CAPTCHAs, automated public Turing tests to distinguish computers from humans, are now widespread on the web. They are designed to prevent spambots from spamming websites with unwanted content and provide a quick solution to the growing spam problem. However, CAPTCHAs are not without negative consequences, particularly in terms of user experience and conversions.
You've probably tried to access certain websites and been bombarded with a series of puzzles that require you to correctly identify traffic lights, buses or pedestrian crossings to prove you're human before logging in.
The fully automated public Turing Test to distinguish computers from humans, better known by the acronym CAPTCHA, is a technology designed to seamlessly protect a website from fraud and abuse. Puzzles are intended to ensure that only authorized users can access the website and that there are no automated interventions.
The robot countermeasure dates back to the 1990s and the acronym dates back to 2003, with the technology starting with a distorted series of letters and/or numbers.
Why are CAPTCHAs a nuisance?
Spam is bad, but CAPTCHAs are no better
With the rapid growth of the Internet at the end of the last century, spam became a nightmare for many websites. Webmasters were desperately looking for a solution to the spam problem and CAPTCHAs proved to be a quick answer. However, it quickly became clear that spambots and their creators were not as easy to fool as previously thought, and they soon found ways to bypass CAPTCHAs. Nevertheless, CAPTCHAs continue to filter some spam, justifying their continued use.
CAPTCHAs are a barrier to legitimate visitors
CAPTCHAs not only block spambots, but also act as a barrier to legitimate human visitors. Worse, they prevent search engine crawlers from accessing CAPTCHA-protected content. If content is only accessible after correctly entering a CAPTCHA, it is obvious that this content is inaccessible to search engines, which do not bother to fill out CAPTCHAs and simply redirect to the next, more inviting page.
CAPTCHAs and data loss
Poorly implemented CAPTCHAs can, in the worst case scenario, lead to data loss. Imagine a nearly unreadable CAPTCHA or a form that erases all entered data after a CAPTCHA error, forcing the frustrated user to start over. How many users will bother to fill out the form again, for example to complete a purchase?
CAPTCHAs affect conversions
CAPTCHAs are problematic from a usability perspective, and as previously mentioned, if they prevent search engines from indexing CAPTCHA-protected pages, they are also harmful to search engine optimization. But the real damage comes when you think about making changes. CAPTCHAs literally kill conversions, which is probably their biggest disadvantage when it comes to SEO.
Lost conversions are more harmful than spam. Spam can be irritating, but it doesn't hurt your business in the same way as lack of conversions. Although results vary from site to site, enabling CAPTCHAs can significantly reduce conversions. For example, a CAPTCHA on a newsletter signup form could cut the number of subscribers in half because many users won't even bother trying their luck with the CAPTCHA. On an e-commerce site, a CAPTCHA might save you from a few bad orders, but the number of frustrated customers will be much higher.
Difficult and illegible CAPTCHAs
In general, the more difficult and illegible a CAPTCHA is, the greater the decline in conversions. If you doubt this, experiment with CAPTCHAs of different difficulty levels on your website and note the results.
Standard CAPTCHAs, which require the user to enter letters and numbers, are the most acceptable, but remain a significant obstacle. Audio and video CAPTCHAs are particularly problematic, as listening or watching and completing them can take up to a minute of your time User can use. It's no wonder that audio and video CAPTCHAs have the highest abandonment rates.
Alternatives to traditional CAPTCHAs
As artificial intelligence and machine learning techniques advance, bots are able to bypass these tests with amazing ease. For example, some bots use optical character recognition (OCR) to read distorted letters or numbers, or image recognition to identify requested objects. Other bots exploit CAPTCHA errors or errors to invalidate or ignore them.
Given this situation, some websites have opted for alternative solutions to CAPTCHAs, such as Google's reCAPTCHA service, which analyzes user behavior in the background and only requests a test if the risk is high. Other websites have forgone CAPTCHAs and implemented other security measures such as email or SMS verification.
Regardless, there are several alternatives to traditional CAPTCHAs that can improve user experience while protecting websites from spambots. Here are some of the most interesting options:
- Motion CAPTCHA: Instead of entering letters or numbers, the user is asked to reproduce a simple drawing, such as a triangle or a canvas.
