CAPTCHA vs. reCAPTCHA – publisher’s tools to fight bots

Brief history of CAPTCHA and reCAPTCHA

The program’s name is quite interesting, as it includes the term “Turing test” – a way to evaluate whether a machine can exhibit human-like, intelligent behavior. Alan Mathison Turing (1912-1954), the test’s inventor, was an English mathematician and cryptanalyst well-known for his work deciphering Enigma messages during World War II and for posing questions like “Can machines think?” as early as 1950! His idea turned out to be extremely helpful over 40 years later (in 1997) for the inventors of CAPTCHA. Its first version presented words obscured by distorted letters and subtle background noise. To successfully complete the test, users had to decipher and input the displayed word accurately.

In 2007, another breakthrough occurred – reCAPTCHA was invented by Luis von Ahn of Carnegie Mellon University (Pennsylvania, USA). The new tool was not only stopping bots from entering a site, but also helped digitalize books, magazines, journals, and newspapers. Instead of made-up, distorted words, users were presented with fragments of real, archived text. Two years after the invention, in 2009, Google purchased reCAPTCHA. Nowadays, it’s the most popular antispam solution on the internet, and importantly – in most cases, it’s free of charge.

Types of reCAPTCHA

To choose the solution that best suits your business, it’s worth exploring all the available options:

• reCAPTCHA v1 was the first version of the Google anti-bot CAPTCHA system. Today, you cannot use this one anymore because it has been discontinued since March 2018;
• reCAPTCHA v2 – there are different kinds of tasks that users have to perform during the verification process. Types of the second version of reCAPTCHA include:
  • “I’m not a robot” Checkbox – what’s interesting is that Google analyzes not the user’s ability to click a checkbox (because obviously, bots can do it too) but his behavior before and after performing this task. Among others, Google tracks the mouse movement (the human one will rather be pretty chaotic, our cursor will not move in perfectly straight lines like the bot’s would) or even browsing history. If the result of the test is not conclusive, the user is asked to perform a visual test, like recognizing parts of vehicles in a picture divided into squares,

• • Invisible reCAPTCHA badge – which does not require any direct tasks, the system measures and checks the users’ behavior in the background. The same as in the case of the “I’m not a robot” Checkbox, it might follow the movement of the mouse, but this time even when the user clicks buttons not related to the CAPTCHA. This test to tell humans and robots apart can also be triggered through a JavaScript API call,
  • Solutions for Android – validation is achieved by initiating network calls between the Android application, the SafetyNet server, and your own server. Users will either be granted immediate access to the content or will have to validate whether they are humans by, for instance, performing visual challenges, like choosing specific objects in the pictures;
• reCAPTCHA v3 is an advanced security solution that does not require any direct input from the user to verify his humanity. Instead, the system uses a risk analysis engine to inspect visitor actions to only allow humans to pass through. When bot-suspected actions are detected, the system assigns a score that can be checked in the reCAPTCHA admin console. The user’s behavior is analyzed and assessed with a score ranging from 0.0 to 1.0 – the higher the score, the more likely the user is human. From there, you can learn not only about the scores but also the specific actions that bots were attempting to perform;
• reCAPTCHA Enterprise is the latest reCAPTCHA option available. It brings together the pros of both previous reCAPTCHA versions and offers more flexibility by allowing you to classify specific bot and fraud actions as either positive or false negatives. This means you help Google adjust for incorrect assessments during future tests. While registering your site, you can choose between the two reCAPTCHA types –reCAPTCHA v2 or reCAPTCHA v3. The available anti-bot solutions you can exploit are:
  • “I’m not a robot” Checkbox,
  • Invisible reCAPTCHA badge,
  • Score-based mechanism from reCAPTCHA v3;
• reCAPTCHA Enterprise Fraud Prevention (a subtype of reCAPTCHA Enterprise) – it’s a new solution from Google that stops payment fraud attempts. After suspicious behavior is detected (like many transaction attempts at surprisingly low prices), you get a risk score, and from there, you can block the transaction instantly or send it for further investigation.

How much does reCAPTCHA cost?

In cases of all available reCAPTCHA versions (v2, v3, and Enterprise), website and app owners, can use the tools for free within a limit of 1 million monthly calls. Importantly, when publishers using reCAPTCHA v2 and reCAPTCHA v3 surpass the 1000 calls limit per second or 1 million a month, they have to switch to reCAPTCHA Enterprise or ask Google for an exception via appropriate form. The cost of service for reCAPTCHA Enterprise users above 1 million, but below 10 million calls is 1$ per 1000 calls. And if your content generates numbers above that, you’ll have to contact the Cloud sales team to determine the conditions individually.

reCAPTCHA alternative

Of course, Google’s product is not the only option when it comes to the bot protection systems. There are some alternatives available in the market – two of the most often chosen ones are:

• Cloudflare Turnstile – the product’s creators praise it, among other things, for its attention to data privacy. Its main goal is to stop bots without using CAPTCHA systems. They avoid showing challenges and just analyze the user’s behavior or check a small amount of data. The basic version of this solution is free of charge. On the other hand, the premium version offers, for instance, “Lossless Image Optimization” and more advanced bot protection methods;
• hCAPTCHA – an accessible, compliant with WCAG 2.1 (Web Content Accessibility Guidelines) requirements, CAPTCHA-type solution. It’s fast to implement, with only two lines of code, and it’s free up to one million requests per month. Moreover, it’s possible to use this tool in every country. It’s a popular remedy for identifying fraud for some of the top online payment processors.

Despite the efficiency of other options, Google reCAPTCHA still remains the most popular solution, used by most content creators. People decide to use it, as it’s a trusted product from a well-known technology giant, but also because of constant reCAPTCHA updates, numerous accessibility features, and support offered in many languages.

If you want to get to know more hints and insights from the world of digital content creation and learn about the best monetization strategies for both websites and mobile apps, feel free to follow us on LinkedIn. This way, you’ll be up-to-date with our articles, industry news, and incoming changes worth preparing for. See you there!