How to Switch From Your Traditional CAPTCHA to DataDome CAPTCHA

The post How to Switch From Your Traditional CAPTCHA to DataDome CAPTCHA appeared first on Blog – Datadome.

Online businesses that want to protect their platforms and their customers are migrating away from traditional CAPTCHA tools like reCAPTCHA, both because malicious bots are able to bypass siloed CAPTCHAs and because of end-user privacy concerns. Traditional CAPTCHAs are no longer “good enough” protection against today’s sophisticated, powerful bots.

Luckily, transitioning from tools like reCAPTCHA to a fully secure, privacy-compliant, and user-friendly CAPTCHA solution is a quick and easy process.

This guide will explore:

  • Drawbacks of Traditional CAPTCHAs
  • The New, Higher Standard for CAPTCHAs
  • 3 Ways Our CAPTCHA Solves Common reCAPTCHA Problems
  • Turning on DataDome’s CAPTCHA
  • Simple Steps to Remove Your Traditional CAPTCHA
  • Conclusion

Drawbacks of Traditional CAPTCHAs

Lack of Security

Traditional CAPTCHAs are outdated and insecure. Bots and CAPTCHA farms are easily able to bypass reCAPTCHAs, which provide no feedback beyond pass/fail signals—not enough data to refine your security and minimize false positives and negatives.

Even the ones based on scoring systems, such as reCAPTCHA v3, are not ideal because they require significant manual programming. You are left to decide: At which score do you consider the user to be a bot? If the user score indicates it is a bot, what response should it give? Should the user face a challenge? Should you hard-block the request? What happens with false positives? How can you track false positives and negatives, which are not shared automatically by the software?

Most traditional CAPTCHAs, including reCAPTCHA, have no innate way to review false positives or negatives. If a user passes the test, reCAPTCHA assumes they are a human (even though over half of all reCAPTCHAs passed are completed by bots). Humans who don’t pass the test get locked out, and bots who pass get free rein to access the website, app, and/or API. Not only are false positives and false negatives unaccounted for, but the algorithm making the decisions never learns or adjusts based on its mistakes.

Frustrating User Experience

On another important note, traditional CAPTCHAs hurt the customer experience. They are known to be slow, tedious, and irritating. ReCAPTCHA takes an average of 20 seconds to solve, which lowers conversion rates and negatively reflects on your brand.

Breach of Privacy

Last but certainly not least, traditional CAPTCHAs do not always follow privacy laws such as GDPR to protect the rights of end users.

The New, Higher Standard for CAPTCHAs

What makes a good CAPTCHA solution now that traditional options aren’t cutting it anymore? The best use of a CAPTCHA is to combine it with various other detection mechanisms, as one small part of a full bot protection solution, rather than your first line of defense. There are a few other qualities to look for in an effective CAPTCHA solution:

  • A CAPTCHA should never be siloed—that is, it should allow transparency for you to review false positives and negatives, and include a complete feedback loop to update responses accordingly. Bots are constantly changing and upgrading, so adequate protection must be able to do the same.
  • Data privacy is paramount. Your users and customers should never have to be concerned about whether their personal data is being collected, where it is going, and what it’s being used for when they try to access your website. Traditional CAPTCHAs have been reported to gather personal identifiable information (PII) from end-users and send it to third parties. But the growing consensus is that cybersecurity should not come at the expense of user privacy. A CAPTCHA solution should be compliant with data privacy laws and regulations across the world.
  • CAPTCHAs must not obstruct the user experience. From long loading times to accessibility issues, traditional CAPTCHAs are notoriously bad for the customer experience. Look for a CAPTCHA that only shows up when necessary, loads quickly, is easy for humans but hard for bots, and puts accessibility at the forefront—all without compromising the accuracy of its security.

The First of Its Kind—DataDome CAPTCHA

 

DataDome’s CAPTCHA is fully built by a security company, not an advertising company—and our goal is always to ensure your business (and your customers’ data) is protected. We believe the best CAPTCHA in the world works alongside a good bot and fraud management solution to keep your customers from ever knowing it’s there.

But for those rare occasions when a customer is presented with a CAPTCHA, it should be one that is focused on optimizing user experience (including accessibility), privacy compliance, and security. We set out to build a CAPTCHA solution for our customers that would fix the problems tied to traditional CAPTCHAs—and according to feedback from our early access customers, we did it!

The new DataDome CAPTCHA is superb. It renders much faster and interactions with it are more responsive than our previous third-party CAPTCHA. Bots can’t solve it, and humans can with minimal hassle. It’s just what a CAPTCHA should be.

Matthew Niehues, Product Engineer, Fidelity Solutions

3 Ways DataDome’s CAPTCHA Solves Common reCAPTCHA Problems

1. Accuracy Without Compromise

Our CAPTCHA is fully integrated with our powerful bot and fraud management solution. With over 25 low-latency points of presence, we respond to 100% of requests rapidly (in under 2 ms), blocking malicious attacks, managing allowed bots, and verifying humans with our industry-beating false positive rate of only 0.01%. Our behavioral detection engine identifies new bot techniques in real time, making CAPTCHA farms and CAPTCHA solve bots useless.

2. Data Privacy Compliance

Our CAPTCHA is compliant with local data privacy laws in North America, EMEA, APAC, South America, and Africa. Privacy is a fundamental human right that must be protected. Enhancing security should not mean sacrificing users’ data privacy. DataDome does not collect personally identifiable information (PII) and the non-PII data we do collect is used solely for detection and security, never shared with any third party, and always stored securely.

3. Fast & User Friendly

If our CAPTCHA is triggered, it works fast. The challenge loads in 0.9 seconds (versus reCAPTCHA’s 2.1 and GeeTest’s 1.8 seconds) and takes only 2.2 seconds to solve on average.

We also prioritize the accessibility of our CAPTCHA. Although most CAPTCHAs lack accessibility, the Valentin Haüy association’s Accessibility division found DataDome’s CAPTCHA very well designed for the visually impaired, with an audio challenge available in 13 different languages so far (versus reCAPTCHA’s 8 and GeeTest’s 7).

Turning on DataDome’s CAPTCHA

Switching from your traditional CAPTCHA to DataDome’s CAPTCHA is easy. In just a few steps, it will be in with the new and out with the old.

For Current Customers:

1.   Log into your DataDome dashboard and select “Management” at the bottom of the left-side menu. Then, choose “Response Pages”.

2.   Under “Choose a CAPTCHA solution,” select DataDome’s CAPTCHA.

If you need assistance or have any questions, please contact your customer success manager (CSM) or our support team.

For Noncustomers:

For those of you just discovering or vetting DataDome, switching to DataDome’s CAPTCHA starts with a live demo from a threat expert. Then, our team will gladly help you complete the following:

1.   Retrieve your key (either Client-Side Key or Server-Side Module Key) from your dashboard.

2.   Set up one of our “Server-Side” modules, or directly use our Protection API.

3.   Complete client-side integration:

  • For websites and single-page apps, refer to our JavaScript Tag.
  • For mobile applications, refer to our SDK documentation for Android and iOS.

For more detail and a list of available modules for server-side integration, see our “Getting Started with DataDome” documentation.

Then what happens?

Once the integration is complete, we will silently monitor each request to your platform in real time and display a CAPTCHA only when we detect the user is a bot. Thus, your real human users will not be bothered with CAPTCHAs. You don’t need to write any code to display the CAPTCHA or handle the feedback loop.

Steps to Remove Your Traditional CAPTCHA

CAPTCHA Integrations

Despite the many varied versions of CAPTCHA and reCAPTCHA, there are usually two key components when integrating one into a website:

  • Client-Side Code: Runs in JavaScript in the browser to display the CAPTCHA challenge.
  • Server-Side Code: Receives the response and makes an HTTP request to the CAPTCHA provider to validate it.

To remove your CAPTCHA, simply delete these pieces of code.

You may have code on the server side that detects whether or not a user has already passed a CAPTCHA and responds based on that. This code should also be removed before switching to DataDome’s CAPTCHA.

Removing reCAPTCHA

Remove Client-Side Integration

  1. Open the code for your client-side reCAPTCHA integration.
  2. Remove Google reCAPTCHA’s script tag: <script src="https://www.google.com/recaptcha/api.js" async defer></script>.
  3. Remove any parameter names you might have in the code, such as g-recaptcha.

Remove Server-Side Integration

  1. Open the code for your server-side reCAPTCHA integration.
  2. Remove any secret key for reCAPTCHA.
  3. Remove the g-recaptcha-response field.
  4. Remove the siteverify URL.
  5. Remove any scoring threshold code.

Remove Site From the Admin Console (Optional)

This process is not necessary to remove reCAPTCHA from your site, but if you’d like to remove your site entirely from the admin console, follow these steps:

  1. Open your reCAPTCHA admin console.
  2. Use the drop-downs to select the site from which you want to remove reCAPTCHA.
  3. Click the cog at the top-right to enter the page settings.
  4. Click the trash-can icon in the top-right of the page header.

For more details on where to find the various settings in the admin console, see Google’s reCAPTCHA settings documentation.

Removing hCaptcha

Remove Client-Side Integration

  1. Open the code for your client-side hCaptcha integration.
  2. Remove hCaptcha’s script tag: <script src="https://js.hcaptcha.com/1/api.js" async defer></script>.
  3. Remove any parameter names you might have in the code, such as h-captcha.

Remove Server-Side Integration

  1. Open the code for your server-side hCaptcha integration.
  2. Remove any secret key for hCaptcha.
  3. Remove the h-captcha-response field.
  4. Remove the siteverify URL.
  5. Remove any scoring threshold code.

Removing GeeTest

Remove Client-Side Integration

  1. Open the code for your client-side GeeTest integration.
  2. Remove GeeTest’s script tag: <script src="gt.js"></script>.
  3. Remove any parameter names you might have in the code, such as gt.

Remove Server-Side Integration

  1. Open the code for your server-side GeeTest integration.
  2. Remove any secret key for GeeTest.
  3. Remove the response field.
  4. Remove any references to API1 and API2.
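
A post-removal check for the steps above, added here as an example (it is not DataDome's or any CAPTCHA vendor's code): it scans source text for the client-side and server-side markers the lists name and reports where each one is still present. The function name, the sample file tree, and the exact siteverify hosts and geetest_* field names are assumptions not spelled out on this page.

```python
import re

# (provider, side, pattern). Script URLs and g-recaptcha / h-captcha / gt.js come
# from the removal steps; the siteverify hosts and the geetest_* form fields are
# the vendors' published names, which the page does not spell out.
MARKERS = [
    ("reCAPTCHA", "client", r"google\.com/recaptcha/api\.js"),
    ("reCAPTCHA", "client", r"\bg-recaptcha\b(?!-response)"),
    ("reCAPTCHA", "server", r"g-recaptcha-response"),
    ("reCAPTCHA", "server", r"google\.com/recaptcha/api/siteverify"),
    ("hCaptcha", "client", r"js\.hcaptcha\.com/1/api\.js"),
    ("hCaptcha", "client", r"\bh-captcha\b(?!-response)"),
    ("hCaptcha", "server", r"h-captcha-response"),
    ("hCaptcha", "server", r"hcaptcha\.com/siteverify"),
    ("GeeTest", "client", r"\bgt\.js\b"),
    ("GeeTest", "server", r"geetest_(?:challenge|validate|seccode)"),
]


def find_leftovers(files):
    """files maps path -> text; returns sorted (path, line_no, provider, side) hits."""
    hits = set()
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for provider, side, pattern in MARKERS:
                if re.search(pattern, line):
                    hits.add((path, line_no, provider, side))
    return sorted(hits)


# Constructed sample tree (not from any real project): a page and a handler
# where the reCAPTCHA integration was only partly removed.
SAMPLE = {
    "templates/login.html": (
        '<script src="https://www.google.com/recaptcha/api.js" async defer></script>\n'
        '<form method="post">\n'
        '  <div class="g-recaptcha" data-sitekey="SITE_KEY_PLACEHOLDER"></div>\n'
        '</form>\n'
    ),
    "app/views.py": (
        'VERIFY = "https://www.google.com/recaptcha/api/siteverify"\n'
        'token = request.form["g-recaptcha-response"]\n'
    ),
    "templates/home.html": "<h1>Welcome</h1>\n",
}

if __name__ == "__main__":
    for path, line_no, provider, side in find_leftovers(SAMPLE):
        print(f"{path}:{line_no}: {provider} {side}-side marker still present")
```

Secret keys and scoring-threshold logic have no fixed spelling, so those two steps still need a manual review. An empty result means none of the listed markers remain in the scanned files.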

Conclusion

Once you have switched from your traditional CAPTCHA to DataDome’s CAPTCHA, just sit back, relax, and let us take care of your bot protection on autopilot. Our supervised machine learning detection will adapt to detect the latest threats. Meanwhile, your users will be able to explore your platform challenge-free, mostly unaware you even have a CAPTCHA installed.

If you have any questions about switching to DataDome’s security-focused CAPTCHA, please don’t hesitate to contact us.

*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/bot-management-protection/how-to-switch-from-your-traditional-captcha-to-datadome-captcha/