6 CAPTCHA Alternatives to Improve Conversion

CAPTCHA is more than a catchy name, it’s an acronym — Completely Automated Public Turing test to tell Computers and Humans Apart. But in practical terms, CAPTCHAs are often Consistently Annoying, and Prevent The Conversion from Happening A-Lot.

One study by Stanford University (link opens as PDF) found 3 human users agreed on the “translation” of the CAPTCHA only 71% of the time. Overall success rates were ~85% on average.

To add to the pain, they are not foolproof. Spammers can crack CAPTCHAs with Optical Character Recognition (OCR) software, and there are humans overseas that will fill in CAPTCHA forms for a dollar or two per thousand CAPTCHAs. (No joke).

While CAPTCHAs aren’t ubiquitous on retail ecommerce sites, they abound on subscription content sites, forums, social networks and blogs. They ensure only humans can create accounts or perform certain actions within accounts (such as post a link through Facebook), leave a comment or download content.

If you have or are considering a CAPTCHA to keep spam out, but want to minimize user friction, there are at least 5 workarounds for those crazy spaghetti-strung gobbledeegook spam traps (and often, human traps).

1. The Honeypot Trap

Bots malicious find open fields delicious, so set up a “honeypot” field with hidden CSS that is invisible to users. You can set your validation to fail when there’s anything entered into the honeypot field.

This method completely removes the friction of the CAPTCHA method — unless the user has CSS disabled, or uses a browser that auto-fills common fields. The latter may be a high percentage, so consider using a field that is rarely asked for by other sites, such as time zone, but something bots might recognize.

2. Skill Testing Question

A simple math question is often easier to complete than de-coding a set of words that look like they’ve been scribbled by a 3 year old with chubby chalk, which reduces friction without eliminating it entirely:

Image credit: 13things.net

OK, the above might prove you’re superhuman, or fresh out of college. It’s fun to inject a little humor into the painful process of proving your humanity. How about this:


3. Simple Task

Ubokia gamifies the prove-your-human process, using a creative drag-this-icon-here method.

A Flickr user proposes a tic-tac-toe game, where the human plays the winning move for X.

A company that offers these kind of games is AreYouAHuman.com.

4. 3rd Party Authentication

If your CAPTCHA is used for a membership / registration, offering Facebook Connect as an authentication option, for example, eliminates the need for the CAPTCHA, and pre-fills form fields with information from the user’s profile to boot. This option is becoming more and more common, especially with membership sites.

Because not everyone uses a social network or wants to sign up with one, this approach doesn’t replace your CAPTCHA, but reduces friction significantly for a good chunk of your users.

5. Solve Media

Solve Media is a company that developed a CAPTCHA/display ad hybrid that requires the user to answer a simple question about another company’s ad on your site. Advertisers pay for the appearance, and at least in theory, should receive higher recall as the user is forced to pay attention to the ad.

Several major publishers have signed on for trials of the Solve solution, including Hearst Magazines and TV Guide. Publishers share 50% of ad revenue with Solve, making it a CAPTCHA workaround you can monetize.

6. Do Nothing

Hey, “do nothing” is always an alternative. I’ve seen many ecommerce sites drop the CAPTCHA or only show them selectively (for example, when an IP address is suspicious). For example, Netflix once used CAPTCHA and doesn’t appear to any longer.

If you truly believe your site needs a CAPTCHA, it’s worth A/B testing to see if it’s killing your conversion rates. Measure both conversion lift and impact on number of “spam conversions” with and without the CAPTCHA. You may also consider testing any of the above workarounds.

Related Articles

22 Responses to “6 CAPTCHA Alternatives to Improve Conversion”

  1. Anton says:

    the best thing ever and always works is just use 3 buttons and fake input element names/labels as robots tend to just submit:

    “don’t post this” | “post this” | “cancel”

    Later on server side validation needs to check what button was clicked to submit the post.

    if the spam engine does not target your site specially and craft a custom solution to pass this then it always works.

  2. Mary says:

    Great insight Linda! Thank you for providing some great alternatives to CAPTCHA for merchants. It would be interesting to see the effectiveness of each of the above alternatives, as some might be more applicable to users depending on the merchant site. Have you seen any metrics like this?

  3. Courtney says:

    Although “Do Nothing” is an alternative, I think it is a pretty risky move… I do like all the other alternatives, though. The tic tac toe game may be my favorite of them all!

  4. Drag and drop tasks like the “drag the [blank] to the icon” test and the tic-tac-toe game are fun, but sadly won’t stand up to much hackery.

    I’ve been working on developing a technology that’s easier for humans but also highly resistant to machine solutions, and I’ve launched a beta for people to try. It’s called “VouchSafe”, (http://www.vouchsafe.com).

    VouchSafe uses an AI to generate challenges based on the associations that humans intuit between objects. You simply draw a line to match two objects that belong together, or to circle an object that doesn’t belong in a group, (like the old Seasame Street game).

