Using CAPTCHAs
CAPTCHAs are used to try to distinguish between humans and bots (automated software). They do this by having users perform a task to prove they're human - for example, deciphering and entering jumbled-up text before submitting a form.
There are security, privacy, usability and accessibility issues associated with CAPTCHAs. You must not use them unless you both:
- limit their use to cases where you detect suspicious activity (for example, you detect bot-like behaviour and need to test whether the user is human)
- have evidence to show that alternative solutions will not work for your service
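One way to meet the first condition is to decide per submission whether a challenge is warranted, so that most users never see a CAPTCHA at all. The following is an added example (not code from this guidance): it scores a form submission on three bot-like signals, a hidden honeypot field that real browsers leave empty, a submission that arrives implausibly soon after the form was served, and too many submissions from one client in a short window. The field name, thresholds and the use of a server-held `rendered_at` timestamp are assumptions for illustration; the outcome of `decide` is what the service would use to choose between letting the submission through, issuing a CAPTCHA, or rejecting it.

```python
"""Challenge with a CAPTCHA only when a submission looks automated.

Added example, not part of the original guidance. Assumes the server stores
the time it served the form (in the session or a signed field, not in a
client-editable input) and that the form carries a hidden 'honeypot' field.
"""
from collections import defaultdict, deque
import time

# Illustrative thresholds (assumptions, not figures from the guidance).
MAX_SUBMISSIONS_PER_WINDOW = 5   # submissions one client may make per window
WINDOW_SECONDS = 60
MIN_FILL_SECONDS = 2.0           # a human rarely completes a form this fast
HONEYPOT_FIELD = "website"       # hidden via CSS; humans cannot see or fill it


class SuspicionScorer:
    """Keeps a sliding window of submission times per client key."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing
        self._history = defaultdict(deque)   # client_key -> submission times

    def _record(self, client_key, now):
        """Record a submission and return how many fall inside the window."""
        window = self._history[client_key]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def decide(self, client_key, form, rendered_at):
        """Return ('allow' | 'challenge' | 'block', reasons) for a submission.

        client_key:  e.g. client IP or session id (assumption)
        form:        dict of submitted field names to values
        rendered_at: server timestamp at which the form was served
        """
        now = self._now()
        count = self._record(client_key, now)
        reasons = []

        if form.get(HONEYPOT_FIELD):
            reasons.append("honeypot_filled")      # only automation fills it
        if now - rendered_at < MIN_FILL_SECONDS:
            reasons.append("submitted_too_fast")
        if count > MAX_SUBMISSIONS_PER_WINDOW:
            reasons.append("rate_exceeded")

        # Two independent signals: reject outright rather than challenge.
        if len(reasons) >= 2:
            return "block", reasons
        # One signal: this is the only path that shows the user a CAPTCHA.
        if reasons:
            return "challenge", reasons
        # No signal: the ordinary case, no CAPTCHA for the user.
        return "allow", reasons


if __name__ == "__main__":
    scorer = SuspicionScorer()
    served = time.time() - 15          # form served 15 seconds ago
    print(scorer.decide("203.0.113.7", {"name": "Ann"}, served))
    print(scorer.decide("203.0.113.7", {"name": "Ann", "website": "http://spam.example"}, served))
```

A single signal only triggers a challenge rather than a block because each one can misfire on a genuine user (a password manager may autofill the honeypot, a shared NAT address may exceed the rate), which is exactly the accessibility and usability cost the guidance above warns about; the `reasons` list is worth logging so those false positives can be measured.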
Why CAPTCHAs are problematic
CAPTCHAs will make your service more difficult for some people to use, including disabled people.
Third-party CAPTCHA services could also introduce additional risks, including:
- security issues - if your provider’s security is compromised, your service and its users may also be affected
- privacy concerns - for example, third-party services might set cookies, collect analytics and track users across multiple sites
- performance issues - if you rely on a supplier, it means you’ll be affected by any performance problems or outages they experience
Your service could still be at risk, even with a CAPTCHA in place. Advances in image recognition and the use of CAPTCHA farms (services that pay people to solve challenges on a bot's behalf) mean some bots will still be able to access your service.
Alternatives to CAPTCHAs
Many of the risks that CAPTCHAs are aimed at reducing can be addressed in other ways including:
You can discuss alternatives to CAPTCHAs with the frontend community.
Related guides
You may also find the following guides useful: