- Published on
CAPTCHA protection: Comparing Google reCAPTCHA, hCaptcha, and Cloudflare Turnstile
If you publish an unsecured form in the wild of the internet, you can be certain of one thing: it will eventually be found and abused by spammers.
You have few options to protect your users from spambots. The easiest option is to add a honeypot field to your form, which usually catches the majority of drive-by spambots. For more advanced protection, you should look into CAPTCHA protection.
In this article, I will explain the principles behind CAPTCHA protection, and provide a short comparison of the best CAPTCHA solutions on the market: Google reCAPTCHA (v2 and v3), hCaptcha, and Cloudflare Turnstile.
What is CAPTCHA?
CAPTCHA stands for the “Completely Automated Public Turing test to tell Computers and Humans Apart”. CAPTCHA is a solution to ensure that only human beings can access a website.
CAPTCHAs have been with us for over 20 years. As the solution evolved over the time, CAPTCHA became a synonym for verification through sequence of letters or numbers in a distorted image. Nowadays, CAPTCHA providers are shifting to passive verifications of human beings without interaction with the user.
We will classify CAPTCHAs according to the need for user interaction. The interaction categories are:
- Active: Active CAPTCHA requires user interaction every time the user wants to send message through the contact form. Providers implements different user challenges, from solving math or verbal problems to searching for cars in images.
- Passive: Passive CAPTCHAs never interact directly with the user am. Some of them return a verification score and let the application decide the threshold. Passive CAPTCHA implementations analyze user's behavior and history of interacting with content on the web, perform time-based checks, utilize proof-of-work or proof-of-space checks.
- Hybrid or Invisible: Hybrid CAPTCHA does background tests in the browser and only if the automated test fails to verify the human being, interaction with the user is required.
CAPTCHA providers comparison
| CAPTCHA Provider | Interaction | Free calls (per month) | Rate limit (calls per second) | Pricing |
|---|---|---|---|---|
| Google reCAPTCHA v2 | Hybrid | 1 million | 1,000 | $1 per 1,000 calls |
| Google reCAPTCHA v3 | Passive | 1 million | 1,000 | $1 per 1,000 calls |
| hCaptcha | Active, Passive, Hybrid | 1 million (Active only) | 1,000 | $99 per month with 100,000 calls, then $0.99 per 1,000 calls |
| Cloudflare Turnstile | Passive, Hybrid | 1 million per site | Not documented | Custom pricing above 1 million calls per month |
Google reCAPTCHA, whether v2 or v3, offers 1 million free calls per month. Between 1 million and 10 million calls per month, every 1,000 calls will cost $1. For more than 10 million calls per month, contact Google sales.
Google also offers reCAPTCHA Enterprise which offers additional features, like password leak detection, fraud detection, SDKs for mobile applications, logs, and real-time metrics. You can check detailed comparison between reCAPTCHA versions. Fundamentally, it's a bit different product, so we've omitted it from this comparison.
hCaptcha is free for up to 1 million calls per month, but only in the Active mode. Hybrid and Passive interaction configurations require purchasing the Pro plan, which costs $139 / month ($99 when paid annually) and includes 100,000 free calls. Above that, every 1,000 calls cost $0.99.
Cloudflare Turnstile is free up to 1 million calls per month. Turnstile is currently in open beta and available as a free tool for all customers. Customers who need additional requests above 1 million calls can upgrade to Enterprise Bot Management with custom pricing.
When setting up the Cloudflare Turnstile widget, you can choose between managed widget which is Cloudflare’s Hybrid interaction mode, or non-interactive or invisible widget which is Cloudflare’s Passive mode.
Under the hood: How is the website secured?
The CAPTCHA verification process is integrated in both frontend and backend part of your application.
The frontend verification part differs depending on the interaction mode. In passive mode, challenge runs in the background and returns a verification token. In active mode, a CAPTCHA challenge is rendered, and once the user passes the CAPTCHA challenge, a verification token is returned.
Regardless of CAPTCHA interaction mode, the verification token is checked on the backend using CAPTCHA verification API.
Here is a sequence diagram of the passive verification process:
Conclusion
With the rise of passive CAPTCHA providers, CAPTCHAs no longer waste users' valuable time and still provide reliable verification that it is a human interacting with a web application.
I have published a harmonized CAPTCHA token verification profile so that you can easily integrate one of the providers into your backend part of your application using Superface OneSDK.
Each provider has its pros and cons, so next time we'll show you how to easily switch between them. Subscribe to our newsletter and follow us on Twitter / LinkedIn / DEV, so you don't miss a thing.