    The line drawing thing works really well on tablets and smart phones. The AI is still being tweaked, but it’s evolving at a shocking pace. The learning component of it makes it really interesting to watch over time.

    • Michelle J says:

      Does this work for users who use braille or audio readers? While I love all of the visual options above (e.g., the drag/drop, the tic-tac-toe), I don’t see how they’d work for sight-impaired people. That would lead me more to the simple test. Thoughts?

  5. These are fabulous alternatives.

    I loved the drag scissor to the circle to prove you are human.

    Let me see if I can implement something at Online Courses on WizIQ. Given that most of our audience is teachers and students, maybe it will be well received.

  6. I think the simple task option could be the way forward , I really like that idea, Simple but very clever.

    • Dominic says:

      While I find this to be obnoxious and a nsnuaice for consumers, I guess it is simply a fact of advertising. Advertisers are constantly looking for ways to exploit people and throw advertising into people’s faces where it cannot be ignored. Personally I find this tactic ridiculous, because it would honestly make me resent a particular product. If i had to type in something like I love Dr. Pepper every time I attempted to purchase event tickets or post a blog comment on this very website, I would hate Dr. Pepper. Isn’t it enough that they have their advertisements everywhere we go; be it search engines, the highway, social networking sites and countless other places that we will inevitably come across advertising?! Though this can be considered a clever little advertising tool, I personally disagree with it and think that advertisers need to be more clever if they are forced to stoop to such forceful levels to get their message across. It is their job to come up with appealing advertising, not to be lazy and take the easiest way out. If it is going to come to that, why even hire advertisers in the first place?

  7. Marco says:

    Very, very interesting article. I’d love to translate it, of course under your conditions.
    Let me know if it is possible.

    Anyway the skill testing question doesn’t require Superman, it’s trivial: that partial derivative of a constant is zero for any X

  8. Joe C says:

    Here’s a couple more options.

    1. Use out of band authentication. It’s not necessarily cheap but you could use a service like Telesign to call a phone or send a text message with a code. You would only need to do this once to prove someone was really a human.

    2. Leverage Facebook. They do a pretty good job ensuring that you don’t create bulk accounts. If you leverage Facebook Connect or just their comments widget you can be pretty sure that the posts are going to come from humans.

    • Facebook authentication is great for website operators, but a bad deal for consumers. Facebook’s systematic rapine of personal privacy is conducted on a scale beyond the wildest dreams of avarice of the much-maligned cookie tracking vendors like double-click. I think that the fallout from their widespread penetration and complete lack of respect for consumers has only begun to manifest; but it ultimately must be addressed or else consumers will become disaffected and suspicious of all online vendors.

      • Simon says:

        Yeah, that’s a non-starter for me. I’m happy using Facebook itself, but there’s absolutely no way I’m going to use it for authentication across the rest of the web. Wouldn’t work anyway, since I’ve taken steps to block Like buttons, and anything else loading from Facebook domains from non-Facebook pages.

  9. Recent news sources claims that “authentication solutions such as passwords, CAPTCHA and tokens have been shown to be vulnerable to attack.”

    Therefore, to fight against such vulnerable attacks on our personal data TeleSign Corp. offers an intelligent authentication via the phone. Combined with PhoneID, telephone verification forms a robust out-of-band authentication method. Read more about telephone authentication system at http://www.telesign.com/ or follow them on Facebook.

  10. Himagain says:

    It has to be a rough day for me to miss this email! :-)
    Captcha concepts are a good idea, but nobody seems to pay attention to their qualified use, vis:
    1. Does it matter if they get access?
    2. Can it cost you money?
    2(a) How much for what cost?
    3. What is the cost to you of abandoned visits?

    4. What about simply requiring verification by address?
    4(a) Is it costly vis above questions?
    4(b) Do you really WANT people who won’t verify for access?

    This point (4b) seems to be the real crux for 99.999999% of Webslaves.
    To me, the key is not wasting time in business and as I taught in the real world for many years:
    focus on your 10% top/good customers and send the bottom 10% to your opposition.
    (The old applied 80/20 rule)

  11. phil marcus says:

    Solve media is a really cool technology

  12. TheItalian says:

    Another alternative is to use a field and hide it with CSS. The robot will fill it, but a human will not even know it was there. Then check if it’s filled, then it’s spam. Easy.

  13. Edgar says:

    I use two methods in addition to the honey pot method.

    1. Check the source and destination IP addresses, they must be the same. This stops remote submission of the form details.
    2. Fill out an invisible element when the user clicks submit with a predetermined value.

    For larger sites it may be worth considering services such as Akismet, which help stop “sweatshop” spammers.

Leave a Reply

© 2014 Get Elastic Ecommerce Blog. All rights reserved. Site Admin · Entries RSS · Comments RSS