Ungerboeck Digital - Blog



Gotta CAPTCHA 'em All

Kevin Zink
Feb 01, 2016
captcha options

Bots, that is.  Spammers too.

Those who have open forms, regardless of site size, have likely dealt with intelligent bots spamming said forms. This can be enormously frustrating. Not only does it take time to manage, it also reduces the clarity of analytics and potentially causes missed leads if submissions are inadvertently misclassified.

There are several solutions that attempt to stave off these painful instances. Each method, however different, equates to a simplified Turing Test... of sorts... that tries to be tough on bots without encumbering the user. This last part is very important. Regardless of how well these barriers work, in many cases, they become a pain-point for legitimate users who are simply trying to interact with a site. The more acute the pain-point, the more likely your site is to be abandoned and your conversion to be lost.


Everyone who has been around the internet more than a few times has come face to face with a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). Squiggly lines, twisted text, oncoming headaches are the hallmarks of this most recognized method. This system has been around since 2000 and still remains (in different iterations) one of the best ways to stop bots from form submission. Unfortunately, the bots continue to become more intelligent and are quickly catching up to their human counterparts in their ability to decipher increasingly abstract renderings. Many of these have audio options, but as speech to text evolves, even an audio only variation has little chance of stopping a determined bot.


reCAPTCHA is Google's attempt to capitalize on the need for CAPTCHA by using (assumed) human responses to decipher text. In general, the reCAPTCHA will supply two words. The first word is known and the second is not. These words are often lifted from scanned newspapers, books and other physical media. If the user is able to correctly determine the first word, Google will assume that they may have gotten the second word correct as well. After Google collects a number of matching results for the second word, the second word becomes "known" and can be promoted to the first word position. This method not only protects sites but performs the useful service of human deciphering scanned works.


No CAPTCHA is the evolution of reCAPTCHA and simplifies the user experience by simply asking the user to confirm that they are not a robot. Simple and sleek. If the No CAPTCHA is not confident with the user response a standard CAPTCHA will also be presented to the user. The secondary confirmation usually is displayed in one of two variations:

  1. The first variation is usually reserved for desktop users and consists of a standard CAPTCHA asking the user to decipher a picture of text (often a house-number).
  2. The second variation is used within mobile displays and requests that the user match image selections to a provided clue. This mobile technique is, generally, preferred as it is easier for a mobile user to click on an image rather than type out random characters due a small keyboard and the ever-loved spell-checker.


Sweet Captcha

Sweet Captcha exists as a plugin that that relies on drag-and-drop interaction rather than deciphering text or tapping on images. This test requests that users match two items by dragging one to another. Unfortunately, the ability of a sight-impaired user, or someone using keyboard only navigation, limits the potential audience and potentially introduces usability issues.


Gaming CAPTCHAs request that the user have full interaction and complete a simple game. The complex interactions are currently beyond most automated systems. Unfortunately, they are also beyond the capabilities of some users as well. These systems may also appear "unprofessional" depending on the branding of the site.


NuCaptcha helps determine the level of risk the user presents based on a behavior analysis system. Using this information, the security determines what level of CAPTCHA should be displayed to the user. Rather than using fixed scrambling, the text is presented in video form with moving letters. This makes the system easier to read for humans while still thwarting the majority of bots.

Honeypot Technique

The Honeypot Technique is a system that has become increasingly popular as it doesn't degrade the user experience. This technique involves placing a hidden field within the form. Legitimate users will not see the field and enter a value. Bots, however, see the field within the code and adjust the value before submitting the form. Code can then be used to throw-out any forms that have a value within the field. This is an easy to implement method that does not require any action on the part of the user. Unfortunately, the speed at which bots are adjusted may lead to smarter bots that check for hidden fields or try various combinations of form values until a successful submission is achieved.


If you were "told there would be no math" you have come to the wrong CAPTCHA. Amazingly enough, simple math... especially word problems... are often more than a match for the majority of bots. And what user doesn't like to solve a math problem before submitting a form? All kidding aside, a simple "What is two plus five" form field isn't a huge barrier to the majority of users.

Two-Factor (Two-Step) Authentication

If standard CAPTCHAs simply aren't meeting expectations, two-factor authentication takes the process to the next level. This process usually involves the user supplying the location of a secondary device which receives a code that is useful for a limited time period. The final process of filling out a form requests that the user enter the current code before being allowed to finalize submission.

Third-Party Authentication

Although somewhat intrusive, more and more sites are requiring that users login via a third-party site (i.e. Facebook, Twitter, etc.) in order to interact with forms, member only sections, etc. The thought process is that users have already created profiles and those profiles have already been vetted through CAPTCHA or an equivalent process. The downside is that users may see this as one more way they may be tracked and may prefer to keep their accounts completely separate due to security concerns.

It is unfortunate that utilizing a CAPTCHA, regardless of type, is becoming increasingly necessary. The plethora of options, however, increases the likelihood that there is a technique that will protect your site from unwanted form submissions while not impeding the user.

Let's Talk

Looking to know more? Drop us a note through the form below.

636.300.5606  |  100 Ungerboeck Park, O'Fallon, Missouri, 63368