CAPTCHAs are meant to help distinguish between humans and bots by creating challenges that are easy for humans and hard for bots. In reCAPTCHA, this typically means challenges which require selecting certain kinds of objects, such as street signs, from a collection of images.
Before you consider using CAPTCHAs as a way to protect against automated attacks, it's important to be aware of the caveats.
- CAPTCHA challenges require user interaction, which increases friction and may decrease conversation rates.
- Due to the advances in computer vision and machine intelligence, CAPTCHAs are becoming less and less useful to distinguish between humans and bots.
- CAPTCHAs are also under threat from humans, paid by an attacker and able to solve all types of challenges. These sorts of attacks are only possible to slow down by showing challenges, but can be detected and stopped with the score.
- Accessibility is also a concern with any type of CAPTCHA. reCAPTCHA provides
a variety of accessible options but some users may have difficulty
regardless. The best way to create an accessible experience for your product
is to use a
Protecting an action with a CAPTCHA does provide value. It is extremely simple to add CAPTCHA-based protection to your site, and there is some cost for an attacker to break this protection.
In order to show CAPTCHAs to your users, you must use a
Key configured with
CHECKBOX integration type. This will show the classic "I'm not a robot"
checkbox, possibly followed by a CAPTCHA challenge.