Thoughts on whether Captcha can help or harm your user experience

What is Captcha exactly?

Anyone who uses the internet regularly, will be familiar with Captcha. It's those annoying letters that ask us to prove our humanity and show we’re not robots? 

British comedian Michael McIntyre hilariously summarised the pain they cause in his stand up.

Sadly, they are no laughing matter when they negatively affect your form’s conversion rate.

Captcha stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. It was designed to save our websites, and the forms within them, from being inundated by SPAM. 

In internet terms, SPAM is the devil’s work. It blocks up your eCommerce team’s inbox; distracting them from addressing genuine sales enquiries or other revenue generating duties. At its worst, SPAM can result in bots swamping your systems, causing severe operational issues within your website and back-end as well as increasing the risk of fraud and other criminal activities. 

So even though CAPTCHA is a source of irritation to web users, it’s actually here to save us from a life spent deleting hundreds of SPAM emails and keeps our personal data safe from those out to manipulate it for their duplicitous gain. 

In this sense, CAPTCHA poses a dichotomy for both form designers and web business owners alike: 

On the one hand, we know it detracts from the User Experience (UX) as consumers don’t like it.

But on the other hand, Captcha is a great way to protect privacy and provides a web experience free from the usability issues that SPAM creates. 

So how can we get this balance right? 

Luckily for us, as technology advances, so do better iterations and alternatives to Captcha. 

If you read this article, you’ll understand what should work best for your web form optimization, your customers and your business operation as a whole.  

Most importantly, the information should enable you to achieve the right balance between keeping your web-estate and customer data safe, whilst simultaneously creating an enhanced user experience and protecting your conversion rate. 

As user experience is a key component of your brand, it’s a job you want to get right. 

‍

What are the Pros and Cons of using Captcha? 

Captcha is quite effective as an anti-spam tool. It’s free, easy to install, and provides websites with an extra layer of security in 3 areas: 

•     Protecting website registration from receiving useless information and bot accounts
•     Preventing comment spam in the form of advertisements and unsolicited messages
•     Demonstrating to customers that you take security precautions seriously when it comes to sensitive information

Without Anti-Spam protection in place, a person who is active on email (The receipt of 10 emails per week qualifies as active) can receive up to 160 SPAM emails EVERY SINGLE WEEK! 

This ‘electronic waste’ can take someone 5-6 hours every month to dispose of it all. Plus, as SPAM can be the gateway to fraud and phishing, it’s estimated it accounts for global losses of tens of billions of dollars.

However, like most things in life, Captcha comes with its downsides. 

Esteemed UX Designer and Digital speaker Harry Brignull said: 

“Using a CAPTCHA is a way of announcing to the world that you’ve got a spam problem, that you don’t know how to deal with it, and that you’ve decided to offload the frustration of the problem onto your user-base. As statements go, that’s pretty lame”.

If your customers are unhappy with having to do a Captcha test, the likelihood that they’ll up sticks before making a purchase is increased. 

A study conducted by Animoto found that web forms without a Captcha achieved 64 percent conversion rate while a form with a Captcha had a 48 percent conversion rate. So by adding a CAPTCHA, a company can stand to lose almost a third of conversions from their web forms or checkouts. 

Whilst we understand the financial downside here – i.e. you miss out on some sales - we know the priority should be to create a worldwide web that’s as safe and as free from corruption as is possible. It’s down to us, the web experts to put the right systems in place to protect our customers and our businesses from corrupt practices. 

Therefore, the question to answer is which Anti-Spam system will help you achieve the right balance of: prioritizing your user’s privacy & safety   +   creating a seamless user experience   +    keeps any compromises to your conversion rates, at a minimum? 

It could be that using two or more of the systems outlined below is the right way to go, to attempt to keep both your web users happy and your Financial Directors satisfied with your financial performance. 

Let’s take a look at all the options you have at your disposal. 

The options for Anti-Spam protection for your forms: 

Re-Captcha 

Google's ReCAPTCHA service started as a research project out of Carnegie Mellon University in 2007. 

Google acquired the project in 2009 ,providing companies with ReCAPTCHA for free, in exchange for allowing the data from the service to be used to train its visual identification systems. 

Zuko currently use ReCaptcha on our own website, so you know we like it. 

Unlike the illegible Captcha of old, it’s simple and easier for users to see. 

It asks you to click a box to confirm that you aren’t a robot and then scans the submitter to confirm. If there’s any doubt, it then shows you an image (as below) to verify that you are indeed a human. 

Google recently launched Version 3 of their Captcha offering dubbed "invisible reCaptcha". They use data points to assess how a user interacts with a page to determine whether the user is a bot or a human. No check boxes on the users side are needed: everything is invisible. By looking at your behavioural traits like how quickly you filled the form out, whether there were any spelling mistakes or mis-selections at various points, this all demonstrates that you are a human. We all make mistakes, robots less so.

But before you stop reading this article and start shouting “let’s go with invisible reCAPTCHA – job done” – you need to know this: 

Whilst this undoubtedly provides a great leap forwards on the customer experience front, many websites, (Zuko included) are holding off installing this version until they can be completely satisfied the Google behaviour tracking system doesn’t compromise privacy protection. As the technology they use to track your behaviour including whether you have a Google Account, there are concerns about what is being done with that data. Watch this space. 

hCaptcha

hCaptcha is a credible alternative to the internet giant’s services. These guys are “the world’s most widely used independent CAPTCHA service” with about 15% market share. 

