Zuko Blog

Should you use Captcha on your Web Forms? Let's look at the data

Thoughts on whether Captcha can help or harm your user experience

What is Captcha exactly?

Anyone who uses the internet regularly, will be familiar with Captcha. It's those annoying letters that ask us to prove our humanity and show we’re not robots? 

British comedian Michael McIntyre hilariously summarised the pain they cause in his stand up.

Sadly, they are no laughing matter when they negatively affect your form’s conversion rate.

Captcha Form Example
Old School Captcha

Captcha stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. It was designed to save our websites, and the forms within them, from being inundated by SPAM

In internet terms, SPAM is the devil’s work. It blocks up your eCommerce team’s inbox; distracting them from addressing genuine sales enquiries or other revenue generating duties. At its worst, SPAM can result in bots swamping your systems, causing severe operational issues within your website and back-end as well as increasing the risk of fraud and other criminal activities. 

So even though CAPTCHA is a source of irritation to web users, it’s actually here to save us from a life spent deleting hundreds of SPAM emails and keeps our personal data safe from those out to manipulate it for their duplicitous gain. 

In this sense, CAPTCHA poses a dichotomy for both form designers and web business owners alike: 

On the one hand, we know it detracts from the User Experience (UX) as consumers don’t like it.

But on the other hand, Captcha is a great way to protect privacy and provides a web experience free from the usability issues that SPAM creates. 

So how can we get this balance right? 

Luckily for us, as technology advances, so do better iterations and alternatives to Captcha. 

If you read this article, you’ll understand what should work best for your web form optimization, your customers and your business operation as a whole.  

Most importantly, the information should enable you to achieve the right balance between keeping your web-estate and customer data safe, whilst simultaneously creating an enhanced user experience and protecting your conversion rate. 

As user experience is a key component of your brand, it’s a job you want to get right. 

What are the Pros and Cons of using Captcha? 

Captcha is quite effective as an anti-spam tool. It’s free, easy to install, and provides websites with an extra layer of security in 3 areas: 

Without Anti-Spam protection in place, a person who is active on email (The receipt of 10 emails per week qualifies as active) can receive up to 160 SPAM emails EVERY SINGLE WEEK! 

This ‘electronic waste’ can take someone 5-6 hours every month to dispose of it all. Plus, as SPAM can be the gateway to fraud and phishing, it’s estimated it accounts for global losses of tens of billions of dollars.

However, like most things in life, Captcha comes with its downsides. 

Esteemed UX Designer and Digital speaker Harry Brignull said: 

“Using a CAPTCHA is a way of announcing to the world that you’ve got a spam problem, that you don’t know how to deal with it, and that you’ve decided to offload the frustration of the problem onto your user-base. As statements go, that’s pretty lame”.

If your customers are unhappy with having to do a Captcha test, the likelihood that they’ll up sticks before making a purchase is increased. 

A study conducted by Animoto found that web forms without a Captcha achieved 64 percent conversion rate while a form with a Captcha had a 48 percent conversion rate. So by adding a CAPTCHA, a company can stand to lose almost a third of conversions from their web forms or checkouts. 

Whilst we understand the financial downside here – i.e. you miss out on some sales - we know the priority should be to create a worldwide web that’s as safe and as free from corruption as is possible. It’s down to us, the web experts to put the right systems in place to protect our customers and our businesses from corrupt practices. 

Therefore, the question to answer is which Anti-Spam system will help you achieve the right balance of: prioritizing your user’s privacy & safety   +   creating a seamless user experience   +    keeps any compromises to your conversion rates, at a minimum? 

It could be that using two or more of the systems outlined below is the right way to go, to attempt to keep both your web users happy and your Financial Directors satisfied with your financial performance. 

Let’s take a look at all the options you have at your disposal. 

The options for Anti-Spam protection for your forms: 


Google's ReCAPTCHA service started as a research project out of Carnegie Mellon University in 2007. 

Google acquired the project in 2009 ,providing companies with ReCAPTCHA for free, in exchange for allowing the data from the service to be used to train its visual identification systems. 

Zuko currently use ReCaptcha on our own website, so you know we like it. 

Unlike the illegible Captcha of old, it’s simple and easier for users to see. 

It asks you to click a box to confirm that you aren’t a robot and then scans the submitter to confirm. If there’s any doubt, it then shows you an image (as below) to verify that you are indeed a human. 

Google Recaptcha on Form Example
We bet you've all completed one of these!

Google recently launched Version 3 of their Captcha offering dubbed "invisible reCaptcha". They use data points to assess how a user interacts with a page to determine whether the user is a bot or a human. No check boxes on the users side are needed: everything is invisible. By looking at your behavioural traits like how quickly you filled the form out, whether there were any spelling mistakes or mis-selections at various points, this all demonstrates that you are a human. We all make mistakes, robots less so.

But before you stop reading this article and start shouting “let’s go with invisible reCAPTCHA – job done” – you need to know this: 

Whilst this undoubtedly provides a great leap forwards on the customer experience front, many websites, (Zuko included) are holding off installing this version until they can be completely satisfied the Google behaviour tracking system doesn’t compromise privacy protection. As the technology they use to track your behaviour including whether you have a Google Account, there are concerns about what is being done with that data. Watch this space. 


hCaptcha is a credible alternative to the internet giant’s services. These guys are “the world’s most widely used independent CAPTCHA service” with about 15% market share. 

