Do CAPTCHAs work and what's the alternative? | Imperva


We know you’re busy, so the answer is “No”. Users want less friction, and a good bot detection and mitigation solution will do the job MUCH better.

The first lesson on the first day of UI school is that users want the path of least resistance. While the gamification of cybersecurity does have a certain appeal, and CAPTCHAs do work for a simple bot, it’s still an unnecessary resistance when all your customers want to do is open an account on your website to make a purchase.

CAPTCHAs are a popular (if somewhat misguided) tactic for mitigating bad bot activity. A CAPTCHA is a valid obstacle that will block automated traffic in some cases, but CAPTCHA solutions can create confusion and friction among users: some textual and numerical CAPTCHAs demand answers in the correct upper and lower case, while others don’t care. They’re also difficult to see if you’re even slightly visually impaired – I only have varifocals, and they’re still a pain – and if the people who manage websites can’t read the security checking tool, there must be something fundamentally flawed with the system. No wonder they are such a killer for bounce and conversion rates.

Most users don’t understand why they have to complete a CAPTCHA, and to the more savvy user CAPTCHAs don’t even feel like protection. They perceive CAPTCHAs as dated ‘HTML-style’ solutions to modern problems, and they have reduced faith in sites that use them to protect their data. To be fair this is justifiable, as CAPTCHAs don’t ‘technically’ work anymore. They offer little resistance to dedicated bots – the entire reason for a CAPTCHA’s existence. ‘CAPTCHA farms’, where malicious actors and scalpers pay human workers to take CAPTCHA tests for $0.18 – $0.94 for every 1,000 CAPTCHAs solved, have been available to spammers for nearly a decade.

I have to be honest; I really don’t like the whole CAPTCHA approach – especially the versions containing grids of multiple or segmented images. As an Englishman, I have no idea if that’s a side-walk or a cross-walk in the picture, and a stop sign should say ‘stop’ to me (and isn’t a traffic light). Jam and jelly. Trousers and pants. Potato/patato. Imagine how people feel if US English is their second or third language…

Photo CAPTCHAs take a long time to complete compared to their numerical or text alternatives. I just want to buy some wood glue and Eco dishwasher tablets, not compete on a TV game show. Also, is it just me or does being asked if I’m a robot come over as kinda rude (maybe that’s just the English thing again)? Especially as we all know CAPTCHAs are now used for training AIs.

It’s not all squiggly words and blurry pictures. Technically, asking people to sign in with their social media accounts (Facebook, Google, whatever) is still a CAPTCHA – though this isn’t trusted by users who are justifiably becoming more and more protective of their personal information. Some CAPTCHAs are time-based or examine mouse movements and how/where we click for allegedly robotic behaviors. Honeypot CAPTCHAs, which trick a bot into filling out invisible fields in a form that users can’t see, worked for a little while, but they were soon circumvented by black hat hackers and their malicious programs. As cyber threats become more and more sophisticated there are bot workarounds for all of these methods, making them essentially redundant.
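The honeypot-field and time-based checks described above, sketched server-side as an added example (not code from this article or from any Imperva product). The field name `website`, the hidden `form_token` input and both thresholds are assumptions; the last constructed sample passes both checks, which is the workaround problem the paragraph describes.

```python
import hashlib
import hmac

HONEYPOT_FIELD = "website"  # hypothetical field name, hidden from people with CSS
MIN_FILL_SECONDS = 3        # assumed threshold: faster than a person can type
MAX_TOKEN_AGE = 3600        # assumed lifetime of a rendered form, in seconds

def _sign(secret: bytes, issued_at: int) -> str:
    return hmac.new(secret, str(issued_at).encode(), hashlib.sha256).hexdigest()

def issue_form_token(secret: bytes, now: int) -> str:
    """Value for a hidden input, recording when the form was rendered."""
    return f"{now}.{_sign(secret, now)}"

def check_submission(form: dict, secret: bytes, now: int) -> str:
    """Return 'ok' or the name of the signal that fired."""
    # Honeypot: people never see this field, so any value came from automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot_filled"
    # Time-based: the token must be ours, unmodified, and of plausible age.
    issued, _, sig = form.get("form_token", "").partition(".")
    if not issued.isdecimal():
        return "bad_token"
    expected = _sign(secret, int(issued))
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad_token"
    elapsed = now - int(issued)
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_TOKEN_AGE:
        return "expired"
    return "ok"

# Constructed sample submissions (not real traffic): (form fields, arrival time).
SECRET = b"constructed-demo-secret"
T0 = 1_700_000_000
TOKEN = issue_form_token(SECRET, T0)
SAMPLES = {
    "person": ({"email": "a@example.com", "website": "", "form_token": TOKEN}, T0 + 25),
    "form_filler_bot": ({"website": "http://x.example", "form_token": TOKEN}, T0 + 25),
    "instant_post": ({"email": "c@example.com", "form_token": TOKEN}, T0 + 1),
    "forged_time": ({"form_token": f"{T0 - 60}.{'0' * 64}"}, T0 + 1),
    "bot_skipping_hidden_fields": ({"website": "", "form_token": TOKEN}, T0 + 5),
}

def classify_samples() -> dict:
    return {name: check_submission(f, SECRET, now) for name, (f, now) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28} {verdict}")
```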

CAPTCHAs are one of the ways to combat bots, but there are more sophisticated ways of doing it that are more comprehensive and provide no friction to the user – such as machine learning models. CAPTCHAs are ok on login pages that are being pounded by credential stuffing, but bad in the shopping cart.

Putting it simply, block bots, malicious applications, and nefarious addresses automatically with an appropriate bot detection and mitigation solution – don’t block genuine users. Use a system that’s painless and seamless to the customer, offering an enterprise security team zero friction and clear visibility over human, malicious bot, and good bot traffic. Employ a genuine fix where you can view threats by the country, organization, and traps, then block devices, IPs, and/or competitors. Use a real working resolution around CAPTCHA farms and bots without putting that responsibility on the people who just want to buy your products with minimal interference and as few clicks as possible.

Our own bot detection and mitigation solution is flexible and adaptable, blocking potential problems in real-time and automatically mitigating all of the OWASP automated threats, directly out of the box. We develop security products for security teams, so you won’t be swamped with false positives – and we can prove our accuracy claims with a false positive report showing CAPTCHAs served, attempted, and failed.

Oh, did we also mention that right now you can get a free no-obligation trial of our Advanced Bot Protection, Cloud WAF, DDoS, CDN, and more?

Life’s complicated enough. Vive la path of least resistance.