There are a number of positives about their solution, the main point being their ability to achieve that all important user-privacy. They don’t need to collect tonnes of data to identify bot-traffic or behaviours, as other options do. 

hCaptcha support Privacy Pass and aim to reduce the frequency of CAPTCHAs being required in the first place. They claim to:

• Collect the minimum necessary amount of personal data
• Be transparent about what data they collect and how & why they need to use it
• Have a robust solution for the visually impaired and other users with accessibility challenges

While these are a very big selling point against Google’s “invisible Recaptcha”, it is a paid service so there are real costs involved.

They also have the added bonus that their tests are more fun and their imagery more user friendly:

If you are someone who likes to consider the long-term as well as the short and medium term, then it’s worth remembering that a day will come where you’ll need an alternative means of SPAM protection, other than Captcha. We’ve been in a race against the Bots and AI over the last 20 years as machines try to get up to speed with human capabilities. 

Jason Polakis, a Computer Science Professor at the University of Illinois at Chicago, say’s they’re almost winning the race now: 

“Machine learning is now about as good as humans at basic text, image, and voice recognition tasks. In fact, algorithms are probably better at it; We’re at a point where making it harder for software ends up making it too hard for many people. We need some alternative, but there’s not a concrete plan yet.”

If you’d rather move away from the classic ‘Captcha’ methods of tests now, you could consider one of these methods instead: 

The Double opt-in

In essence, the email confirmation. 

A user’s registration on a web form / checkout is only verified when they click on a link your website sends them to their personal email. 

The main benefit of this option is that it almost eliminates SPAM entirely and provides you with a genuinely engaged audience (as you know the user in question is more ‘committed’ as they’ve provided you with their data and taken the time to do the task). 

There are however, a couple of downsides: 

1. You need to build a mechanism within your website system to automatically send a user an email to confirm. This will mean a significant investment in some form of marketing automation software. 
2. Studies have shown you could see a 20% decrease in the number of sign-ups compared to single opt-in methods. This is due to the fact some people don’t like providing their personal email address, OR just that they simply forget to look for your link and it disappears off into their SPAM, which is a tad ironic.  Having a DMARC record enabled will increase the email's credibility and help avoid the Spam folder.

As you stand to lose one fifth of your users with the double opt-in, we suggest you only consider this as an option if you have a fundamental need such as:

• You are processing extremely sensitive data
• You’ve experienced deliverability issues with your database in the past (i.e. have been logged as spam)
• You know you’re a potential target for malicious intent - this is an excellent way to keep the professional spammers and fraudsters at bay. 

‍

The Honeypot Method ‍

The honeypot method describes a way of coding fields on your web forms that are invisible to the human eye but that the bots detect and fill-in immediately. Any submissions which contain these fields as completed, are moved straight into trash. 

Whilst this sounds like a brilliant solution, there are limitations with it.

The first is related to autofill browsers. If a user clicks on autofill, the browser will fill out the ‘invisible’ fields anyway. Thus causing some human submissions to be moved straight into trash and giving you one - now very disgruntled - customer. 

The second limitation is that just like with the Captcha tests, bots are refining their techniques so they’re able to identify and ignore the honeypot traps. The effectiveness of this method will decrease over time as the bots learn to spot the potholes.

That said, the method still provides some degree of protection. If you’re against using any form of Captcha, it's absolutely better than nothing.

Social sign-up 

A foolproof way to outsmart bots is to offer a social sign-up. Bots don’t have social media or email accounts of their own!

By integrating with a third party, mainly companies like Facebook, Instagram, Linked In, Twitter or Google and Microsoft, you can verify the users humanity without the need for them to input their personal data again. 

‍

‍

The key positives here are that:

• Many people are reticent to provide their personal details. Blue Research report 86% of people are bothered by the need to set up new accounts on websites and 54% may leave a site and go to another rather than complete another registration form
• Social sign-ins negate the need for a user to have yet another password for yet another website, meaning they are more likely to return to you again if your process favours simplicity. 
• Integration with social media means it’s easier for ‘shares’, which can be important for businesses that value word of mouth.  
• The data a user has already provided these channels with is verified. Assuming all the correct permissions have been set up, you should get a brilliant quality of data to harvest to your CRM when opting for this method. 
  

While we’re fans of social sign-ups in the right context, there are a couple of things you need to be mindful of.

• Age group variance. Data from LoginRadius’ social platform showed that only 11% of users aged 50 + opt for social sign-ups, compared to 38% of those aged 18-25. If your products or services are aimed at an older demographic social integrations may not be the right method for you. 
  

• B2B Vs B2C. Speero, the CRO experts note that adoption rates are significantly lower for B2B enterprises than for those in the B2C market due to business users’ reticence to share their personal details in this context. The attention on GDPR means that employees are more cautious than ever of supplying businesses with their email addresses as they wish to keep endless sales communications to a minimum. B2C businesses on the other hand, do seem to benefit from social sign-ups, although we’d recommend using an email sign-up too, to maximise your possible audience. 
  

As you can see, the question of whether you should use CAPTCHA in your web forms isn’t straight forward. You need to establish what will work best in serving the users visiting your form whilst maintaining your conversion rates. If you see that genuine form registrations drop off a cliff at the point a CAPTCHA is introduced, then you need to look at alternatives. Best practice should involve trialling different methods and then A/B testing the impact on your conversion rates over time and with a few tweaks here and there. 

If you’d like any advice on what you should do next, please get in touch, we’d love to help.

For more guidance on common form questions and high impact tips, check out section two of Zuko's Big Guide to Form Optimization and Analytics.