Think Your Site Needs CAPTCHA? Try These User-Friendly Alternatives.

April 9, 2014

This post was updated on 12/3/14.


If you’re like most Internet users, you’ve been there before: you fill out a form on a website, and you’re faced with something like this:


Perhaps the most loathed of all Internet security measures, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) attempts to weed out bots from legitimate users by presenting a test that is easy for a human, but difficult or impossible for a computer.

CAPTCHAs are a nice idea in theory. They’re meant to keep spam comments at bay and prevent bots from harvesting email addresses. They’re also very commonplace; according to Luis von Ahn, one of the creators of CAPTCHA, about 200 million CAPTCHAs are completed every day. But they present some serious user experience problems. We tested the CAPTCHA experience with our panel, and here’s what we learned:

3 UX Problems

1. They interrupt the user’s workflow.

They put one extra, irritating step between users and the tasks they want to accomplish. Plus, even the better versions can be difficult to read. The older version of ReCAPTCHA is one of the more well-known CAPTCHA generators out there. With the old ReCAPTCHA, users decipher scanned images of text from old books, allowing the books to become digitized. The advantage to the user is that the text is made of actual words, not random strings of numbers and letters. Nice idea, but the words can be tricky to make out, even if your vision is perfect.

Hard-to-read text can cause errors and slow you down even further.

2. They’re not accessible.

This brings up the second major usability problem: CAPTCHAs are excessively difficult for people with visual disabilities. Some offer audio alternatives, but those are often even harder to decipher (and pretty scary-sounding!)

3. They put the burden on legitimate users.

Beyond the usability and accessibility concerns, there’s a disturbing flaw at the core of the whole thing. The fundamental problem is that CAPTCHAs force humans to complete undesirable tasks because of issues that are beyond their control — and not their fault.

With CAPTCHA, website visitors are presumed guilty until proven innocent.

If you owned a brick-and-mortar store and wanted to prevent shoplifting and vandalism, you wouldn’t require all shoppers to pass a background check before setting foot in your showroom. That would be hugely inconvenient for your customers — and a disaster for your bottom line. Unless you offered something customers absolutely couldn’t buy anywhere else, they’d probably avoid the trouble altogether and shop with your competitors instead.

Alternatives to CAPTCHA

Easier and more enjoyable tests

Because completing CAPTCHAs is so unpalatable, several more user-friendly alternatives have popped up. Some of these, like PlayThru and Sweet Captcha, gamify the process of proving you’re a human.


While playing an easy game is more enjoyable than entering a string of text, the games are generally not accessible to users with visual impairments. If an option is available at all for visually-impaired users, it’s the scary, difficult audio CAPTCHA from before. What’s more, users are so accustomed to completing normal CAPTCHAs that gamified alternatives can be seen as annoying or juvenile.

I feel like it makes it look unprofessional. Maybe if it were a kids’ site, you might need animated CAPTCHA, but if anything, it’s more of a pain in the butt.
-raquelmelody, United States, member of UserTesting panel

Other alternatives are Text CAPTCHA and Egglue, which ask simple questions humans can answer using logic or intuition rather than pattern recognition alone.

NuCaptcha uses behavior analysis to assess each visitor’s risk level. Then it assigns easy or difficult CAPTCHAs based on how likely it is that the visitor is a bot. Visitors who behave like humans are given very easy tests to complete.

The downside of these options is that they still disrupt the user’s workflow. While they might be less frustrating, they still create a barrier between the user and their goal.

Honeypots

Honeypots are traps made to catch bots without ever being noticed by human users. The most common example is the hidden form field. With this solution, an extra field is included in the web form and then hidden from human users with JavaScript or CSS. Bots, however, will still “see” the field and fill it out. If the field is filled out, the form is automatically rejected.

This solution isn’t perfect, though. Visitors who use screen reader software will still encounter the field, creating more confusion and increasing the chances they’ll fail the test. To work around this problem, you could label the form field something like, “Leave this field blank,” but this is still likely to confuse users.

Verified sign-in

Another option for confirming visitors are human is to require them to sign in with an account such as Facebook, Twitter, or Disqus. (We use Disqus for comments on the UserTesting blog.) This solution is popular for blogs because it includes the side benefit of removing the anonymity that mean-spirited users rely on when they leave rude or offensive comments. Tying comments to a social account adds a level of responsibility that discourages trolls.

The obvious problem here, though, is that not all users have the required social account. This can be mitigated by using a service like Janrain or Gigya that allows users to choose from a wide variety of accounts to log in with, rather than just one or two.

Janrain gives users multiple sign-in choices.

But there’s still one problem remaining: many users aren’t comfortable using their social account information to log into an unfamiliar website. They might be concerned that this is an invasion of privacy, or that the website will post updates to their account without their permission.

Time stamps

A big difference between humans and robots is the speed at which we complete tasks. When humans encounter a form, it takes us a few moments to read each field, decide what to input, and then type the text. Bots, on the other hand, can populate a form instantly. By using time stamps on your site, you can reject forms that are filled out too quickly.

This might not be secure enough to stand alone, though, as some of the sneakier bots are programmed to take longer to fill out forms to specifically avoid this trap. Plus, for returning visitors with cookies enabled, the form may auto-populate, causing the visitor to be wrongfully identified as a bot.

Checkboxes

One of the best solutions is to include a client-side JavaScript checkbox that says something like, “I am a human.” The idea is that by generating the checkbox client-side, only legitimate users will be able to see and check the box.

This is one part of Google’s solution for a new “no CAPTCHA ReCAPTCHA,” which you can see below.

[Image: the new ReCAPTCHA]

There are some concerns about bots that are clever enough to read the JavaScript or CSS and work around the checkbox solution, so additional measures could be added for security. For example, you could also implement a secondary checkbox that says, “I am not a human.” Bots that are programmed to check all boxes on a page will fall for the trap of checking both boxes. The secondary box could even be hidden using JavaScript so that users wouldn’t see the box and be tempted to click it just to see what happens.

Here are some resources to check out if you’re interested in this solution:

What’s a website owner to do?

To determine which alternative is best for your site, you should ask yourself why you need the additional security measures.

For blog owners looking to prevent spam comments, a social sign-in solution might be right — if users are open to it. While it could discourage some users from engaging in the conversation, it would be effective at preventing bots from spamming your blog with backlinks. Run tests with your users to find out if they would actually use a verified sign-in, or if it would cause an uproar of privacy concerns.

For e-commerce sites that need to verify a visitor’s validity at the point of purchase, any additional steps between the user and the purchase can reduce conversions. If you can use an alternative that doesn’t interfere with the user’s workflow, you’ll stand a much better chance of making the sale and keeping the user happy. The very best solution is one your users never notice. Consider using honeypots, time stamps, or checkboxes — or a combination of these.
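
A combination of the three invisible checks described above (honeypot field, time stamp, and checkbox pair), as an added server-side example in Node.js that is not from the original post. The field names `website`, `not_human`, `is_human` and `ts_token` and the 3-second and one-hour thresholds are assumptions; the time stamp is HMAC-signed so that a client cannot back-date it.

```javascript
// Added example: server-side checks for a form that carries a honeypot field,
// a signed render time stamp, and a decoy checkbox. Field names are assumptions.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // per-process key; load a stable key from config in production
const MIN_FILL_MS = 3000;              // assumed threshold: faster than this looks automated
const MAX_AGE_MS = 60 * 60 * 1000;     // assumed: tokens older than one hour are stale

function sign(value) {
  return crypto.createHmac('sha256', SECRET).update(value).digest('hex');
}

// Called when the form is rendered; the result goes in a hidden "ts_token" field.
function issueToken(now = Date.now()) {
  const ts = String(now);
  return `${ts}.${sign(ts)}`;
}

// Returns the render time in ms, or null if the token is missing or was altered.
function readToken(token) {
  const [ts, mac] = String(token || '').split('.');
  if (!ts || !mac || !/^\d+$/.test(ts)) return null;
  const expected = Buffer.from(sign(ts));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return Number(ts);
}

// Returns { ok, reason } for a parsed form body.
function checkSubmission(body, now = Date.now()) {
  if (body.website) return { ok: false, reason: 'honeypot-filled' };       // hidden field must stay empty
  if (body.not_human) return { ok: false, reason: 'decoy-checked' };       // hidden "I am not a human" box
  if (!body.is_human) return { ok: false, reason: 'human-box-unchecked' }; // script-rendered "I am a human" box
  const renderedAt = readToken(body.ts_token);
  if (renderedAt === null) return { ok: false, reason: 'bad-token' };
  const elapsed = now - renderedAt;
  if (elapsed < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  if (elapsed > MAX_AGE_MS) return { ok: false, reason: 'stale-token' };
  return { ok: true, reason: 'passed' };
}
```

Signing the time stamp stops a client from editing the hidden value to look slower; it does not stop a bot that deliberately waits, which is why the checks are combined. Logging the `reason` for each rejection shows whether a threshold is also catching legitimate visitors, such as those whose browser auto-populated the form.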