Security

CAPTCHA

Security mechanism to tell humans and bots apart – from distorted text and image puzzles to invisible behaviour analysis.

CAPTCHAs are the bouncers of the internet: they decide whether a human or a bot gets in. The technology has evolved – from unreadable character puzzles to invisible behaviour analysis. The challenge is to block bots without frustrating real users.

What is CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart – an automated test that distinguishes humans from bots. CAPTCHAs protect sites from automated abuse: form spam, brute-force logins, ticket scalping and scraping. The tech has moved from distorted text (classic CAPTCHA) and image recognition (reCAPTCHA v2: traffic lights, crosswalks) to invisible behaviour analysis (reCAPTCHA v3, Turnstile).

How does CAPTCHA work?

Modern CAPTCHAs like reCAPTCHA v3 and Cloudflare Turnstile work invisibly: they analyse behaviour (mouse movement, scrolling, typing, browser fingerprint) and assign a risk score (0.0 = bot, 1.0 = human). A visible challenge is shown only when the result is unclear. Older versions (reCAPTCHA v2) show the familiar image challenges (identify traffic lights, buses, etc.). Honeypot fields are an alternative: invisible form fields that only bots fill in.

Practical Examples

Contact form: reCAPTCHA v3 protects the form invisibly – users see nothing, bots are blocked.

E-commerce: Turnstile protects checkout from bots on limited-edition products.

Registration: hCaptcha is used at sign-up to prevent fake accounts.

Typical Use Cases

Forms: Protecting contact, registration and comment forms from spam bots

E-commerce: Protection from automated purchases and inventory hoarding

API protection: Rate limiting and bot detection for public APIs

Advantages and Disadvantages

Advantages

Effective protection from spam, brute force and automated abuse
Invisible CAPTCHAs (v3, Turnstile) barely affect user experience
Easy to add: a few lines of code with common providers
Free options available (reCAPTCHA, Turnstile Free, hCaptcha)

Disadvantages

Accessibility: Image CAPTCHAs are problematic for users with visual impairments
Frustration: Complex image puzzles annoy users and increase bounce
Privacy: reCAPTCHA sends data to Google (GDPR-relevant, consent needed)
AI progress: Advanced bots can solve many CAPTCHAs automatically

Frequently Asked Questions about CAPTCHA

Is reCAPTCHA GDPR compliant?

reCAPTCHA v3 sends user data (IP, cookies, behaviour) to Google in the US. Several data protection authorities say this requires active consent. More GDPR-friendly options: Cloudflare Turnstile (EU servers), hCaptcha, or server-side bot detection without third-party cookies.

What is the best CAPTCHA alternative?

Cloudflare Turnstile is modern: invisible, privacy-friendly and free. Honeypot fields (invisible fields only bots fill) give simple protection without frustrating users. Time-based validation (form must be open for X seconds) filters fast bot submissions. Combining several methods gives the best protection.

Do CAPTCHAs hurt conversion?

Visible CAPTCHAs (image puzzles, checkbox) can reduce conversion by about 3–12%. Invisible CAPTCHAs (reCAPTCHA v3, Turnstile) have little or no measurable impact. Recommendation: use invisible where possible and show visible CAPTCHAs only as fallback when behaviour is suspicious.

Want to use CAPTCHA in your project?

We are happy to advise you on CAPTCHA and find the optimal solution for your requirements. Benefit from our experience across over 200 projects.

Learn more Get free consultation

Back to IT Glossary