What is reCAPTCHA? How Does It Work?

There are few things in this world as annoying, and pervasive, as spam. You probably get spam phone calls, spam texts, and spam emails. You’ve won a prize. You’ve broken a copyright law. You’ve placed an order and need to verify your account details. You can make $3,956 a day working from home doing this one cool trick. It sucks up our time and, if we fall for it, can be downright dangerous. 

But there’s also spam on many websites. Comment sections filled with links to less-than-reputable pages designed to phish for sensitive info or initiate a malware download. 

For site owners, spammy comment sections, fake user registrations, and false contact form submissions can add hours of work each week, make your site seem less legitimate, and put visitors and your entire reputation at risk. 

That’s where reCAPTCHA comes in. Owned by Google, reCAPTCHA is a free service that distinguishes real human users from automated bots. But there are pros and cons to implementing reCAPTCHA on your site, so you’ll need to weigh your options carefully in order to find an effective solution. 

In this post, we’ll take a closer look at reCAPTCHA and how it works. Then, we’ll explore the main drawbacks of reCAPTCHA, and consider a better alternative. Let’s jump right in!


What is reCAPTCHA?

reCAPTCHA is a free Google service that protects websites from spam. CAPTCHA tests were first introduced in 1997 as an extra layer of security against hackers and bots. 

These tests were deployed primarily on login pages and contact form pages. They generated distorted text and users had to decipher the words to pass the test. Since then, CAPTCHAs have become more complex to keep up with evolving technologies and bots. 

The advanced nature of CAPTCHA can cause problems for the user experience (UX) since it demands more input from site visitors. In fact, reCAPTCHA (introduced in 2007) presents more complicated challenges like puzzles and image identification, which typically require user interaction.

[Image: example of a CAPTCHA with images of cars]

In 2009, reCAPTCHA was acquired by Google. The original version is no longer available since it was found to be too easy for bots (using algorithms trained in pattern recognition) and too difficult for humans. 

So now, there are different versions of reCAPTCHA, which we’ll explore later in the post.

How does reCAPTCHA work?

reCAPTCHA uses artificial intelligence (AI) to differentiate between humans and bots. While the traditional CAPTCHA issued tests before allowing visitor access, algorithms trained in pattern recognition could quickly solve these challenges. 

Therefore, reCAPTCHA was introduced. As we discussed, the original version is no longer in use, but there are still two versions available. 

reCAPTCHA v2 requires users to select images or check the “I’m not a robot” box.

[Image: example form with reCAPTCHA]

Meanwhile, reCAPTCHA v3 aims to minimize the disruption to the user experience. Instead of requiring user interaction, it calculates scores based on user behavior. The website administrator can then allow or block access, but they can also issue further v2 tests, if needed, for verification.

The latest version of reCAPTCHA (v3) uses a JavaScript API to determine a score between 0 and 1. While a score of 0 is judged to be a bot, a score of 1 is almost always a human user. It uses a concept called “actions” which lets you define steps in your typical user journey.

This way, the reCAPTCHA technology learns how real users interact with your site so that it’s able to detect bot traffic. In fact, some websites deploy reCAPTCHA across all pages so that the technology has more user activity to work with. 

Distinction between CAPTCHA and reCAPTCHA

You might still be wondering about the difference between CAPTCHA and reCAPTCHA. First off, CAPTCHA is an umbrella term used to describe any website authentication test to separate humans from bots.

On the other hand, reCAPTCHA is a type of CAPTCHA test owned by Google. Note that there are several types of CAPTCHAs owned by different companies, and reCAPTCHA is just one of many. 

As we discussed, the original reCAPTCHA test was much more simplistic, primarily relying on word tests disguised with twisted letters. But now, there are different types of reCAPTCHA including images, checkboxes, and tests that require no user input at all.

The different types of reCAPTCHA

Now, let’s take a look at all the different versions of reCAPTCHA.

reCAPTCHA v1

reCAPTCHA v1 isn’t widely used anymore and was discontinued by Google in 2018. But this version of reCAPTCHA came the closest to emulating the traditional CAPTCHA tests that relied on object recognition.

In this instance, a user would be presented with a pair of words, one of which functioned as a control word and could be understood by a bot. The other word could only be recognized by human users. 

This CAPTCHA method was developed in the late 1990s and continued to be used throughout the 2010s. It also started using scanned words and photographs to make the tests more challenging, but it has since been replaced with more sophisticated reCAPTCHA tests.

reCAPTCHA v2

After reCAPTCHA v1 was shut down, it was replaced with reCAPTCHA v2, which currently consists of three versions. 

The first one is the reCAPTCHA v2 for Android, which is an API that can protect Android apps from bot traffic. The API integrates directly into Android apps, and in an attempt to preserve the UX, the API allows low-risk users to pass through easily. When needed, the API will present a challenge to the user to verify that they are human. 

Then there’s the reCAPTCHA v2 that most users are familiar with. This is the “I’m not a robot” checkbox. In this case, all that users have to do is check the box, rather than solve a complex test or problem. 

As such, it’s considered more user‑friendly than previous methods. Though it sounds simple, Google analyzes various factors like mouse movement and browsing history to detect bot activity.

Even more sophisticated is the invisible reCAPTCHA badge which requires no user input at all. Similar to the previous method, Google evaluates activities like mouse movement and typing patterns. This version of reCAPTCHA is triggered via a JavaScript API call or when a user clicks on a button. 

It’s still not a perfect solution since sophisticated bots that use AI technology can bypass the reCAPTCHA. And, it isn’t immune to CAPTCHA farms — which are businesses that employ human workers to solve reCAPTCHAs to aid cybercriminals and hackers. 

reCAPTCHA v3

In further attempts to improve the UX, Google introduced reCAPTCHA v3, which works similarly to the invisible reCAPTCHA badge. This version of reCAPTCHA works in the background, so it’s completely invisible to users and presents no tests.

The reCAPTCHA v3 method tracks all requests made by a user on a website, and every request is given a score between 0 and 1. As we discussed earlier, a score close to 0 is likely to be a bot whereas a score closer to 1 is judged as human.

The interactions monitored by the reCAPTCHA vary between websites. For instance, the administrator can provide examples of normal user interactions so that the reCAPTCHA can pick up on any deviation from the norm. 

reCAPTCHA v3 is the best version of the technology in terms of efficacy and UX. That said, it’s more difficult to implement since the scores must be defined by the administrator, which can be time‑consuming to set up.

With this in mind, you might automatically block users who return a score below 0.2. Then, scores between 0.2 and 0.6 may generate a CAPTCHA challenge to verify that the user is human. 

Meanwhile, any score above 0.6 may instantly be granted access. The issue is that a strict scoring system holds the potential to block out legitimate users while a lenient system may allow bots to bypass the reCAPTCHA. 
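
One way to apply the three score bands described above on the server, as an added example (not code from this article or from Google). It takes the parsed JSON that reCAPTCHA's siteverify endpoint returns (fields success, score, action, hostname, error-codes) and assumes the boundary values 0.2 and 0.6 fall in the challenge band; the function names, the "comment" action, the example.com hostname and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass

# Score bands from the article's example policy.
BLOCK_BELOW = 0.2   # scores under this are rejected outright
ALLOW_ABOVE = 0.6   # scores over this pass without a challenge


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow", "challenge" or "block"
    reason: str


def decide(resp: dict, expected_action: str, expected_hostname: str) -> Decision:
    """Turn a parsed siteverify JSON response into a gate decision."""
    # Fail closed: an unverified token carries no score worth trusting.
    if resp.get("success") is not True:
        codes = ", ".join(resp.get("error-codes", [])) or "no error code"
        return Decision("block", f"token not verified ({codes})")

    # The score describes the action and site the token was issued for,
    # so a token from another form or hostname says nothing about this one.
    if resp.get("action") != expected_action:
        return Decision("block", "action mismatch")
    if resp.get("hostname") != expected_hostname:
        return Decision("block", "hostname mismatch")

    score = resp.get("score")
    valid = isinstance(score, (int, float)) and not isinstance(score, bool)
    if not valid or not 0.0 <= score <= 1.0:
        return Decision("block", "missing or out-of-range score")

    if score < BLOCK_BELOW:
        return Decision("block", f"score {score} below {BLOCK_BELOW}")
    if score <= ALLOW_ABOVE:
        # Assumption: the boundary values 0.2 and 0.6 get a challenge.
        return Decision("challenge", f"score {score} needs a v2 challenge")
    return Decision("allow", f"score {score} above {ALLOW_ABOVE}")


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    {"success": True, "score": 0.9, "action": "comment", "hostname": "example.com"},
    {"success": True, "score": 0.4, "action": "comment", "hostname": "example.com"},
    {"success": True, "score": 0.1, "action": "comment", "hostname": "example.com"},
    {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"},
    {"success": False, "error-codes": ["timeout-or-duplicate"]},
]


def classify_samples() -> list:
    """Verdicts for the constructed samples, checked for the 'comment' form."""
    return [decide(r, "comment", "example.com").verdict for r in SAMPLES]


if __name__ == "__main__":
    for r in SAMPLES:
        print(decide(r, "comment", "example.com"))
```

Logging the reason alongside each verdict gives you the data to see how many legitimate visitors land in the block and challenge bands before tightening either threshold.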

Challenges and downsides of reCAPTCHA

Now that you know the different types of reCAPTCHA, let’s take a look at the main limitations. 

1. Impact on users with disabilities

It’s imperative to design web content in a way that’s accessible to people with disabilities. This way, your enterprise site can comply with the Americans with Disabilities Act (ADA) and the Web Content Accessibility Guidelines (WCAG). 

The problem is that many reCAPTCHA tests are visual and require users to identify images or text. This has been shown to discriminate against users with visual impairments. And since they’re designed to be unreadable by machines, screen readers are unable to interpret them.

Additionally, audio reCAPTCHA tests alienate users with hearing impairments. Meanwhile, the mathematical equation tests are believed to be more accessible to users with vision impairments, but these can exclude those with cognitive disorders like dyscalculia. 

2. Annoyance and frustration

Many users may find reCAPTCHA annoying. When you expect instant access to a page, and instead you’re required to check a box or complete a task, it’s natural to become frustrated.

This can lead to early exits. High bounce rates can send signals to search engines that users don’t find your website valuable. Therefore, it can result in both traffic and revenue loss.

3. Data collection and privacy concerns

In order to differentiate between bots and humans, reCAPTCHA v3 and the invisible reCAPTCHA badge analyze data like mouse navigation and click patterns. Since this is classified as personal data, this method of reCAPTCHA requires privacy compliance.

There are plenty of laws and regulations that exist to protect user privacy on the internet. Most notable, perhaps, is the General Data Protection Regulation (GDPR) in the EU, but there’s also the Colorado Privacy Act, the Utah Consumer Privacy Act, the California Consumer Privacy Act, and many more.

Therefore, it’s important to gather consent from users if you plan to implement reCAPTCHA. Google recommends a privacy policy that informs users of the data collected, the data shared, and a statement that tells users how the data will be used.

That said, this is considered the bare minimum in terms of privacy, so it’s useful to have a proper look into what should be included. This is very important since non-compliance can damage your reputation, erode customer trust, and lead to heavy financial penalties. 

4. reCAPTCHA’s decreasing effectiveness

Another potential problem with reCAPTCHA is its effectiveness given the emergence of artificial intelligence. In fact, researchers from the University of Columbia created reCAPTCHA attacks that managed to solve 70 percent of all challenges. 

This shows that reCAPTCHA is no longer as effective as it once was, whether that’s down to AI, CAPTCHA farms, or internal logic. What’s more, reCAPTCHA v3 requires the analysis of user behavior.

reCAPTCHA needs a large volume of data to determine normal human interactions and tell them apart from bots. But this technology relies on a client‑side fingerprinting approach, which advanced bots can bypass easily.

5. Potential for false positives

The final drawback to reCAPTCHA is that there is still the potential for false positives, which can block legitimate users from your site. For instance, enterprises that prioritize security may adopt a strict scoring system for reCAPTCHA v3. This makes it harder for users to score 1. 

To give you an example, many administrators grant low scores to users who submit forms very quickly. That said, some human users are naturally quick typers, but going by this system, they may be flagged and denied access to your website. 

Additionally, researchers from the University of Toronto found that reCAPTCHA gives lower scores to users who don’t have a Google account. Therefore, privacy-conscious visitors who use private browsers or VPNs are more likely to be mistaken for bots.  

Akismet: The better alternative to reCAPTCHA

Considering the challenges and drawbacks of reCAPTCHA, you may be cautious about deploying it on your website. Instead, you might prefer an alternative anti‑spam solution that is more inclusive and doesn’t disrupt the UX.

Akismet was developed by Automattic (the same team behind WordPress.com) and it’s one of the leading anti‑spam plugins. It protects you against form, comment, and text spam.

[Image: Akismet homepage with the text "spam shall not pass"]

Since 2005, Akismet has removed over 500 billion pieces of spam across 100 million sites. The plugin is powered by machine learning, which explains how Akismet detects spam with a 99.99 percent accuracy rating.

Unlike reCAPTCHA, Akismet doesn’t require too much from your visitors. Instead, it operates behind the scenes, so it doesn’t add friction to your UX. This means that users may be more likely to stay on your website, helping you get more conversions and sales.

How Akismet works

Akismet analyzes every piece of user‑submitted content to prevent a range of online attacks. This analysis takes place in real time, so you can block suspicious activity before it even reaches your site.

It’s best to think of Akismet as a filter, where legitimate submissions are allowed to pass through, but spam submissions are denied. This saves you from manually reviewing every submission.

As mentioned earlier, Akismet is powered by machine learning algorithms. This enables the plugin to compare the content of submissions against a database of known spam. Plus, it integrates with popular form plugins, so you’re not limited to blog comment spam.

You’ll also get access to monthly and annual spam charts. This way, you can check your spam accuracy rating, false positives, and more. 

The Akismet plugin is simple to install on WordPress, but you will need an API key to connect to the Akismet database.

Benefits of Akismet over reCAPTCHA

Now that you know more about Akismet, let’s look at the benefits of using this plugin over reCAPTCHA. 

1. Improved accessibility

As we discussed earlier, one of the limitations of reCAPTCHA is that some versions require users to decipher visual or auditory information. Other versions contain mathematical equations or ask users to complete checkboxes.

This can exclude those with cognitive, hearing, or visual impairments. Therefore, if you want to keep an accessible website, you’re better off using a CAPTCHA alternative like Akismet. 

Akismet doesn’t require any user interaction. It works silently behind the scenes, so users can submit content without running into any obstacles. 

2. Enhanced user experience

All kinds of reCAPTCHA (except v3) add friction to the user experience, as they require individuals to check a box or complete a test. This delays access to a page or resource, which can lead to frustration on the user’s part. 

Akismet doesn’t interfere with the UX. It operates in the background, so most users aren’t even aware of it. Additionally, the spam data is stored in the cloud, so the plugin doesn’t impact site speed.

3. Privacy protection

While reCAPTCHA can reduce spam submissions, it does so by gathering personal data, which means you have to obtain explicit consent from users. Plus, privacy-conscious users may be perturbed by data collection. 

Akismet also collects personal data, but only that which is needed to carry out spam protection. According to the GDPR, this is classified as a “legitimate interest” use of that data. 

In the plugin settings, you can easily enable a privacy notice that informs users about this. The company never sells personal data gathered through the plugin. You can check out the full privacy policy here.

4. Better spam detection

reCAPTCHA is primarily an anti‑spam measure, but the effectiveness of reCAPTCHA has been challenged by advances in AI technology and the growth of CAPTCHA farms.

Akismet has a long reputation for detecting spam with very high accuracy. Currently, the plugin boasts an overall accuracy score of 99.99 percent, but you can view the exact spam accuracy score within your Akismet dashboard.

5. Reduced false positives

Earlier, we mentioned the fact that some versions of reCAPTCHA frequently result in false positives which block legitimate users from websites. This is especially true in the case of reCAPTCHA v3 (where administrators have to define their own rules) and for users who opt for private browsers and VPNs. Not only is this frustrating for users, but it can also result in revenue loss for organizations.

With Akismet, submissions are analyzed in real time and with incredible accuracy. Additionally, there are systems in place that make it easy for websites to report false positives.

When it comes to forms, you can simply remove submissions from the spam list. For comments, all you have to do is check the relevant boxes and use the Bulk actions dropdown menu to select Not spam. 

Frequently asked questions

This guide has answered questions like “what is reCAPTCHA” and “how does reCAPTCHA work”, but you may still be looking for clarification on this technology. We’ll answer some other common questions in the next section.

What is the primary purpose of reCAPTCHA?

The primary purpose of reCAPTCHA is to differentiate human users from bots in order to block spam and other forms of online abuse. It is a type of technology that deploys adaptive challenges like image identification and checkboxes that detect suspicious behavior. 

How does reCAPTCHA differentiate between a human and a bot?

Depending on the version of reCAPTCHA, different factors are considered to distinguish between bots and humans. For example, some reCAPTCHA tests track cursor movement, typing patterns, and browser history. 

reCAPTCHA v3 evaluates these factors to generate scores. Scores closer to 0 are judged to be bots while those closer to 1 are considered human. 

What are the key differences between reCAPTCHA v2 and v3?

There are some key differences between reCAPTCHA v2 and v3. reCAPTCHA v2 includes three different methods including the Android API, the “I’m not a robot” checkbox, and the invisible reCAPTCHA badge. All of these, except the badge, require user interaction. 

reCAPTCHA v3 doesn’t require user input. Instead, it monitors certain factors like mouse movement and typing patterns to return a score between 0 and 1, which helps systems detect bot traffic. 

Is reCAPTCHA completely effective against bots and automated attacks?

reCAPTCHA is an anti‑spam service that attempts to block bots and prevent automated attacks like distributed denial of service (DDoS) attacks. The problem is that several researchers have questioned the effectiveness of reCAPTCHA. For instance, researchers from the University of Columbia launched low‑risk bot attacks that solved over 70 percent of all challenges.

How does reCAPTCHA impact the overall user experience on websites?

Most versions of reCAPTCHA require users to solve mathematical problems, decipher images and text, or simply check a box. While this may not sound too problematic, it adds friction to the user experience.

It delays users from accessing the desired page or resource, which can be frustrating. In turn, this can lead to early exits — which affect bounce rates, traffic volume, revenue, and more. 

Can reCAPTCHA be bypassed or tricked by sophisticated bots?

There are ways for cybercriminals and bots to bypass reCAPTCHA tests. To do this, all they have to do is raise the trust score by mimicking normal human behavior on a web browser. 

They can achieve this effect by using a resistant TLS fingerprint. Plus, hackers can execute JavaScript using browser automation tools, and rotate JavaScript fingerprint details. 

What are the implications of reCAPTCHA for user privacy?

Since reCAPTCHA gathers personal data about the user’s browser and device, certain states and countries require companies to get user consent. In particular, the GDPR ensures that visitors know how websites use, process, and store their information. 

Therefore, you’ll need to obtain explicit consent. It’s also important to display a privacy policy on your site. Otherwise, you may encounter hefty financial penalties. 

Are there any alternatives to reCAPTCHA that offer similar or better functionalities?

Although reCAPTCHA is capable of blocking some spam, it can interfere with the UX and discriminate against those with disabilities. Therefore, you might prefer a more user‑friendly alternative, like Akismet.

Akismet works in the background of your site, so it requires no user interaction. It also filters spam with an impressive accuracy rating of 99.99 percent, which means it rarely produces false positives. 

How accurate is Akismet at stopping spam?

Akismet filters comment, form, and text spam with a 99.99 percent accuracy rate. Plus, it analyzes submissions in real time to maximize threat protection. And there are systems in place to report false positives, which makes Akismet much more effective than reCAPTCHA.

How many sites use Akismet?

Akismet is installed on over 100 million websites, and the plugin has blocked over 500 billion spam submissions. Better yet, it’s trusted by plenty of enterprise brands like Microsoft, ConvertKit, Bluehost, and WordPress.com.

Are there any case studies of companies that use Akismet?

If you want to know how Akismet has helped real brands, you can check out some case studies. 

For instance, ConvertKit implemented Akismet to filter out spam and automate spam prevention. Smitten Kitchen automated spam detection in the comments section of recipes, which has helped prevent the presence of affiliate links and irrelevant promotions. 

Where can I learn more about Akismet?

If you want to learn more about the service, you can find a lot of free resources. Akismet also has a dedicated support page to help you set up and use the plugin. And the Akismet blog is frequently updated with useful articles. 

Akismet: The best spam solution for your website

Spam is a concern for any site administrator, since it can make your site appear less trustworthy and lead to cyberattacks. While reCAPTCHA is one solution for preventing spam, it may not be the best option in terms of user experience.

reCAPTCHA v3 runs in the background of your site, but it can still be frustrating for visitors. Additionally, it can exclude those with disabilities and incorrectly block legitimate visitors. Therefore, you might prefer a better alternative, like Akismet.

With a 99.99 percent accuracy rating, Akismet is excellent at blocking comment, form, and text spam. It also analyzes submissions in real time, and it doesn’t interfere with the UX. Get started with Akismet today.