Beta This is new guidance. Complete our quick 5-question survey to help us improve it.
CAPTCHAs are used to try and distinguish between humans and bots (automated software). They do this by having users perform a task to prove they’re human - for example, decipher and enter jumbled up text before submitting a form.
There are security, privacy, usability and accessibility issues associated with CAPTCHAs. You must not use them unless you both:
- limit their use to cases where you detect suspicious activity (for example, you detect bot-like behaviour and need to test whether the user is human)
- have evidence to show that alternative solutions won’t work for your service
Meeting the Digital Service Standard
To pass point 12 (make sure users succeed first time), you’ll need to explain how you’ve made your service easy to use.
Why CAPTCHAs are problematic
CAPTCHAs will make your service more difficult for some people to use, including people with disabilities.
Third-party CAPTCHA services could also introduce additional risks, including:
- security issues - if your provider’s security is compromised, your service and its users may also be affected
- privacy concerns - for example, third-party services might set cookies, collect analytics and track users across multiple sites
- performance issues - if you rely on a supplier, it means you’ll be affected by any performance problems or outages they experience
Your service could still be at risk, even with a CAPTCHA in place. Advances in computer imaging and the use of CAPTCHA farms means some bots will still be able to access your service.
Alternatives to CAPTCHAs
Many of the risks that CAPTCHAs are aimed at reducing can be addressed in other ways including:
You can discuss alternatives to CAPTCHAs with the frontend community.
You may also find the following guides useful:
- Published by:
- Technology community (frontend development)
- Last update:
Guidance first published