“I’m not a robot” seems like it should be the easiest thing in the world to prove. But if you’ve ever found yourself squinting over a CAPTCHA, trying to pick out photos of crosswalks, you know it’s not as easy as it sounds.
CAPTCHAs are designed to guard websites against harmful bots. When they’re properly employed, they’re a useful defense against spam and fake accounts. But CAPTCHAs (and the bots themselves) have become so sophisticated that the tests can end up stymying human users.
The growing consensus is that web designers need to provide the right kind of CAPTCHA and use it only under specific circumstances. Otherwise, CAPTCHA comes at a cost to user experience (UX) and accessibility.
Here, we’ll dive into how CAPTCHA evolved to its current state and discuss what we can do to increase its usefulness and decrease its frustration.
The Evolution of CAPTCHA and UX
To understand the tension between CAPTCHA’s security goals and UX, you first must understand its (surprisingly fascinating!) origins and evolution.
The term CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. This rather tortured acronym references Alan Turing’s famous Turing Test: our ability to gauge the sophistication of artificial intelligence based on a human’s ability to differentiate a human from a robot.
CAPTCHA was created in the early 2000s to combat the epidemic of bots that were spamming early search engines and clogging the internet. Credit for its invention is disputed, but researchers at Carnegie Mellon University certainly pioneered its use. The original CAPTCHA took the form of text warped past the point that computers could decipher while still being (mostly) legible to human beings. The challenges also served as gatekeepers for all users of a particular webpage, instead of being presented to only suspicious users. There were early concerns that the technology presented accessibility challenges, but people soon became accustomed to the little checkbox that proved their humanity.
Putting CAPTCHA (and users) to work
Soon, CAPTCHA’s developers realized that the technology could be used for something more useful than just making users translate meaningless distorted text. They developed reCAPTCHA, which put users to work digitizing the New York Times archive since humans could decipher the distorted letters in old newsprint better than computers. In 2009, Google bought reCAPTCHA and put it to work digitizing Google books.
Then, in 2013, Google introduced the image recognition version of CAPTCHA, using photos from Google Street View. They used this image identification data to train their artificial intelligence to be able to recognize objects more effectively. The more the AI learned, the fewer advantages humans had, so, in effect, Google trained CAPTCHA to render itself obsolete.
By 2014, one of Google’s machine learning algorithms had a 66% higher success rate at solving text CAPTCHAs than humans, which meant it was time for another evolution.
CAPTCHA version 3: rise of the machines
Next, Google transitioned to “No CAPTCHA reCAPTCHA,” which, according to them, “uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on your website.” While Google is, as always, secretive about the inner-workings of its bot-detection algorithm, this approach was still a big step forward in employing CAPTCHA only for traffic that appears suspicious.
New types of CAPTCHAs have proliferated in recent years, such as math problems and word problems and forms of CAPTCHA that feel more like games. This variety of CAPTCHA code has helped keep the technology alive since hackers can’t just program a single script that will work on every web page.
Despite attempts to gamify CAPTCHA, many users (and developers) still view it as an annoyance.
The Pitfalls of CAPTCHA for UX
Throughout its existence, CAPTCHA has been a polarizing technology because, if poorly implemented, it can be both frustrating and ineffective.
The first issue with CAPTCHA is accessibility. Early CAPTCHA was a nightmare for people with visual impairments, who couldn’t read the warped characters on the screen. Developers soon added audio CAPTCHA so users could hear the letters instead, but accessibility concerns remained. For example, a 2016 study found that users with learning disabilities had more difficulties and a more negative attitude toward CAPTCHA tests.
Then there’s the problem of frustration. As CAPTCHA challenges have become more complex in order to throw off bots, they’ve become increasingly time- and labor-consuming for users.
Another 2016 study compared different types of CAPTCHAs. They found that text-based challenges were the most frustrating for users, and math tests had the lowest success rate, and while picture identification and games ranked highest for UX, they also took the longest. Ultimately, they concluded that “none of the existing tests are ideal.”
Finally, there’s the issue of efficacy. CAPTCHA has a net positive impact on UX only if it actually works at providing a less spammy internet experience for everyone. But sophisticated bots are increasingly capable of solving CAPTCHA puzzles. In addition, “CAPTCHA farms”—in which spammers pay human workers to take CAPTCHA tests for pennies—have been around for years.
To be fair, it’s immensely challenging to devise a test so universal that any human can pass it. Professor Jason Polakis explained the conundrum to The Verge: “You need some type of challenge that works with someone from Greece, someone from Chicago, someone from South Africa, Iran, and Australia at the same time. And it has to be independent of cultural intricacies and differences. You need something that’s easy for an average human, it shouldn’t be bound to a specific subgroup of people, and it should be hard for computers at the same time. That’s very limiting in what you can actually do.”
Making CAPTCHAs Work for Everyone
For all its potential for misuse, CAPTCHA is still an important tool in bot defense. The key is to employ it only when a user’s behavior is suspicious, and they’ve been flagged as a potential bot.
There are multiple ways to determine this, some of which move beyond the realm of traditional CAPTCHA. For example, “continuous authentication” looks for physical cues in user interactions with web pages. Are they filling out web forms with superhuman speed? Are their cursor movements more precise than humans, with our imperfect motor skills?
Web developers can use this adaptive approach in conjunction with CAPTCHA tests. Auth0’s bot-detection feature constantly assesses risk by looking at every IP address interacting with a website and determining the likelihood that it’s a bot. It analyzes the behavior of this IP address across the internet and assigns it a reputation score. If that score is low, the bot-detection engine faces the user with a CAPTCHA. Auth0 tenants who enable this feature can choose from a generic CAPTCHA or use Google’s reCAPTCHA.
This type of use lets CAPTCHA work the way it was intended to, without creating needless obstacles for legitimate users.
In addition, it’s important to implement the right kind of CAPTCHA code: one that assigns tests randomly and doesn’t reuse the same solution. For that reason, it’s inadvisable for developers to write their own CAPTCHA script or use a free plugin without knowing its origins.
In the future, the pendulum may swing toward forms of CAPTCHA that identify humans not by our ability to outperform bots but by our tendency to make errors that AI would not. For instance, in 2017, Amazon patented the Turing Test via failure. This type of CAPTCHA presents users with challenging tests that humans tend to fail, and bots answer correctly.
Some websites also use honeypots, a form of CAPTCHA invisible to human users. This method inserts fields onto a screen that are visible only to bots, tricking them into filling out forms and proving they’re not human.
Finally, CAPTCHA shouldn’t be your only defense against bots. Social logins—which allow users to verify their identity via their social media account or another trusted identity provider—are another useful method to restrict website usage to actual human beings.
CAPTCHA Is Changing, but It’s Not Going Anywhere
As long as there are spammers trying to create fake accounts, there will be a need for technology that separates human users from spambots. Because of that, some form of CAPTCHA technology will always exist, evolving in parallel with AI.
The CAPTCHA of the future probably won’t look anything like the “find the street sign” challenges of today. But for now, these simple tests are still part of a smart bot-detection strategy. Website designers who employ CAPTCHA need to be open to this evolution and always employ the technology thoughtfully to ensure they’re not punishing their human users.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.