There are a number of positives about their solution, the main point being their ability to achieve that all important user-privacy. They don’t need to collect tonnes of data to identify bot-traffic or behaviours, as other options do. 

hCaptcha support Privacy Pass and aim to reduce the frequency of CAPTCHAs being required in the first place. They claim to:

While these are a very big selling point against Google’s “invisible Recaptcha”, it is a paid service so there are real costs involved.

They also have the added bonus that their tests are more fun and their imagery more user friendly:

hCaptcha Question Images

If you are someone who likes to consider the long-term as well as the short and medium term, then it’s worth remembering that a day will come where you’ll need an alternative means of SPAM protection, other than Captcha. We’ve been in a race against the Bots and AI over the last 20 years as machines try to get up to speed with human capabilities. 

Jason Polakis, a Computer Science Professor at the University of Illinois at Chicago, say’s they’re almost winning the race now: 

“Machine learning is now about as good as humans at basic text, image, and voice recognition tasks. In fact, algorithms are probably better at it; We’re at a point where making it harder for software ends up making it too hard for many people. We need some alternative, but there’s not a concrete plan yet.”

If you’d rather move away from the classic ‘Captcha’ methods of tests now, you could consider one of these methods instead: 

The Double opt-in

In essence, the email confirmation. 

A user’s registration on a web form / checkout is only verified when they click on a link your website sends them to their personal email. 

The main benefit of this option is that it almost eliminates SPAM entirely and provides you with a genuinely engaged audience (as you know the user in question is more ‘committed’ as they’ve provided you with their data and taken the time to do the task). 

There are however, a couple of downsides: 

  1. You need to build a mechanism within your website system to automatically send a user an email to confirm. This will mean a significant investment in some form of marketing automation software. 
  2. Studies have shown you could see a 20% decrease in the number of sign-ups compared to single opt-in methods. This is due to the fact some people don’t like providing their personal email address, OR just that they simply forget to look for your link and it disappears off into their SPAM, which is a tad ironic.  Having a DMARC record enabled will increase the email's credibility and help avoid the Spam folder.

As you stand to lose one fifth of your users with the double opt-in, we suggest you only consider this as an option if you have a fundamental need such as:

The Honeypot Method 

The honeypot method describes a way of coding fields on your web forms that are invisible to the human eye but that the bots detect and fill-in immediately. Any submissions which contain these fields as completed, are moved straight into trash. 

Whilst this sounds like a brilliant solution, there are limitations with it.

The first is related to autofill browsers. If a user clicks on autofill, the browser will fill out the ‘invisible’ fields anyway. Thus causing some human submissions to be moved straight into trash and giving you one - now very disgruntled - customer. 

The second limitation is that just like with the Captcha tests, bots are refining their techniques so they’re able to identify and ignore the honeypot traps. The effectiveness of this method will decrease over time as the bots learn to spot the potholes.

That said, the method still provides some degree of protection. If you’re against using any form of Captcha, it's absolutely better than nothing.

Social sign-up 

A foolproof way to outsmart bots is to offer a social sign-up. Bots don’t have social media or email accounts of their own!

By integrating with a third party, mainly companies like Facebook, Instagram, Linked In, Twitter or Google and Microsoft, you can verify the users humanity without the need for them to input their personal data again. 

Social Sign In Examples
There are a huge amount of options for social sign in

The key positives here are that:

While we’re fans of social sign-ups in the right context, there are a couple of things you need to be mindful of.

As you can see, the question of whether you should use CAPTCHA in your web forms isn’t straight forward. You need to establish what will work best in serving the users visiting your form whilst maintaining your conversion rates. If you see that genuine form registrations drop off a cliff at the point a CAPTCHA is introduced, then you need to look at alternatives. Best practice should involve trialling different methods and then A/B testing the impact on your conversion rates over time and with a few tweaks here and there. 

If you’d like any advice on what you should do next, please get in touch, we’d love to help.

For more guidance on common form questions and high impact tips, check out section two of Zuko's Big Guide to Form Optimization and Analytics.

Looking to improve your form conversion?

Submit your form to get a free health check showing you:
  • Likely friction points leading to abandonment
  • Form elements contributing positively
  • Other areas for UX improvement
Zuko's Big Guide to Form Optimization and Analytics Cover Shot

We wrote the book on form optimization!

"The best book on form design ever written - 80 pages of PURE GOLD"
Craig Sullivan, CEO, Optimise or Die
(No email needed)

More from our blog:

Failed Form Submissions: Optimizing the Submit Button UX
Why failed submissions happen and how to reduce them
Optimizing the phone number field on forms
UX tips to reduce abandonment on mobile and landline form questions
Form UX Design Tips: Best Practice Examples
10 form design patterns that help optimize conversion
8 Tips to optimize your mobile form UX
CRO advice for forms on mobile devices

Zuko is the most powerful form analytics platform available on the market. Find out how to improve your form and checkout conversion by taking a product tour.

zuko full colour logo
Formisimo Ltd, Colony, 5 Piccadilly Place, Manchester, M1 3BR
VAT Number: GB181252425
Registered in England as company number 08859680
New Business: sales@zuko.io
Support: support@zuko.io