
Which CAPTCHA(s) Should I Use?

On many sites automated traffic now rivals or exceeds human traffic, and CAPTCHAs have become the standard first response to automated attacks on signup and login forms. A CAPTCHA asks the visitor to solve a short puzzle or test that is meant to be easy for a person and hard for a script, and hands the result to your server so it can tell the two apart. Note that it verifies that a human is present, not who that human is.

For a developer, incorporating a CAPTCHA is relatively straightforward, and most vendors expose the same shape of integration: a client-side widget that drops a one-time token into your form, and a server-side verification endpoint to which your backend submits that token together with a secret key to obtain a verdict. Once you've integrated one CAPTCHA solution, switching to another vendor is therefore often a low-touch exercise.

Interestingly, the primary strength of a CAPTCHA isn't necessarily associated with its long-term efficacy in hindering bots through puzzles. Its real power often lies in the inconvenience it inflicts upon potential attackers who have yet to devise a bypass, regardless of puzzle complexity. The introduction of a new CAPTCHA system necessitates that attackers reconfigure their bots, an undertaking requiring time and resources. This constant need for adaptation often serves as a formidable deterrent.

But, as a developer encountering your first wave of bots trying to register or log into your application, which CAPTCHA should you opt for?

In this guide, we'll delve into five prevalent CAPTCHA solutions, giving you an overview of their unique features, strengths, and shortcomings. This insight will arm you with the information you need to choose the right CAPTCHA solution for your application's specific requirements and help you effectively combat the ever-increasing bot traffic.

I also touch on how Castle’s rules engine can provide granular control over the delivery of specific CAPTCHAs, in addition to Castle’s Lists feature that enables the system to recognize devices that have already completed a CAPTCHA.

The Top 5 CAPTCHAs

Google reCAPTCHA

Google reCAPTCHA is arguably the most recognizable CAPTCHA system in use today, often serving as the first line of defense developers adopt when bots start infiltrating their web forms.

Originating from a system that required users to decipher distorted text or match images, reCAPTCHA has evolved significantly over the years. Its second version paired a checkbox with behind-the-scenes analysis of cookies and canvas rendering to spot automated page loads. Since version 3, reCAPTCHA has aimed to be unobtrusive, scoring interactions silently when users load pages or click buttons rather than presenting a challenge.

In 2013, a substantial shift occurred when reCAPTCHA started applying behavioral analysis of browser interactions to predict whether a user was human or a bot. This was refined with the introduction of the "No CAPTCHA reCAPTCHA" in 2014, where low-risk users could prove they were human simply by ticking a box, alongside a new, mobile-friendly image challenge for everyone else. By 2017, Google had introduced the "invisible" reCAPTCHA, which performs background verification for low-risk users without presenting any challenge at all.


Despite its popularity, Google reCAPTCHA has faced criticism and competition. Because Google's core business is advertising, concerns about what the widget collects and how that data is used have led some large organizations to switch providers. The cap of 1 million free calls per month has also pushed larger deployments toward the paid Enterprise version, opening the field to competitors.

hCaptcha

Over the past few years, hCaptcha has emerged as a notable contender in the CAPTCHA landscape, acclaimed for its dedication to data privacy and sovereignty, as well as its free availability. Its introduction sparked a significant shift in the CAPTCHA market, setting the stage for further innovations such as Cloudflare's Turnstile, which we will discuss in the next section.

The shift toward hCaptcha was largely precipitated by Google's decision in 2020 to start charging for reCAPTCHA above a free tier. This compelled Cloudflare, a major consumer of CAPTCHA services, to look for a cheaper and more privacy-conscious option. That search ended in the adoption of hCaptcha, a decision driven both by concerns about Google's use of the data reCAPTCHA collects and by the rising cost of the service.

hCaptcha brought a different model to the table: it paid website owners a small fee whenever their visitors completed challenges. With reCAPTCHA, by contrast, the labor of solving puzzles had fed Google's machine-learning projects for free, a point that had drawn criticism.

Nonetheless, the transition to hCaptcha was not entirely seamless. Despite hCaptcha's privacy advantages, some users found its puzzles harder to solve than reCAPTCHA's, partly because years of exposure had made Google's puzzles familiar; any deviation from them is confusing at first.

In this example, the user must comprehend the context of an animal wearing glasses and then select the corresponding images. This multi-step cognitive process can make the task more challenging compared to a straightforward 'identify the fire hydrants' prompt.

Cloudflare Turnstile

Building on its experience with hCaptcha, Cloudflare introduced Turnstile, a privacy-focused CAPTCHA replacement designed around user experience. Turnstile takes the lessons of the previous generation and pushes further on usability and data minimization.

One of the critical issues with previous CAPTCHA solutions, including hCaptcha, was the balance between security and user experience. Many users found CAPTCHAs cumbersome and challenging to solve. This is where Turnstile took a different approach.

Turnstile is designed to be invisible to most visitors. Rather than confronting users with distorted text or image-matching tasks, it runs a rotating set of non-interactive browser challenges (small proof-of-work computations, probes of how the browser executes JavaScript and exposes web APIs, and similar signals) and, in its managed mode, at most asks the visitor to tick a checkbox. Because there is no puzzle to read or solve, it is language-independent, which significantly improves accessibility for users worldwide.

In this example, the visitor isn't asked to do anything at all, which is Turnstile's main usability advantage. The flip side is that a challenge with no human interaction rests entirely on browser signals, and security researchers (albeit potentially biased in this article) suggest that modern browser-automation frameworks can bypass it more easily than interactive puzzles.

On the privacy front, Turnstile goes further than hCaptcha: Cloudflare states that it does not use cookies to track users across sites, does not build profiles, and does not use the collected data for advertising. The widget still talks to Cloudflare, however: it fetches its challenges from and reports their results to Cloudflare's servers, and your backend must call Cloudflare's siteverify endpoint to validate the token it returns. The privacy gain is that what is collected is limited and not reused, not that nothing leaves the browser.

As for implementation, Cloudflare has kept it simple for website administrators: a script tag and a container element on the page, and a server-side call to Cloudflare's siteverify endpoint to validate the token the widget produces. The widget offers managed, non-interactive and invisible modes. It can be used as a standalone CAPTCHA solution or alongside other systems such as hCaptcha or reCAPTCHA.
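The following is an added example written for this article; it is not code from Cloudflare, Google, hCaptcha, or Castle. It shows the server-side half of the "similar API interface" point made in the introduction: reCAPTCHA, hCaptcha and Turnstile all verify a token by a POST of `secret` and `response` to a siteverify URL and answer with JSON carrying at least `success`, `challenge_ts` and `hostname`, so a single function with a vendor table covers all three, and swapping vendors is a one-line change. The three endpoint URLs are the vendors' real ones; the HTTP transport is injectable so the logic can be exercised offline, and the secret, tokens, hostnames and the two-minute token age limit are assumptions chosen for illustration.

```python
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Real server-side verification endpoints. All three accept a POST form with
# `secret` and `response` (the token the widget placed in the form), plus an
# optional `remoteip`, and reply with JSON containing `success`,
# `challenge_ts`, `hostname` and, on failure, `error-codes`.
SITEVERIFY = {
    "recaptcha": "https://www.google.com/recaptcha/api/siteverify",
    "hcaptcha": "https://hcaptcha.com/siteverify",
    "turnstile": "https://challenges.cloudflare.com/turnstile/v0/siteverify",
}

# A transport takes (url, form fields) and returns the decoded JSON body.
# It is injectable so the verifier can be tested without network access.
Transport = Callable[[str, dict], dict]


def http_post_form(url: str, fields: dict) -> dict:
    """Default transport: a real HTTPS POST of an URL-encoded form."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def verify_captcha(vendor: str, secret: str, token: str, expected_hostname: str,
                   remote_ip: Optional[str] = None,
                   max_age: timedelta = timedelta(minutes=2),   # assumed limit
                   min_score: Optional[float] = None,           # reCAPTCHA v3 only
                   expected_action: Optional[str] = None,       # reCAPTCHA v3 only
                   transport: Transport = http_post_form,
                   now: Optional[datetime] = None) -> Verdict:
    """Validate a CAPTCHA token server-side, failing closed on any doubt."""
    if vendor not in SITEVERIFY:
        raise ValueError(f"unsupported vendor: {vendor}")
    if not token:
        # Never call the vendor for an empty token; just reject the request.
        return Verdict(False, "no token submitted")

    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        body = transport(SITEVERIFY[vendor], fields)
    except Exception as exc:
        # The vendor being unreachable must not turn into a free pass on a
        # login or signup path; fail closed and let the caller retry.
        return Verdict(False, f"siteverify unavailable: {exc}")

    if not body.get("success"):
        codes = body.get("error-codes") or ["unspecified"]
        return Verdict(False, "rejected: " + ", ".join(codes))

    # The token was minted for a specific site key and page host. A token
    # solved on an attacker's page with your public site key would carry the
    # attacker's hostname, so pin it.
    hostname = body.get("hostname")
    if hostname != expected_hostname:
        return Verdict(False, f"token issued for {hostname!r}, not {expected_hostname!r}")

    # Bound the window between solving and submitting; vendors already reject
    # a token the second time it is verified, this limits the first use too.
    stamp = body.get("challenge_ts")
    if stamp:
        solved = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if solved.tzinfo is None:
            solved = solved.replace(tzinfo=timezone.utc)
        current = now or datetime.now(timezone.utc)
        if current - solved > max_age:
            return Verdict(False, "token too old")

    # reCAPTCHA v3 adds a 0..1 score and the action name the page claimed;
    # a missing score when one is expected is treated as the lowest score.
    if min_score is not None and body.get("score", 0.0) < min_score:
        return Verdict(False, f"score {body.get('score')} below {min_score}")
    if expected_action is not None and body.get("action") != expected_action:
        return Verdict(False, "action mismatch")

    return Verdict(True, "ok")
```

Call `verify_captcha("turnstile", SECRET, request.form["cf-turnstile-response"], "example.com", remote_ip=client_ip)` from the handler that processes the form; for hCaptcha the form field is `h-captcha-response` and for reCAPTCHA `g-recaptcha-response`, which is the only other vendor-specific detail. The checks beyond `success` matter: verifying the hostname stops tokens solved on a third-party page with your public site key, the age bound narrows the replay window, and failing closed when the vendor is down keeps an outage from becoming a bypass. Each vendor also rejects a token on its second verification (reCAPTCHA reports this as `timeout-or-duplicate`), so verify exactly once per form submission.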

Turnstile is a notable development in CAPTCHA solutions. By putting user experience and data minimization first, it is a strong choice for administrators who want a modern, privacy-preserving option, and it shows that reasonable bot protection does not have to come at the expense of usability or privacy.

Arkose Labs

Arkose Labs is a commercial CAPTCHA provider aimed at organizations that need heavier, customized protection. Drawing on its background in fraud prevention, Arkose pairs its challenges with risk analysis rather than treating every visitor the same.

Their unique offering melds CAPTCHA technology with risk analysis, generating adaptable challenges that shift based on the detected risk level of incoming traffic. This dynamic, risk-responsive strategy improves the user experience for genuine users while creating a stiffer barrier for bots. Thus, low-risk traffic encounters a simpler challenge, while high-risk traffic faces more intricate hurdles.

This example shows an earlier but still widely used Arkose challenge, where users must rotate an animal image until it is upright. The task is usually simple for humans, though depending on the image it can occasionally be hard to tell which way is up.

One selling point of Arkose Labs is dedicated support and continuous updates. Unlike free solutions, Arkose provides integration assistance and prioritized resolution of issues, and as a commercial vendor it has the resources to keep evolving its challenges as bot tooling advances.

Despite the cost, commercial solutions often exceed free alternatives in service quality and capacity. Arkose Labs, with its risk-tailored challenges, dedicated support and continuous upgrades, is representative of what a commercial vendor can deliver. For businesses facing substantial bot pressure or needing customized controls, paying for a provider like Arkose Labs can be worth it.

Geetest

Geetest's adaptive CAPTCHA system brings a tailored approach to its challenges similar to Arkose Labs. Rather than employing a uniform challenge, Geetest's framework adjusts the difficulty based on the assessed risk level of the traffic. As a result, genuine, low-risk users face more straightforward tasks, while high-risk or dubious traffic contends with more complex ones. Their methods encompass steps like device recognition, user behavior analysis, monitoring of large request volumes, and the use of learning algorithms that refine with time.

This example demonstrates the slider variant of Geetest challenges. While this task is often relatively straightforward for humans, it has become increasingly easier for bots to solve over time. Fortunately, Geetest offers a range of other challenge options to maintain robust security.

Geetest further distinguishes itself through its support for various platforms and its global server network, promising stable and fast service irrespective of user location. This worldwide reach and compatibility with diverse platforms render it an appropriate choice for businesses catering to an international customer base.

Similar to Arkose Labs, Geetest provides committed support and regular updates. These benefits simplify the process for businesses to implement and maintain their CAPTCHA solutions. The attention Geetest places on customer support and staying abreast with new technology trends underscores the advantages of commercial vendors in the rapidly evolving sphere of online security.

Noteworthy mentions

As the lifespan of many CAPTCHAs tends to be limited, fresh vendors continually surface in the market. Several relatively new solutions merit exploration, despite their yet-to-be-established prominence within the developer community.

  • Amazon CAPTCHA JavaScript API – Offered as part of AWS WAF, this API provides reliable, scalable and cost-effective CAPTCHA functionality that integrates naturally with the rest of Amazon's cloud services. This makes it a promising candidate for developers who already run on AWS.
  • Yandex SmartCaptcha – SmartCaptcha leverages Yandex's extensive experience in machine learning and artificial intelligence developed to protect their search experience to enhance its CAPTCHA challenges. This promises a continually evolving and effective solution against bots.
  • Lemin – Lemin offers an innovative CAPTCHA solution with a user-friendly focus. Its easy-to-use interface coupled with a free plan makes it an attractive option for developers starting on a shoestring budget. Their paid offering also shows promise for scaling up security needs.

While these are not as popular (yet), they are good to keep around as complementary CAPTCHAs that can be used in conjunction with your favorite picks. We'll delve into how to think about a multi-CAPTCHA approach in the next section.

Which CAPTCHA(s) Should I Use?

There exists a vast array of CAPTCHA solutions, each appearing and disappearing in its own time. Their transient nature follows from the near impossibility of a long-term solution to bots: in principle any challenge can be cracked, and any challenge a human can solve can be outsourced to a human solver farm. This has become all the more apparent with the advent of AI and human-as-a-service models such as 2Captcha, which sell solves for a fraction of a cent each.

One proven strategy involves rotating a set of CAPTCHAs, forcing attackers to perpetually retool their bots. Although not entirely foolproof, this tactic can secure valuable time in the ongoing battle against bots.

We recommend maintaining a collection of 2-3 distinct CAPTCHAs at your disposal. These can be rotated in a round-robin fashion, or if you prefer a more advanced approach, you could use a rules engine. This engine matches the choice of CAPTCHA to the sophistication level of the attacker, activating based on various request thresholds. Although this method calls for more initial setup and fine-tuning, it can significantly enhance your site's resilience against a wave of automated threats.

With Castle's rules engine, you gain granular control over the delivery of specific CAPTCHAs. For example, if a bot score from Castle exceeds 60, the system can automatically present a reCAPTCHA. On the other hand, if there's a sudden influx of logins from the same ISP, surpassing 10 within a single minute, an Arkose Labs puzzle can be triggered. See this tutorial on how to connect a CAPTCHA to the rules engine.

Moreover, Castle introduces the concept of Lists. This feature enables the system to recognize devices that have already completed a CAPTCHA. As a result, these devices won't be subjected to repeated CAPTCHA challenges, significantly improving the user experience. See this tutorial on how to use Lists to trust devices.
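To make the rotation and rules-engine ideas in this section concrete, here is an added example of a CAPTCHA selection policy, written for this article; it is not Castle's rules engine or Lists implementation and does not use Castle's API. The two thresholds are the ones given above (a bot score above 60 serves reCAPTCHA, more than 10 logins from one ISP inside a minute serves an Arkose puzzle); the evaluation order, the vendor names used as identifiers, the 30-day lifetime of a trusted device, and the round-robin fallback while the site is under sustained attack are assumptions of this example.

```python
from collections import defaultdict, deque
from itertools import cycle
from typing import Optional


class CaptchaPolicy:
    """Decide which CAPTCHA, if any, to serve for a login or signup request.

    Rules, in the order assumed here:
      1. a device on the trusted list has passed a challenge recently: none;
      2. more than `isp_burst` logins from one ISP inside `window_s`: the
         hardest vendor in the set ("arkose" in the article's example);
      3. a bot score above `score_threshold`: "recaptcha";
      4. otherwise, when the site is under sustained attack, round-robin
         through the rotation so bot authors must keep retooling; when it is
         not, serve no CAPTCHA at all.
    """

    def __init__(self, rotation=("turnstile", "hcaptcha", "recaptcha"),
                 score_threshold=60, isp_burst=10, window_s=60,
                 trust_ttl_s=30 * 24 * 3600):
        self._rotation = cycle(rotation)
        self.score_threshold = score_threshold
        self.isp_burst = isp_burst
        self.window_s = window_s
        self.trust_ttl_s = trust_ttl_s
        self._isp_logins = defaultdict(deque)   # isp -> login timestamps in window
        self._trusted = {}                      # device_id -> expiry timestamp

    def trust_device(self, device_id: str, now: float) -> None:
        """Record that a device passed a CAPTCHA (the trusted-list idea).

        The identifier must be one the server issued and can authenticate,
        such as a signed cookie, not a client-supplied fingerprint; otherwise
        a bot replays a trusted id and never sees a challenge again. It must
        also expire, which is what the ttl is for.
        """
        self._trusted[device_id] = now + self.trust_ttl_s

    def _is_trusted(self, device_id: str, now: float) -> bool:
        expiry = self._trusted.get(device_id)
        if expiry is None:
            return False
        if expiry <= now:
            del self._trusted[device_id]      # lazy expiry
            return False
        return True

    def _logins_in_window(self, isp: str, now: float) -> int:
        """Record a login for this ISP and return the count in the window."""
        window = self._isp_logins[isp]
        window.append(now)
        while window and window[0] <= now - self.window_s:
            window.popleft()
        return len(window)

    def decide(self, *, device_id: str, isp: str, bot_score: int, now: float,
               under_attack: bool = False) -> Optional[str]:
        """Return the vendor to serve, or None to let the request through."""
        # Count every login for the ISP, including trusted ones, so a flood
        # of reused trusted ids still shows up in the rate.
        burst = self._logins_in_window(isp, now)
        if self._is_trusted(device_id, now):
            return None
        if burst > self.isp_burst:
            return "arkose"
        if bot_score > self.score_threshold:
            return "recaptcha"
        if under_attack:
            return next(self._rotation)
        return None


if __name__ == "__main__":
    policy = CaptchaPolicy()
    print(policy.decide(device_id="dev-1", isp="AS64496", bot_score=80, now=0.0))
    policy.trust_device("dev-1", now=1.0)
    print(policy.decide(device_id="dev-1", isp="AS64496", bot_score=80, now=2.0))
```

Wire `decide` into the login handler before rendering the form, and call `trust_device` only after the server-side siteverify check succeeds, never on the client's say-so. Two details worth keeping from this sketch: the ISP counter is updated even for trusted devices, so a burst of replayed trusted identifiers still trips the rate rule, and trust is time-limited, so a stolen identifier has a bounded useful life.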

Sign up for a free trial of Castle today and hook it up to your favorite CAPTCHA(s).