What is CAPTCHA?

CAPTCHA is an acronym that stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is a type of challenge–response test used on websites across the internet to determine whether a user is a human or a bot.

How do CAPTCHAs work?

CAPTCHAs work by presenting tests that only humans can solve. Users are given tests at login, checkout and other key checkpoints — places where website owners are especially concerned with only allowing real humans to proceed. Because some bots can't process distorted letters, blurry images and other recognition-based information, only real humans are able to pass the test and go on to complete the desired action. If a CAPTCHA is not passed successfully, the website owner can be fairly certain that the user is a bot and prevent it from moving forward.

Types of CAPTCHAs

CAPTCHAs come in four standard types: text-based, image-based, audio and math.


Text-based CAPTCHAs are the standard type: they present a sequence of blurred and distorted letters and numbers against an off-white or colored background. The user must type the correct character sequence into the text field in order to pass. Alternative versions of text-based CAPTCHAs might use special characters, eliminate the white space between the characters or use characters of varying shapes, sizes and colors. This makes it harder for bots to solve the puzzle because they are unable to understand and recognize the variance in the characters the same way a human would.


Image-based CAPTCHAs present a series of images of common scenes, such as highways, parks or city streets. Users are asked to select only the pictures that contain certain objects, like buses, bicycles and crosswalks. In a more advanced version, the same picture may be shown in different orientations. For example, a picture of a dog appears at different angles, and the user has to pick the image with the dog positioned upright. Image recognition is harder for bots than text recognition, and blurry images frustrate the bot’s recognition techniques. Image-based CAPTCHAs also look for users who respond the way a human would, which might not be the technically correct answer.


Some CAPTCHAs can be presented with an audio reading of the numbers or text rather than an image. This makes CAPTCHAs accessible to the blind, colorblind and sight-impaired. The user opts for the audio test, listens to it and types in the text they hear.


Math CAPTCHAs present a basic equation for the user to solve. For example, an image displays the problem “18 + 5 = ?” for users to solve. The user then types in the number 4 and clicks the button to continue. Math CAPTCHA technologies typically generate a new random equation on each visit to the page and each time the visitor fails to submit the correct answer. This technique keeps bots from learning a single right answer.
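The regeneration behaviour described above, as an added server-side sketch (not code from any CAPTCHA product). The in-memory `CHALLENGES` store, the 120-second lifetime and the function names are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Hypothetical in-memory store: challenge id -> (expected answer, expiry time).
# A real deployment would keep this in the server-side session or a cache.
CHALLENGES = {}
TTL_SECONDS = 120  # assumed lifetime of one challenge

def new_challenge(now=None):
    """Create a fresh random equation; only the id and the text leave the server."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(20) + 1, secrets.randbelow(20) + 1
    challenge_id = secrets.token_urlsafe(16)
    CHALLENGES[challenge_id] = (str(a + b), now + TTL_SECONDS)
    return challenge_id, f"{a} + {b} = ?"

def check_answer(challenge_id, submitted, now=None):
    """Return (passed, next_challenge).

    Every challenge is single use: it is removed on the first submission,
    right or wrong, so the same equation cannot be retried and a solved
    challenge cannot be replayed.
    """
    now = time.time() if now is None else now
    expected, expires = CHALLENGES.pop(challenge_id, (None, 0.0))
    ok = (
        expected is not None
        and now <= expires
        and hmac.compare_digest(expected.encode(), submitted.strip().encode())
    )
    # On failure the visitor gets a new random equation, never the old one.
    return ok, (None if ok else new_challenge(now))
```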

What are CAPTCHAs used for?

The purpose of CAPTCHAs is to identify malicious bots, so website owners can stop them from logging into an account, completing a financial transaction, opening a new account or executing another sensitive activity. Bots are used in a wide range of cyberattacks, including account takeover (ATO), credential stuffing, carding, inventory hoarding and scalping, and web scraping. Using a CAPTCHA can be an effective way to weed out bad bots before they can wreak havoc on your site.

While CAPTCHAs are built to stop internet bots, they may also be used to gather data to inform future automation technology. Although this is not confirmed, it is suspected that the data gathered from CAPTCHA and reCAPTCHA is used to train self-driving cars to recognize objects that they might encounter on the road. If today’s CAPTCHAs are in fact designed to serve these other purposes, it suggests that user experience might not be the primary goal behind their deployment.

Advantages and Disadvantages of CAPTCHAs

Although CAPTCHAs can enhance your site security and block some bots, they do have some significant disadvantages.

  • Ineffective against sophisticated bots – Cybercriminals increasingly use CAPTCHA-solving bots and CAPTCHA farms to pass tests. This renders CAPTCHAs largely ineffective.
  • Lower conversion rate – The more work users have to do to respond to the CAPTCHA, the more likely they will abandon the site altogether. This negatively impacts your website traffic, conversion rate and revenue.
  • Negative user experience – CAPTCHAs can be frustrating to interpret and solve. This causes a negative consumer experience and drives abandonment. Users who have issues with a CAPTCHA may contact customer support, which requires internal resources from your team.
  • Don’t support all browsers – Not all CAPTCHA technologies support all browsers, so not every CAPTCHA works for every user.
  • False positives – CAPTCHAs have an 8% failure rate for human users. That number jumps to 29% if the text is case-sensitive. False positives lock out legitimate consumers who otherwise would have gone on to engage with your site.
  • Inaccessible – People with poor eyesight, reading difficulties or hearing disabilities may have difficulty solving CAPTCHAs. If disabled people are blocked due to inaccessible CAPTCHAs, discrimination lawsuits may follow.

CAPTCHA Alternatives

The idea behind CAPTCHAs isn’t bad, but the challenge-response approach needs to evolve for the modern era. And no, this doesn’t mean making challenges harder and harder until all users get so frustrated that they abandon your website. Instead, new technologies have emerged to replace traditional CAPTCHAs. Here are key capabilities to look for:

  • User-friendly – Presents an easy-to-solve, single-step challenge that won’t frustrate users and drive abandonment.
  • Accurate – Blocks bot traffic with few false positives and false negatives. Has strong anti-tampering mechanisms to detect and deter CAPTCHA-solving bots and CAPTCHA farms.
  • Behind-the-scenes detections – Leverages techniques like invisible challenges, fingerprinting, identifying device capabilities, tracking user interactions and Proof of Work (PoW) to identify bots “behind-the-scenes” — without impacting user experience.
  • Scenario-optimized – Only serves challenges to risky profiles, so most humans won’t be given a test. Dynamically adjusts difficulty based on device and risk profile.
  • Accessibility – Accessible and solvable by people with disabilities.
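The Proof of Work, anti-tampering and risk-adjusted difficulty items above, as an added hashcash-style sketch (not code from any vendor's product). The 0.0 to 1.0 risk score, the 8 to 20 bit range, `SERVER_KEY` and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
TTL_SECONDS = 60                      # assumed challenge lifetime

def difficulty_for(risk_score):
    """Map a hypothetical 0.0-1.0 risk score to required leading zero bits (8..20)."""
    return 8 + int(max(0.0, min(1.0, risk_score)) * 12)

def tag_for(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue(risk_score, now=None):
    """Stateless challenge: nonce, difficulty and expiry, bound together by an HMAC."""
    now = int(time.time() if now is None else now)
    payload = f"{secrets.token_hex(8)}.{difficulty_for(risk_score)}.{now + TTL_SECONDS}"
    return f"{payload}.{tag_for(payload)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """What the page's own client script does: search for a counter that meets the target."""
    bits, counter = int(challenge.split(".")[1]), 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, now=None):
    """Server side: one HMAC check and one hash, however long the client worked."""
    now = time.time() if now is None else now
    try:
        nonce, bits, expires, tag = challenge.split(".")
        bits, expires = int(bits), int(expires)
    except ValueError:
        return False
    expected = tag_for(f"{nonce}.{bits}.{expires}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # tampered, e.g. the difficulty field was lowered
    if now > expires:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits
```

Because the token is stateless, a solved challenge stays valid until it expires; a deployment that needs single use would also record spent nonces.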

