fbpx

Book a Call

I am not a robot

I’m Not a Robot – reCaptcha vs Turnstile – Which Captcha Wins?

Captcha technology has moved on. By and large, you no longer see static images with grunged up-text in them: in the endless security arms race, hackers have more or less worked out how to read most of them (even when we can’t!).

Everyone seems to hate captchas, and, in this office at least, a poor one will result in browse abandonment. People just cannot be bothered. So, if you want to retain your users but need to use a captcha, we recommend you use an invisible one. A modern captcha will analyse your behaviour as you use the page (and assess just how human you are) in the background.

The current market leaders are reCAPTCHA 3 from Google and Turnstile from Cloudflare.

Both are free for most users and far better than any normal developer could patch together in a month of Sundays. Don’t be tempted to code your own. The only real question should be “Which captcha should I use?”

Google reCaptcha?

Google’s reCaptcha has been around for a long time, and this third iteration is, most of the time, pretty unobtrusive.

Captcha wars - Google reCaptcha 2 I'm not a robot
Google reCaptcha 2 – I’m not a robot

Whereas reCaptcha 2 featured the familiar I’m Not a Robot checkbox, most of the time you won’t even know reCaptcha 3 is even there.

The main clue is a small tag that appears at the bottom right of the screen and expands on clicking. Leaving this tag visible is part of reCaptcha’s Terms and Conditions of use. Too bad if you have a chat widget you want to place there.

Captcha wars - Google reCaptcha 3 branding
Google reCaptcha 3

reCaptcha 3 will only intervene if it deems your behaviour to be too “robot-like.” Pasting content into form fields can sometimes set it off. Typically, you’ll get a popup asking you to identify the bicycles or somesuch.

Google updates its capture challenges frequently and, sometimes, these can be quite hard to complete. But, conversely this means the challenges are becoming more secure all the time.

Google documentation is extensive and it is relatively easy to implement, even on entirely self-coded sites.

or Cloudflare Turnstile?

Designed from the start to be unobtrusive. Cloudflare’s Turnstile runs entirely in the background – each form receives a little animated sticker to show the submission status, but there is no active user input. Users love that.

Captcha Wars Cloudflare Turnstile
Cloudflare Turnstile badge

If your form is an immaculate, pixel-perfect sliver, you may not appreciate a large, non-branded graphic. But these compromises are the crosses we developers must all bear.

It’s a little harder to set up but integrates well with other Cloudflare services. You need a Cloudflare account to use it, but that is free. The captcha itself is entirely free to use.

Captcha Features Compared

Google reCAPTCHACloudflare Turnstile
Annoyance FactorMost of the time, reCaptcha works in the background. When manual challenges are required, it can be difficult.Works entirely in the background.
BrandingAbsolutely positioned branding does not interfere with the design but does occupy some screen real-estate which may already be contested.Graphic is inserted into the page layout, disrupting some designs.
Ease of UseWorks with any html form and almost any server-side technology. Active community support.Works with all websites and CMS platforms but it is more likely that some coding may be required.
Cost10,000 free challenges per month. $8/pcm thereafterFree

So Who is the Winner?

Google and Cloudflare of course!

They get all that lovely data, freely given, which allows them to analyse how users interact with websites and fashion better products.

In the early days of captcha, we all spent a long time analysing garbled words. This, in time, taught the robots a great deal about character recognition. The robots are good at that now and those captchas are no longer secure.

The very process of convincing computers that we are not robots is teaching those companies how to impersonate human behaviour.

Robots are getting harder to tell from humans all the time.

Enough of the Sci-Fi, Which Captcha is Better?

Research suggests that Turnstile is less secure and allows more spam through. Anecdotal evidence supports this, though in most cases it’s fine.

For a new website, we normally install CloudFlare Turnstile; the user experience is better and it is entirely free. For the majority of people, it works just great. But once or twice in the last year or so, we have needed to move clients to reCaptcha.