- Are you human: This system uses the principle of clicking and dragging in a small game, such as placing shapes in boxes or marking a basketball hoop.
- Ajax Fancy CAPTCHA: Another fun alternative that requires the user to place a specific shape in a circle.
- Picatcha: The user must select the correct items from several available options, such as barcodes or binoculars.
- Solve Media: Combines advertising with CAPTCHAs that require the user to enter a message about an ad.
- The honeypot: A hidden field is added to the form. If this field is filled during submission, it indicates that this is a bot.
- Akismet: A plugin for WordPress that automatically detects questionable comments and places them in the junk folder.
These alternatives aim to reduce user frustration while providing effective protection against spambots. They can be particularly useful for websites that want to ensure a good user experience without compromising security.
Should we avoid CAPTCHAs? Gartner's analysis
So let's get back to basics: Why do some companies like to use CAPTCHAs? Well, the logic is simple. If your bot detection solution thinks the user is a bot, you can block that user. But no solution is perfect. What if the user is not a bot? So you just blocked a good user. And so the CAPTCHA represents an opportunity, it represents the hope that if this is indeed a good user, they can prove it by solving the CAPTCHA and moving on.
Why do some companies hate CAPTCHAs? Well, the solution rate of (good) people on CAPTCHAs can sometimes be quite low, which prevents good users from continuing. Additionally, for good users who solve the CAPTCHA, it is often an annoying addition to the user experience. And malicious actors' resolution rates on CAPTCHAs can sometimes be quite high, although this is a nuanced point because in some cases the bots may have been trained to solve CAPTCHAs, but in other cases bots hand the session over to a human to complete the CAPTCHA solve, there is a thriving industry of human-fed CAPTCHA solving services. Typically, people living in low-income environments earn a pittance per CAPTCHA and solve thousands of them every day.
So should you use a CAPTCHA or not?
I think so. Just don’t use Google’s version of CAPTCHA “Select a street sign from this image matrix”. Nowadays there are many much more advanced CAPTCHAs like Arkose Labs, GeeTest or PerimeterX that have their own approaches and nuances but still do a better job than the dreaded Traffic Image Matrix. Given the pressure to reduce false positives at most digital commerce companies, giving users the ability to prove they are human, rather than just blocking them, is worth considering. However, in a world where bad actors use humans to improve bots, you need a CAPTCHA that's smart enough to detect when people are solving the problem a little too quickly – perhaps a sign that they're doing these things always solve again. Recognizing this, CAPTCHA should be dynamically made more difficult to discourage such activities and make them commercially unviable. Using a CAPTCHA also forces a controlled interaction with the user, allowing greater insight into the user and their humanity.
Do not use CAPTCHA as the default for all sessions. Rely on your bot detection provider to detect and block most bot traffic, and just use CAPTCHAs in the real gray areas where you're not sure how humanely I would expect. That's certainly less than 5% of all sessions.
And run A/B tests, split your traffic and CAPTCHA into a single segment and compare the results. Make decisions based on real data and metrics, not preconceived ideas based on outdated approaches like Matrix Traffic Image.
One last interesting thing on the side: Amazon filed a patent in 2017 for a new type of CAPTCHA that is easy for machines to solve, but presents a visual challenge that humans would normally do wrong, and so the process is undermined – human fallibility can actually be the future when it comes to defeating bots.
Diploma
Although CAPTCHAs were designed to combat spam, their impact on user experience and conversions can be devastating. It's important for webmasters to find a balance between spam protection and usability to maximize conversions and user engagement.
Source: Gartner
And you ?
What was your most frustrating experience with a CAPTCHA and how did it affect your perception of security on the web?
Do you think CAPTCHAs are a necessary evil for online security, or are there more user-friendly alternatives?
Have you ever canceled an online purchase or registration because of a difficult-to-decipher CAPTCHA?
How have CAPTCHAs affected conversion rates on your own website or those you frequently visit?
What innovative solutions could you suggest to balance the need for security and a good user experience?
Are audio and video CAPTCHAs really the solution for users with visual impairments or do they represent another obstacle?
How can web developers and designers better consider users' needs while protecting their websites from spambots?