Support FAQ

How CAPTCHAs Work

How do CAPTCHAs work?

A CAPTCHA is a challenge-response test used to decide whether a request is likely to come from a human or automated software. The name comes from "Completely Automated Public Turing test to tell Computers and Humans Apart." Traditional CAPTCHAs ask a person to read distorted text, choose images, solve a puzzle, tick a box, or complete a small interaction. Newer systems may score browser, device, interaction, and traffic signals before deciding whether to show a visible challenge.

CAPTCHAs are usually placed in front of actions that attackers want to automate: signup, login, password reset, comments, voting, checkout, contact forms, free trials, coupon use, or account recovery. The goal is not to prove with certainty that a user is human. The goal is to add evidence and cost so abusive automation becomes harder or less profitable.

The basic CAPTCHA flow

Most integrations follow a similar pattern. The page asks a CAPTCHA provider to create a challenge or risk assessment. The user or browser completes the required step. The provider returns a token. The application sends that token to the provider from the server side and receives a verification result. Only then should the application allow the protected action.

The server-side verification step is essential. If an application only checks that a browser displayed a widget, attackers can bypass the control by calling the backend directly. The application should also verify that the token is fresh, intended for the expected site or action, and not reused beyond the provider's rules. Protected API paths, mobile endpoints, and alternate form handlers need the same enforcement as the visible web page; otherwise attackers can route around the challenge.

Types of CAPTCHA challenges

Text CAPTCHAs ask users to read distorted letters or numbers. Image CAPTCHAs ask users to identify objects, signs, vehicles, or patterns. Audio CAPTCHAs provide a spoken alternative. Checkbox challenges may combine a visible click with background analysis. Puzzle or interaction challenges ask users to drag, rotate, or select an element. Invisible or risk-based systems may avoid a visible challenge unless signals indicate suspicious automation.

Each type has tradeoffs. Text and image challenges can be hard for people with visual impairments, users on small screens, or users facing language and cultural differences. Audio alternatives can be difficult in noisy environments and may introduce privacy or accessibility issues. Invisible systems reduce friction but require careful governance because they evaluate client and behavioral signals that users may not see.

What CAPTCHAs can and cannot stop

CAPTCHAs can block basic scripts that do not run browsers, do not handle tokens, or cannot complete a challenge. They can reduce low-effort form spam and force attackers to spend more time or money. They can also provide a useful step-up control when traffic looks risky but the team does not want to block it outright.

They are not a complete bot defense. Attackers can use CAPTCHA-solving services, machine learning, real browser automation, stolen session cookies, malware on human devices, or low-paid human workers. Some attacks do not need to solve the challenge if another endpoint lacks enforcement. Others solve challenges successfully but still create abuse, such as fake account creation, credential testing, or spam submissions that pass the gate.

Security failure modes

Common implementation failures include trusting client-side completion without server verification, accepting expired tokens, allowing token replay, protecting the web form but not the API endpoint, failing open when the CAPTCHA service is unavailable, and applying the same challenge rule to every user regardless of risk. Another failure is measuring only challenge volume. A high solve rate may look positive, but if solved challenges lead to fraudulent accounts or spam, the control is not doing enough.

Operational failures matter too. A CAPTCHA that is too aggressive can train users to abandon the workflow. A challenge that works on desktop may fail on mobile. A third-party script can affect page performance or privacy reviews. A provider outage can block critical actions if the fallback behavior is not planned. Teams should treat CAPTCHAs as production dependencies, not decorative widgets.

Measuring user friction

CAPTCHA impact should be measured at the protected action, not only at the challenge. Track challenge rate, solve rate, error rate, time to complete, abandonment, retries, accessibility complaints, browser or device skew, and final conversion. Segment by route, region, device class, authentication state, and risk level. A challenge on a newsletter form has a different cost from a challenge on account recovery or checkout.

Security metrics should be paired with user metrics. Did spam submissions fall? Did credential stuffing attempts decline? Did fake signups become less common? Did successful account recovery remain stable? Did support tickets rise after enforcement? Without these outcome metrics, a team may celebrate blocked requests while missing lost customers or ongoing abuse behind solved challenges.

Better placement and alternatives

CAPTCHAs work best as one layer in a broader control set. Server-side validation, CSRF protection, rate limits, account risk scoring, password attack defenses, email or phone verification, device and session signals, moderation queues, and API authentication can all reduce dependence on visible puzzles. For some workflows, delaying publication, limiting links for new accounts, or requiring stronger authentication may be more effective and less frustrating than repeated challenges.

Placement should be selective. Low-risk browsing usually should not require a visible challenge. High-risk actions may justify a step-up challenge when traffic is suspicious, especially after repeated failures, unusual speed, proxy concentration, or known abuse patterns. Teams should define what happens when the CAPTCHA service is unavailable: fail closed for high-risk actions, fail open for low-risk actions, or provide an alternate verification path.

Governance considerations

CAPTCHA policy should have clear ownership because it affects security, accessibility, privacy, conversion, and customer support. Teams should document why a challenge exists, what abuse it is intended to reduce, which routes it protects, which users are exempt, and which metrics trigger review. Exceptions for partners, testing tools, or internal users should be narrow and time-bound.

The central governance question is whether the challenge is still worth the friction. If attackers are solving it cheaply and real users are abandoning the workflow, the policy needs to change. If a challenge reduces high-risk automation with low user impact, it may be a useful step-up control. CAPTCHAs are most defensible when they are targeted, measured, accessible, and combined with controls that address the abuse after the challenge is passed.

Related learning

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Misuse

AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2025   ABN 76 619 930 826    All rights reserved.