What are CAPTCHAs, and how do they work?

Test. That’s what a CAPTCHA is, that’s what it does. The acronym stands for: Completely Automated Public Turing test to tell Computers and Humans Apart. It’s a mouthful, and CAPTCHAs’ effectiveness is equally as clunky — more on that in a minute.

CAPTCHAs create challenge-response scenarios that attempt to weed out fake users (computers) while allowing real users (people) to complete a task, like entering a secure site or completing a purchase. You’ve likely encountered a variety of CAPTCHAs:

  • Text-based
  • Image-based
  • Audio-based

Other tests, like reCAPTCHAs, use risk-analysis engines that try to keep automated software (bots) from abusing and damaging websites. These and other CAPTCHAs commonly reside on login and checkout pages in hopes of preventing automated checkouts, credential stuffing, and fake account creation

But here’s the hard truth: CAPTCHAs are not very effective. Motivated adversaries and modern bots bypass defenses by making API calls to inexpensive CAPTCHA-solving services — aka All-In-One (AIO) services — which solve text, image, and audio tests with:

  • Human solvers (CAPTCHA farms)
  • OCR (optical character recognition technology)
  • Google Voice translations
  • Generative AI
  • AI visual image recognition

And here’s what’s even worse: CAPTCHAs frustrate real users and discourage conversions — problems that loom larger as CAPTCHA providers keep making challenges harder and harder. The bots remain undeterred. People are tired of wasting time and energy puzzling over tests.

What’s the impact of CAPTCHA’s on your business?

From revenue to customer experience, CAPTCHAs have many harmful effects on your business, including:

  • Adds friction to the user experience
  • Lower conversion rates
  • Poor application security
  • Customer or sensitive data loss
  • Decreased profit margins


CAPTCHAs kill conversions — they’ve caused 19% of U.S. adults to abandon a transaction.
– Forrester Research, 2023

Why is Kasada an effective CAPTCHA alternative?

Simple: We keep your customers happy because we don’t make them prove that they’re human.

Kasada’s platform doesn’t ask people if they’re real users; instead, our invisible defenses frustrate attackers with technology that’s time consuming, expensive to attack, and resilient to retooling. And since we don’t use CAPTCHAs, we don’t give bots a playground to test their tricks and expand their mischief.

We proactively detect and defeat threats by collecting hidden traces of automation that adversaries leave behind, and reinforce these actions with challenges that are invisible to real users and never degrade the experience. Multiple layers of detection, both server-side and client-side, and an unmatched understanding of how adversaries evade detection. Our clients have a clear understanding of the threats targeting them, and they see false-positive rates under 0.01%.

Want to learn more?

Beat the bots without bothering your customers — see how.