Do you use captcha alternatives??
Posted by melonPOGGER@reddit | sysadmin | 19 comments
Getting more and more complaints from users hitting challenges on flows that should be completely frictionless, and every time we dig into it the false positive rate on our current CAPTCHA setup is hard to defend to the business, especially on checkout and login where every interrupted session has a real cost.
Sophisticated bots today solve visual challenges anyway, so we're managing to simultaneously frustrate legitimate users and let the actual threats through, which is the worst possible outcome from a single security control.
Looking for something that moves the verification layer out of the user's face entirely. What teams here have actually deployed that held up under real bot traffic?
yonifre@reddit
You're spot on about the frustration with CAPTCHAs, u/melonPOGGER. We learned the hard way that every extra click or puzzle impacts conversion, especially on critical flows like checkout. The goal really should be to completely remove that verification layer from the user's interaction. What worked for us in the WordPress ecosystem was moving to an advanced anti-spam plugin that uses multiple layers of protection – think behavioral analysis, honeypots, time-based checks, and even AI-powered detection – all operating silently. It means real users never see a CAPTCHA, but bots are blocked before their submission even registers.
If you're on WordPress and looking for something that just works in the background, take a look at Maspik – it's been a game-changer for our forms. You can find it on the official plugin directory: https://wordpress.org/plugins/contact-forms-anti-spam/
WhoisAizenn@reddit
Ran the numbers on our checkout abandonment once segmented by whether a CAPTCHA was served and the drop-off rate was something nobody on the product side had any idea about, it became a revenue conversation very quickly after that.
impastable_spaghetti@reddit
reCAPTCHA has become a Google data collection tool more than a security one at this point and a lot of teams don't realize what they're handing over when they deploy it, especially in regions with stricter privacy requirements.
Maleficent-Bat-9168@reddit
Had this exact conversation with legal when we were deploying in Germany, the data residency questions around recaptcha got uncomfortable fast and it ended up being the reason we started looking for alternatives in the first place.
premiumkajukatli@reddit
GDPR compliance is the thing that forced our hand on this, you can't really justify routing European user interaction data through Google infrastructure.
H4RDY1@reddit
CAPTCHAs are also a very non-inclusive mechanism by design.
Ornery-Media-9396@reddit
There is also an audio CAPTCHA but it is somehow worse than the visual one, it's completely unusable in practice and gives you a false sense that you've covered the accessibility requirement when you haven't at all.
aggresivepanda2411@reddit
Nobody has ever successfully completed an audio CAPTCHA
ayushraj_real@reddit
Honestly at this point any friction on checkout is too much, whatever gets it out of the user's face is worth looking into.
No-Departure-8414@reddit
Ran the numbers on our checkout abandonment once segmented by whether a CAPTCHA was served and the drop-off rate was something nobody on the product side had any idea about, it became a revenue conversation very quickly after that.
mybiggestnightmare@reddit
DataDome has a good feature for this, runs verification in the background on device signals before anything is served, CAPTCHA only shows up when it genuinely can't make a call.
InfnityVoid@reddit
Looked at it too, what stood out is that it collects signals before the first request lands, so you're not reacting after the fact.
Vegetable_Patient911@reddit
Looked at it too, what stood out is that it collects signals before the first request lands, so you're not reacting after the fact.
siterightaway@reddit
Man, you're absolutely right to be worried. The whole landscape has shifted in a crazy way. We're dealing with a massive bot invasion right now—Cloudflare is reporting 2 million attacks per second. And it’s even deeper than that: Microsoft pointed out a 170% spike in these attacks over just 6 months, and their efficiency jumped 450% thanks to AI.
The truth is: bots solve CAPTCHAs easily nowadays. If their AI is faster at identifying traffic lights or fire hydrants than a human, those old-school solutions that only annoy real users don't really help anymore. They just end up hurting your conversion rates.
We need to step up our game
Linkpharm2@reddit
*a shiver goes down your spine... then that same shiver goes back up your spine*
badaccount99@reddit
ReCaptcha and others that make humans click a traffic light or type in a word that a color-blind person can't see have a huge impact on traffic. Most humans just abandon it unless they really want to access that webpage.
Cloudflare and some others have a better Captcha. The Cloudflare managed Captcha will put up that checkbox with "I'm a human". But a ton of the time it doesn't even do that because it tracks IP reputation and traffic history across all of its customers, so if someone solved a captcha on another site protected by them recently they won't get one on yours.
We're mostly fighting bots stealing content from distributed IPs. Think 100000 requests per day from 50000 IPs. Traditional bot mitigation doesn't do a great job of detecting the bad bots using fake useragents from unknown IPs on their first request, but that doesn't help much when they only request like 2 pages per day per IP. So we've had to set up those checkbox captchas for every country we don't have customers in or make money serving ads to.
Also if you're doing your own captcha or applying it per page you need to make sure to set cookies and not re-issue the challenge if they've solved it recently. Users should only get it once per session max or it's going to cause a large percentage to close the tab and give up.
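An added example, not part of the thread: one way to implement the "don't re-issue the challenge if they solved it recently" advice above is a signed clearance cookie that is bound to the session and expires on its own. The key, TTL, and function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumptions for this sketch: a server-side secret and a 30-minute clearance.
SECRET = b"constructed-demo-key-load-from-a-secret-store"
CLEARANCE_TTL = 30 * 60  # seconds


def _sign(session_id: str, expires: int) -> bytes:
    """HMAC over session id and expiry so neither can be changed client-side."""
    payload = f"{session_id}.{expires}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_clearance(session_id: str, now: Optional[float] = None) -> str:
    """Call once after a solved challenge; returns the cookie value.

    Set it with the Secure, HttpOnly and SameSite attributes.
    """
    now = time.time() if now is None else now
    expires = int(now + CLEARANCE_TTL)
    return f"{expires}.{_sign(session_id, expires).decode()}"


def needs_challenge(cookie: Optional[str], session_id: str,
                    now: Optional[float] = None) -> bool:
    """True if the visitor must be challenged, False if clearance is valid."""
    if not cookie:
        return True
    try:
        expires_s, sig = cookie.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return True  # malformed cookie: treat as no clearance
    now = time.time() if now is None else now
    if expires < now:
        return True  # clearance expired, challenge again
    # Constant-time comparison; a cookie replayed under another session
    # or with an edited expiry fails here.
    expected = _sign(session_id, expires)
    return not hmac.compare_digest(sig.encode(), expected)
```

Binding the token to the session id means a clearance harvested by one client cannot be shared across a pool of bots using other sessions.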
derango@reddit
This is a developer question. And reads like market research....
NeedleworkerOne5620@reddit
DataDome has a good feature for this, runs verification in the background on device signals before anything is served, CAPTCHA only shows up when it genuinely can't make a call.
ElectroSpore@reddit
Probably would be better to know which CAPTCHA you are currently using.
Cloudfront / AWS both have bot specific work challenges to detect bot-like behaviour. Google has its Captcha.
There are self-hosted solutions like https://github.com/TecharoHQ/anubis I have seen popping up to protect open source project pages.