Did you know that bad bots cause billions of dollars in financial losses each year? Bot fraud is an undeniable threat to the worldwide web. Fraudsters have been exploiting systems with automated attacks since the early days of the internet, and CAPTCHA has been the key solution to stop the relentless bot attacks by telling bots and humans apart.

The fight has never been one-sided, however. Backed by massive financial motivation and advancing computer technologies, fraudsters found ways to bypass or crack CAPTCHA measures, leaving the ecosystem vulnerable to bot attacks. In turn, defenders had to get creative with their CAPTCHAs to stop the alarming bot threat.

To understand how to defend ourselves today and foresee the threats of tomorrow, first, we must look at the past. Over two decades of confrontation and billions of dollars lost by under-prepared victims, CAPTCHA has evolved in 3 waves to protect the internet from bad bot threats.

  • First Generation: Standard CAPTCHA 
  • Second Generation: Gamified CAPTCHA
  • Third Generation: No-Knowledge CAPTCHA

First Generation: Standard CAPTCHA

The first generation of CAPTCHA had a simple logic: humans are better than machine programs at recognizing twisted and warped text.

By introducing noise in the form of different widths, heights, background patterns, borders, and so on, the characters would become impossible for OCR (Optical Character Recognition) technology to recognize. By presenting challenges that required recognizing such noisy characters, automated programs could be stopped with ease.

First Generation Standard CAPTCHAs

These text-based CAPTCHA challenges were relatively easy for humans to solve in the early days of the internet. Yet, with the advancement of AI technology and OCR systems, machines got better at recognizing these noisy characters. As a result, text-based CAPTCHA challenges had to become increasingly difficult to keep machines out. The poor user experience of text-based CAPTCHAs was tolerated because of the security they provided, but this view changed drastically in 2014, when Google pitted one of its machine learning algorithms against humans to solve the most distorted and difficult text-based CAPTCHAs. Humans were only able to solve 33% of the challenges successfully, while the computer had an accuracy of 99.8% in recognizing the distorted texts.

Text-based CAPTCHAs Are Trivial For Bot Mitigation

No matter how distorted a Standard CAPTCHA is, it’s easy for sophisticated bots and hard for all humans

The Second Generation: Gamified CAPTCHA

The second generation of CAPTCHA left the text-based input approach behind for more innovative challenges that were deemed very difficult for machines to bypass at the time. These challenges included logic puzzles, visual comparisons, movement-based CAPTCHAs, and math challenges. Even though the second generation of CAPTCHAs looked very different from the first, the logic behind the challenges stayed the same: the superiority of humans' cognitive ability over machine programs, this time in recognizing images, numbers, or various objects.

If a human can pass a challenge, a machine learning algorithm can be trained to pass it too

Techniques such as reinforcement learning have been used successfully to crack the CAPTCHAs of this generation. When the only means of defense was to make the images and objects in a challenge harder to recognize, the average CAPTCHA solving time increased dramatically again, causing a lot of frustration among end-users.

As the battle between site owners and spammers continued, users were the real losers, and one thing became clear: the one-dimensional logic behind CAPTCHA was inherently paradoxical. As AI and machine learning technology advanced, the challenges had to become increasingly harder, so humans were fighting a losing battle.

Third Generation: No-Knowledge Advanced CAPTCHA

As challenging machines with such cognitive tasks proved ineffective, the no-knowledge CAPTCHA has taken the human verification process into a new dimension by introducing advanced risk analysis into the equation. With no requirement for human thinking, no-knowledge CAPTCHAs do not interrupt user operations and provide a much better user experience.

The third-generation CAPTCHA bases its decision on both the inherent biological characteristics of humans and the environmental information of the operation.

GeeTest CAPTCHA risk control engine analyzes the biometric and environmental data to determine whether the user is human or a bot

In third-generation CAPTCHAs, the magic happens in the back-end, where the risk control engine analyzes the behavior characteristics of the visitor's operations, including factors such as typing speed, cursor movements, and rate of scrolling, as well as the user's environment information, such as the device fingerprint and device reputation. From this it determines whether to make a secondary judgment by presenting a challenge, where further data about the user's operation can be collected, or to block the operation directly.

In third-generation CAPTCHA, it is not about completing the challenges; it is all about how a challenge has been completed.

The idea of the first and second-generation CAPTCHAs was to provide a challenge that machines couldn’t pass. Advancing AI and computer technologies gave machines the ability to pass any form of the challenge we could throw at them. User experience is an essential and limiting factor for the challenge difficulty; the logic behind the CAPTCHAs had to change. The third generation CAPTCHAs have brought the fight to another dimension by analyzing how the challenge is answered instead of merely checking whether the answer is correct or not.

The challenge presents the opportunity to collect further data about the visitors’ biological behavior, which allows challenges to be less difficult. The result is a smooth user experience.
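A minimal sketch of the decision flow described above, added here as an illustration and not GeeTest's engine: it scores behavioural signals (pointer path and timing, keystroke rhythm) together with an assumed device-reputation value and returns pass, challenge or block. The field names, weights and thresholds are assumptions, and the sample sessions are constructed.

```python
import math
import statistics

def pointer_features(samples):
    """samples: [(t_ms, x, y), ...] -> (path straightness, timing variation)."""
    pairs = list(zip(samples, samples[1:]))
    path = sum(math.dist(a[1:], b[1:]) for a, b in pairs)
    direct = math.dist(samples[0][1:], samples[-1][1:])
    gaps = [b[0] - a[0] for a, b in pairs]
    mean_gap = statistics.mean(gaps)
    straightness = direct / path if path else 1.0
    timing_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
    return straightness, timing_cv

def risk_score(session):
    """Combine behaviour and environment into a 0..1 risk (weights are assumed)."""
    score = 0.0
    pointer = session["pointer"]
    if len(pointer) < 3:
        score += 0.4                      # action with almost no pointer movement
    else:
        straightness, timing_cv = pointer_features(pointer)
        if straightness > 0.995:
            score += 0.3                  # ruler-straight path
        if timing_cv < 0.05:
            score += 0.3                  # metronomic event timing
    keys = session["key_gaps_ms"]
    if len(keys) >= 2 and statistics.pstdev(keys) < 5:
        score += 0.2                      # identical delay between keystrokes
    score += 0.4 * (1.0 - session["device_reputation"])  # environment signal
    return min(score, 1.0)

def decide(session, challenge_at=0.3, block_at=0.8):
    """Low risk passes silently; medium risk gets a challenge; high risk is blocked."""
    score = risk_score(session)
    if score >= block_at:
        return "block"
    return "challenge" if score >= challenge_at else "pass"

# Constructed sample sessions (not real traffic).
HUMAN_POINTER = [(0, 10, 10), (18, 14, 19), (31, 25, 24), (52, 41, 38), (61, 58, 41), (90, 80, 60)]
SESSIONS = {
    "human": {"pointer": HUMAN_POINTER, "key_gaps_ms": [120, 95, 210, 140], "device_reputation": 0.9},
    "scripted": {"pointer": [(0, 10, 10), (10, 20, 20), (20, 30, 30), (30, 40, 40)],
                 "key_gaps_ms": [50, 50, 50], "device_reputation": 0.2},
    "unknown_device": {"pointer": HUMAN_POINTER, "key_gaps_ms": [120, 95, 210, 140], "device_reputation": 0.1},
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, round(risk_score(session), 2), decide(session))
```

The "unknown_device" session behaves like a human but arrives from a poorly reputed device, so it lands in the middle band and receives a challenge instead of a silent pass or an outright block.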


Bot threats have become significantly more sophisticated with advancing AI technology over the years, making CAPTCHAs of the previous generations obsolete. History shows a clear pattern: for every measure humans created to stop bots, there came a smarter bot. How long do we have before the no-knowledge CAPTCHA becomes obsolete? Or maybe we should look elsewhere to find a solution to the decades-old bot problem? Find out in “Future of CAPTCHA Technology | Threats & Safeguards.”
