High-Friction & Low-Friction CAPTCHA

What types of CAPTCHA are there?

Today, there are two main types of CAPTCHAs:

  • High-Friction CAPTCHA
  • Low-friction CAPTCHA

If the user has to actively perform a task, this is referred to as a high-friction CAPTCHA, since it relies on high-friction verification methods.

If the verification runs in the background and the user is not required to complete a task to prove that they are human, this is referred to as a low-friction CAPTCHA.

The term low-friction verification method refers primarily to the fact that the check to be completed does not directly represent any added value for the user. It is a hurdle that mainly costs time before the user can reach their actual destination.

Examples of high-friction CAPTCHA

| Type of CAPTCHA | Example task | Providers |
|---|---|---|
| Text-based CAPTCHA | Character recognition | Captcha.guru, CaptChair, Text Disguise, RainCaptcha, MTCaptcha |
| Image-based CAPTCHA | Image labeling task | Confident CAPTCHA, PhotoCaptcha, 2Captcha API, WebAppz, hCaptcha, ReCaptcha |
| Audio-based CAPTCHA | Input of letters heard | Datadome, Seznam Captcha |
| Mathematical or word-based CAPTCHA | Solving math problems, answering questions, completing sentences | VersCaptcha API |
| Game-based CAPTCHA | Assembling a puzzle piece into an apple picture where the piece is missing, rotating a picture | KeyCaptcha API, VouchSafe API, GeeTest CAPTCHA, Rotate Captcha |
| Social Media-based CAPTCHA | Sign-in via Google, LinkedIn, Facebook, Single-Sign-On (SSO) | Google |
| Payment-based CAPTCHA | Payment by means of cryptocurrency | Captcha Coin API |
| Telephone-based CAPTCHA | Sending a code | Ringcaptcha |
| Advertising-based CAPTCHA | Entering a text | Solve Media, Ericsson Captcha |

What is a low-friction CAPTCHA?

In view of the growing criticism of conventional CAPTCHAs, more user-friendly CAPTCHA solutions are increasingly being developed and made available. In some cases, these are methods that have been known for some time, but which in combination help to protect against bots.

Examples of low-friction CAPTCHA - frictionless verification

At best, frictionless verification procedures are invisible or imperceptible to real people, while it is difficult for bots to pass this check.

  • User activities
  • Proof of work
  • Spam honeypots
  • Lockout time / time blocks
  • IP white list / blacklisting IPs

User activities

The user's movements on the website are tracked and analyzed. An attempt is made to identify whether the clicks and other user activities on the website correspond to human behavior or are more likely to be attributed to a bot. 

Proof of Work

Proof of work is one or more calculation tasks that the client browser has to solve in the background so that the CAPTCHA check is passed. This check is usually not noticed by the user, as they are busy with their actual task at the same time, such as filling out a registration form or composing a message. This proof of work costs computing power and time and therefore puts a damper on bot activities that are optimized for efficiency.
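The following is an added example, not code from this page or from any provider named on it. It sketches one common way to build such a check: a hashcash-style puzzle in which the client must find a nonce whose SHA-256 hash has a set number of leading zero bits. The puzzle type, the function names, the 12-bit difficulty and the five-minute expiry are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // server-side secret, never sent to the client
const DIFFICULTY_BITS = 12;                // constructed value: about 4096 hashes on average
const MAX_AGE_MS = 5 * 60 * 1000;          // assumed expiry for an issued challenge

const sign = (data) => crypto.createHmac('sha256', SERVER_KEY).update(data).digest('hex');
const hashOf = (challenge, nonce) =>
  crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();

// Count the leading zero bits of a digest buffer.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts over 32 bits, a byte has 8
  }
  return bits;
}

// Server: issue a stateless challenge. The HMAC stops a client from
// lowering the difficulty or forging its own challenges.
function issueChallenge(now = Date.now()) {
  const payload = `${crypto.randomBytes(16).toString('hex')}.${now}.${DIFFICULTY_BITS}`;
  return `${payload}.${sign(payload)}`;
}

// Client: brute-force a nonce (in a browser this would run in the background).
function solve(challenge) {
  const bits = Number(challenge.split('.')[2]);
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(hashOf(challenge, nonce)) >= bits) return nonce;
  }
}

// Server: verification costs one hash. `seen` rejects reuse of a solved
// challenge; a real deployment would expire its entries.
const seen = new Set();
function verify(challenge, nonce, now = Date.now()) {
  const parts = String(challenge).split('.');
  if (parts.length !== 4) return false;
  const [salt, issued, bits, mac] = parts;
  const a = Buffer.from(mac), b = Buffer.from(sign(`${salt}.${issued}.${bits}`));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  if (now - Number(issued) > MAX_AGE_MS || seen.has(salt)) return false;
  if (leadingZeroBits(hashOf(challenge, nonce)) < Number(bits)) return false;
  seen.add(salt);
  return true;
}
```

The cost is asymmetric: the client pays thousands of hashes per submission, while the server pays one hash and one HMAC to check the result.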

Spam honeypots

This method targets simple bots. Form fields that are invisible to the web user are built into the form, so real people do not fill them in. Bots that are programmed to fill in all fields of a form, in contrast, are lured into filling in these invisible input fields as well. This gives the bots away and prevents the data from being sent.

Lockout time / time locks

Bots can fill out forms many times faster than humans. In order to be able to send as many spam messages as possible, these bots are optimized accordingly. Time locks can be used to hinder this. If a bot sends one or more requests to the web server or application faster than the specified time block allows, the bot is recognized and the data is rejected. Human users of the website usually do not notice these time blocks, as they need longer to enter the data anyway. The use of a timer for completing a form can be a useful additional measure alongside other anti-bot defense methods.

IP White List / Blacklisting IPs

With an IP whitelist, the CAPTCHA is completely invisible to users coming from Internet IP addresses that are on a defined whitelist. The opposite approach is IP blacklisting. Here, IPs from certain geographical regions are excluded, or requests from these regions are heavily throttled or limited.