
With advances in computer vision, machine learning models can now reliably solve Google’s visual reCAPTCHAv2 100% of the time. This marks the end of an era — since the early 2000s, CAPTCHAs (short for “Completely Automated Public Turing test to tell Humans and Computers Apart”) have been the most popular tool for distinguishing human website visitors from bots.
For businesses that need to protect their websites from malicious bots, this means it’s time to put reCAPTCHAs away permanently. It’s also good news for customers, who often find reCAPTCHAs annoying to solve. Millions of websites are still using them, however, so it’s important to know why reCAPTCHAs don’t work anymore.
Image classifier bots have caught up to humans
Independent researchers regularly test online security tools like CAPTCHAs to see how well they hold up against potential attackers. Until recently, image-recognition AI models had about a 70% success rate against visual reCAPTCHAs, the kind that ask a user to look at a 3 x 3 grid of images and identify common objects such as street lights or buses. In September 2024, researchers from ETH Zurich announced they had built an efficient AI model that was able to defeat visual reCAPTCHAs 100% of the time.
The researchers trained a real-time object-recognition machine learning model called YOLO (“You Only Look Once”) on 14,000 traffic images and then used it to solve individual reCAPTCHA challenges. The open-source model was able to correctly identify different types of images 69% to 100% of the time, and for challenges it couldn’t solve, it asked to be shown another one. Ultimately, the model was able to defeat every reCAPTCHA in an average of about 19 tries.
Notably, there was no statistically significant difference between the number of attempts it took the model or a human to beat a reCAPTCHA challenge. On top of this, the YOLO model can run locally with limited processing power. This means it can be deployed at scale by fraudsters for conducting bot attacks.
Why not make harder reCAPTCHAs?
Since 2014, neural networks have been used to reliably bypass text-based CAPTCHAs (and since 2011 for audio CAPTCHAs). Now that models can also consistently defeat visual challenges, developers need new ways to detect bots. But there are good reasons not to keep trying to evolve the CAPTCHA paradigm:
- They’re too hard for humans: ReCAPTCHAs are already notoriously hard for humans to solve. Making them harder threatens to send even more legitimate site visitors running. They also pose accessibility problems for people with visual or hearing impairments, depending on the type of challenge.
- They take up too much time: It takes a human user roughly 10 seconds to solve an image-based reCAPTCHA, which diminishes user experience. Humans have spent 819 million hours solving reCAPTCHAs since their invention. (That’s nearly 1,200 human lifespans!)
- They hurt sales: Implementing more difficult challenges is likely to have an even worse impact on conversions than current reCAPTCHAs. Studies estimate that CAPTCHAs reduce conversions anywhere from 3% to 40%.
- This is an unwinnable arms race: No single puzzle is likely to be successful for long, because of the speed at which bots can learn to defeat them.
It adds up to a hefty list of drawbacks and no advantages. Businesses need to explore alternatives to reCAPTCHAs for protecting their websites.
Effective bot detection strategies
An effective way to detect bots is to include device intelligence in a multi-layered fraud detection approach, one that combines technical data and behavioral characteristics to form a complete picture of user behavior and intent without impacting customer experience. Some of the most effective techniques that companies can use together include:
- Honeypots: Trap bots with hidden fields on form submissions that are not visible to human users browsing in a graphical interface but are visible to bots. The field is left blank if a human fills out the form, but bots fill out the field when they scan the site’s HTML code. This flags their submissions for blocking.
- Behavioral analysis: Indicators like scroll time, mouse movements, and navigation patterns can sometimes distinguish human users from bots. Bots tend to move at lightning speeds and without hesitation between actions.
- Machine learning: Train models on large datasets of known human and bot interactions to spot patterns. These discovered patterns can then help identify behaviors of bots in real time.
- Device intelligence: A comprehensive device intelligence platform analyzes hundreds of browser and device characteristics, which can be used to flag suspicious activity and devices that could indicate bots impersonating genuine users.
- IP blocklists: Check visitor IP addresses against regularly updated databases of known bot IPs, data center ranges, and malicious proxies.
All of these bot detection strategies work invisibly in the background to gather data and spot patterns without annoying legitimate human users. Together, they provide a defense-in-depth approach that can adapt along with the constantly evolving techniques fraudsters come up with to evade detection.
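A server-side sketch of how three of the layers above (honeypot field, submission timing, IP blocklist) can be combined into one decision. This is an added example, not Fingerprint's code; the field name `website_url`, the 2-second threshold, the signing key, the action names and the blocklist ranges (RFC 5737 documentation addresses) are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

SECRET = b"replace-with-server-side-secret"  # assumption: per-deployment signing key
HONEYPOT_FIELD = "website_url"               # hypothetical hidden field, hidden from humans via CSS
MIN_FILL_SECONDS = 2.0                       # assumed threshold; tune on real traffic
# Constructed blocklist using RFC 5737 documentation ranges, not real bot IPs.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_form_token(now=None):
    """Return 'timestamp.signature' to embed in the form when it is rendered."""
    ts = f"{(time.time() if now is None else now):.3f}"
    return f"{ts}.{_sign(ts)}"

def token_age(token, now=None):
    """Seconds since the form was rendered, or None if the token is missing or forged."""
    ts, _, sig = token.rpartition(".")
    if not ts or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return None
    return (time.time() if now is None else now) - float(ts)

def evaluate_submission(form, client_ip, now=None):
    """Collect independent signals, then map them to allow / review / block."""
    signals = []
    if form.get(HONEYPOT_FIELD, "").strip():
        signals.append("honeypot_filled")    # a human never sees this field
    age = token_age(form.get("form_token", ""), now)
    if age is None:
        signals.append("invalid_form_token")
    elif age < MIN_FILL_SECONDS:
        signals.append("submitted_too_fast")
    try:
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in BLOCKED_NETWORKS):
            signals.append("ip_on_blocklist")
    except ValueError:
        signals.append("unparseable_ip")
    if "honeypot_filled" in signals or len(signals) >= 2:
        action = "block"
    elif signals:
        action = "review"
    else:
        action = "allow"
    return {"action": action, "signals": signals}
```

Signing the render timestamp keeps the timing check from being bypassed by a client that simply submits an older timestamp of its own choosing.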
Fingerprint’s Bot Detection Smart Signal does the job
Our Bot Detection Smart Signal detected over 416 million bad bots in 2024. It works by collecting large amounts of browser data that bots leak to reliably distinguish genuine users from headless browsers and automation tools. The signal result indicates whether the visitor is a good bot (like a search or AI crawler), a bad bot (potential fraudster), or not a bot (human). Companies can use this data to quickly take appropriate action, such as blocking a visitor’s IP, withholding content, or asking for human verification.
ReCAPTCHAs no longer provide the bot protection they promise. Device intelligence is a better alternative to stop bad bots from trying to hack your customers’ accounts, decreasing your site’s speed, or scraping your site’s content.
Set up bot detection for your site in this step-by-step tutorial or contact our team to learn how you can take action to protect your digital assets from bots.
FAQ
No. New research shows that highly efficient, locally run machine learning models can defeat reCAPTCHAs 100% of the time.
While reCAPTCHAs were once an effective tool for stopping bots, advances in machine learning have led to bots that can readily circumvent them. And not only are they ineffective, but they also reduce conversions by frustrating good customers.