAPTCHAs also go against a core UX principle: make the user’s experience smoother, faster and better, not more disjointed, slower and worse. Additionally, it’s not practical to apply CAPTCHAs to every page. This means bots can freely roam over large portions of a site.
Many experts in website conversions also think CAPTCHAs do more harm than good. Research by SEO firm MOZ found that, while CAPTCHAs reduced bot-driven submissions to website forms by 88%, the puzzles discouraged viable shoppers at such a rate that sites using CATPCHAs saw a 3.2% decline in good conversions.
So what can you do? You can run A/B tests month over month to see if CAPTCHAs help or hurt. Additionally, site reliability engineers and web operations teams should consider better ways to stop attacks. A number of technology services can accurately identify bot traffic before it hits your page based on criteria that might include user behavior, browser fingerprint, IP address reputation, network location and more.
Rather than apply CAPTCHA to every visitor, site operators should only force a CAPTCHA when they are pretty sure a query is from a bot and not a live human. Even then, it’s important to watch for signs that you are annoying users, such as increases in shopping cart abandonment or drops in reviews or log-ins. Yes, allowing bots free rein on your sites can wreak havoc. But sometimes the cure is worse than the disease, and as each generation of CAPTCHAs grows harder, their value diminishes and their risks increase, you should look for a new type of medicine.