
hCaptcha vs reCAPTCHA: A Comparison

November 10, 2022 (9 min read)

The purpose of CAPTCHAs is to help websites block automated spam. By asking website visitors to perform a short task—such as clicking on images showing a particular object, or typing the letters or numbers displayed in a blurred image—businesses can help to defend their website from bots and keep good users safe from attack.  

Google’s reCAPTCHA is a popular choice, but this free tool has some downsides. So, what kind of alternatives are there to Google’s answer to CAPTCHA? In this piece, we’ll look at hCaptcha vs reCAPTCHA, as well as the Arkose Labs alternative. 

What is Google reCAPTCHA?

reCAPTCHA is Google’s own version of the CAPTCHA technology. In fact, you have probably encountered Google reCAPTCHA several times already. It’s free for many websites and applications, whereas enterprise users pay for the service based on the number of reCAPTCHAs they are using. 

How Does reCAPTCHA Work?

Google’s reCAPTCHA v2 asks a website visitor to check a box declaring “I am not a robot.” In some cases, that’s the end of the CAPTCHA challenge. Other times, a user might be asked to perform another task, like clicking pictures on a grid according to whether they meet certain criteria.

You may not be aware of whether you’ve interacted with Google’s reCAPTCHA v3, because this newer version does not necessarily present the user with a puzzle to solve. Rather, it runs adaptive risk analysis in the background, designed for friction-free user experience, while alerting webmasters of suspicious traffic. 

reCAPTCHA v3 makes a judgment, and assigns a risk score, on whether the user is a person or a bot. If there’s not enough information for reCAPTCHA to know that there’s a human at the other end, then a puzzle, such as those that we’ve seen in reCAPTCHA v2, might be presented.

Is reCAPTCHA GDPR Compliant?

Good question! GDPR requires an organization to have a legal basis to process personal data. Because reCAPTCHA uses cookies and personal data to calculate risk scores, no version of reCAPTCHA is GDPR compliant.

But what does it really mean if cookies are playing a part when it comes to reCAPTCHA assessments? It could give Google a good deal of insight into user behavior online, based on the websites and individual web pages that they visit, without the user necessarily being aware of this.  

What is hCaptcha?

hCaptcha is an alternative to reCAPTCHA, and it is also free for non-enterprise customers. hCaptcha requires website visitors to label images, which is notable because hCaptcha’s parent company is an image labeling company, and data vendors buy the labeled data obtained from the widget.

Because of these manual processes, hCaptcha uses less data to run its service than Google does, but hCaptcha also utilizes cookies. Each user's unique identification is stored in one of these cookies, which may allow hCaptcha to follow users across websites that employ it.

How Does hCaptcha Work?

With hCaptcha, regular website visitors must manually complete an image classification task based on a series of images. This can be quite difficult, because hCaptcha's labeling assignments are frequently harder than reCAPTCHA's. Enterprise customers may use an invisible version of the CAPTCHA, but it still requires the user to manually solve a puzzle if not enough user data can be collected to determine whether the visitor is a human or a bot.

Is hCaptcha GDPR Compliant?

hCaptcha is a US-based firm, like Google, and it is impossible to ensure that user data will never leave the EU. In contrast to reCAPTCHA, hCaptcha makes clear in its privacy statement what information is gathered, used, and shared with other parties, including other US businesses. 

If you collect any data to which the European Data Protection Regulation applies, it is a good idea to conduct due diligence to ensure that any CAPTCHA solution you choose meets all requirements. 

Can Bots Beat CAPTCHAs?

Unfortunately, bots can sometimes beat CAPTCHAs. The reality is that when it comes to distinguishing extremely high-risk traffic from extremely low-risk traffic, most real-time bot detection tools are up to the task. 

But the problem comes when these tools need to figure out what to do with traffic that falls in the middle. Unsurprisingly, bots are getting better at mimicking human behavior.

In the cases where a challenge is presented to a user, such as the picture grid that is sometimes displayed following the “I am not a robot” checkbox in reCAPTCHA v2, it might initially seem that a machine wouldn’t be able to solve the puzzle. But fraudsters are mastering the development of more intelligent bots that use machine learning to identify the answers to puzzles, even in cases where it is commonly assumed that only humans can pass them. Image recognition software is improving every day, making it cheaper and easier for bad actors to build scripts that can sneak past CAPTCHA challenges. 

Fraudsters have ways to pass CAPTCHA challenges at scale. For example:

  • They use automated breakers that use cookie creation and token harvesting. 
  • They use IP proxy services and run attacks in parallel to maximize the returns. 
  • They can maximize ROI by paying click farms and sweatshops at nominal costs, to pass the visual challenges at scale.
  • Advancements in machine vision technology are helping develop automated solvers that can break the visual challenges more easily.
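
On the defending side, the reCAPTCHA v3 risk score and the token harvesting described above both come down to how the site's server treats the verification response. The following is an added example, not code from this article, Google or any vendor: it ties a verified token to the expected hostname, action and a freshness window, which limits what a harvested token is worth, and sends middle-band scores to a step-up challenge. The thresholds, the 120-second window, the `assess` helper and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Assumed site policy, not values from the article or from Google; tune per endpoint.
ALLOW_AT = 0.7         # scores at or above this pass without friction
BLOCK_BELOW = 0.3      # scores below this are refused
MAX_TOKEN_AGE_S = 120  # refuse verdicts whose challenge_ts is older than this

def assess(verdict, expected_host, expected_action, now):
    """Turn a parsed siteverify JSON response into (decision, reason)."""
    if not verdict.get("success"):
        return "block", "siteverify: " + ",".join(verdict.get("error-codes", ["unknown"]))
    # Binding checks: a token harvested on another site or page must not count here.
    if verdict.get("hostname") != expected_host:
        return "block", "hostname mismatch"
    if verdict.get("action") != expected_action:
        return "block", "action mismatch"
    try:
        issued = datetime.fromisoformat(verdict["challenge_ts"].replace("Z", "+00:00"))
        age = (now - issued).total_seconds()
    except (KeyError, ValueError, TypeError):
        return "block", "missing or malformed challenge_ts"
    if age > MAX_TOKEN_AGE_S:
        return "block", "stale token"
    score = verdict.get("score", 0.0)
    if score >= ALLOW_AT:
        return "allow", "high score"
    if score < BLOCK_BELOW:
        return "block", "low score"
    # Middle band: step up (extra challenge, MFA, rate limit) instead of guessing.
    return "challenge", "ambiguous score"

# Constructed sample responses; field names follow the siteverify JSON format.
NOW = datetime(2022, 11, 10, 12, 1, 0, tzinfo=timezone.utc)
BASE = {"success": True, "hostname": "shop.example", "action": "login",
        "challenge_ts": "2022-11-10T12:00:30Z", "score": 0.9}
SAMPLES = {
    "good user": BASE,
    "middle": {**BASE, "score": 0.5},
    "bot-like": {**BASE, "score": 0.1},
    "other site": {**BASE, "hostname": "other.example"},
    "other action": {**BASE, "action": "homepage"},
    "stale": {**BASE, "challenge_ts": "2022-11-10T11:50:00Z"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

def run_samples():
    return {name: assess(v, "shop.example", "login", NOW)[0] for name, v in SAMPLES.items()}

if __name__ == "__main__":
    print(run_samples())
```

Only the first sample is allowed outright; the middle score is routed to a challenge, and every binding or freshness failure is blocked regardless of score.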

hCaptcha or reCAPTCHA: What to Choose

In terms of functionality, reCAPTCHA and hCaptcha are similar. While hCaptcha is more focused on picture classification jobs, and thus significantly more private, neither is very accessible to persons with disabilities. hCaptcha requires users to manually solve a challenge, especially on the free tier. Furthermore, neither reCAPTCHA nor hCaptcha is GDPR compliant.

Choosing which CAPTCHA solution to use is an important decision for your business. Your choice will determine how successfully fraudsters will be able to attack your business and will impact the experiences that good users have when using your website. 

In fact, there are serious downsides to any CAPTCHA solution, including:

  • Damaged user experience, and lowered good-user throughput due to excess friction
  • Limited visibility to stop bots and click farms
  • Fake new accounts going undetected
  • Manual reviews that cause strain on the in-house team

For all of these reasons and more, a CAPTCHA alternative should be considered.

Arkose Labs: The CAPTCHA Alternative that Stops Bots Permanently

Fortunately, Arkose Labs offers features that reCAPTCHA and hCaptcha Enterprise don’t, like behavioral biometrics, device spoofing detection, fraud farm detections, and insights/real-time logging. The platform is superior to other CAPTCHA products because it evolves as attackers and bots evolve to provide a permanent solution to attacks with long-term deterrence, early detection, real-time attack response, and a vastly superior user experience.

Human or Bot? Arkose Labs Knows Best

Arkose Labs uses proprietary visual images that are rendered in real-time. They can’t be classified or recognized by even the most sophisticated machine vision software, meaning that we create high barriers to entry for fraudsters looking to circumvent challenges at scale.  

Persistent human attackers seek quick wins, and so our solution is designed to stop them in their tracks. The challenge-response mechanism incrementally increases the volume and complexity of the challenges. It means that fraudsters must spend more time and resources to clear challenges at scale. The ROI doesn’t add up, and so they abandon the attack.

Real-Time Feedback from Arkose Labs

A limitation of legacy CAPTCHAs is the lack of feedback and data access. Customers don’t have access to the data collected in their own environments, so they can’t use it to help with downstream decisions.

At Arkose Labs, our real-time logging is built to help. We provide detailed logs of user activity and full transparency into the 59 data attributes that are used in risk analysis. This means that you’ll have actionable insights, positioning you for success by allowing you to facilitate immediate adaptation to changing attack patterns.

In addition to providing real-time feedback, we’re true partners for our clients. You’ll have access to a dedicated technical account manager, and a hands-on 24/7 Security Operations Center staffed by a team of experts. 

Advanced Bots? No Problem for Arkose Labs

Not all threats to your business come from basic bots, and when attacks are more sophisticated, many legacy CAPTCHA solutions fail. Our context-based enforcement challenges utilize the most up-to-date machine vision innovations to undermine the profitability of the attacks.

Arkose Labs also provides a challenge aimed directly at fraud farms. By requiring the humans working within fraud farms to solve time-consuming 3D challenges, the attacker’s ROI is destroyed. 


There’s no silver bullet for stopping fraud. At Arkose Labs, we know that new threats are always around the corner, and we work that into our strategy. The depth and breadth of our challenge roster ensures that it is expensive and time-consuming to create automated solvers. When there are suspicious spikes in activity, challenge types are swapped out, putting the attackers back to square one. Attackers are more likely to give up when they encounter this type of challenge, and move on to another business using challenges that are easily beaten. 

Arkose Labs provides a targeted attack response, which is tailored to an exact risk profile. We continually research and develop new challenges to ensure we stay one step ahead of attackers, while dramatically improving good user throughput. Plus, our Security Operations Center constantly monitors activity. 

We’d love to show you what Arkose Labs can do. Register for a demo to learn about how Arkose Labs can help you with the unique challenges that you face in your business.