Recently web infrastructure company Cloudflare announced that it decided to stop using reCAPTCHA from Google in favor of a different CAPTCHA provider. While the rationale for the decision was based on Google deciding to charge for the previously free service, Cloudflare, in a blog post to its customers, also acknowledged that it believes “visual (and audio) CAPTCHAs are an imperfect answer to a number of difficult problems.”
Imperfect? We’ve been saying—along with many others—that using a CAPTCHA approach is not only imperfect, it’s the wrong approach altogether to stopping malicious bots.
Aaron Malenfant, an engineering lead on Google’s CAPTCHA team, was quoted by several media outlets as saying that in five or so years, CAPTCHA challenges won’t be viable at all. We’d argue that they aren’t viable now, let alone years from now.
In my opinion, here’s why:
Machine learning is too advanced
In the early years of CAPTCHA challenges, simple images of text were enough to defeat most bots. But with the growing sophistication of artificial intelligence and machine learning, any test can be used to train software (in this case, bots) to solve the challenge. In fact, this isn’t a recent advance. Machine learning algorithms began getting better at solving CAPTCHAs than humans years ago.
In a recent article I read in The Verge sums it up quite nicely: “Machine learning is now about as good as humans at basic text, image, and voice recognition tasks … In fact, algorithms are probably better at it. We’re at a point where making it harder for software ends up making it too hard for many people.”
I believe the human experience is increasingly worse with CAPTCHAs
Forcing customers to go through image after image identifying stoplights, traffic signs, or storefronts is not the kind of frustrating, belittling experience companies want associated with their brand. It’s not a stretch of the imagination by any means to say that consumers despise CAPTCHAs and feel that they waste their time at best and discourage them from using your service at worst.
That’s because CAPTCHAs have become more difficult and time-consuming to complete in an effort to defeat AI and remain a small step ahead of bots. It’s become impossible to keep the challenge short and easy so that humans aren’t frustrated or defeated, while making it difficult or impossible for bots to solve.
We’ve seen it, it doesn’t stop the worst kinds of automated attack
Back when malicious bots were most often spam bots, CAPTCHAs were designed to prevent them from succeeding and using a business’ website to spread spam messages. And it worked in the beginning. But then came CAPTCHA farms and smarter AI. It didn’t take long for CAPTCHA challenges to become ineffective at stopping automation.
Today CAPTCHA is practically useless for protecting against the most nefarious and damaging automated attacks on businesses. Bots are behind automated attacks that steal information, scrape prices, commit fraud, block legitimate customers from using your site, and more. These attacks inflict substantial damages on businesses.
In this new reality, serving your customers has never been more important. It’s time to stop frustrating them with CAPTCHAs and instead, start frustrating bot operators with never-ending busy work for their bots.
