Does 'CAPTCHA' still have meaning in the age of AI?

When logging into websites or filling out forms, various authentication tests are used, such as selecting a specific object from an image, clicking a 'I'm not a robot' checkbox, or aligning puzzle pieces in the correct positions. These authentication tests, known as 'CAPTCHA,' have been used to distinguish between humans and bots, but their effectiveness is being questioned due to advancements in AI, as explained by the science media outlet Live Science.
Are CAPTCHAs obsolete in the age of AI? | Live Science

Andreas Pressner, a computer scientist at ETH Zurich, explained to Live Science that 'CAPTCHA was introduced in the late 1990s to address a problem that is simple in concept but very difficult to solve.' That problem is how to distinguish whether the user is a computer or a human when the other party cannot be directly seen.
CAPTCHAs have always required users to perform tasks that are easy for humans but difficult for machines, in order to prevent bot-based comment spam, automated file downloads, and account hijacking. Many early CAPTCHAs required users to read distorted characters, which were difficult for the character recognition software of the time, but as the performance of character recognition software improved, other methods were developed.

One prime example of this is the widely used CAPTCHA service ' reCAPTCHA .' After Google acquired reCAPTCHA in 2009, tests using Google Street View images to select objects such as traffic lights, motorcycles, and bicycles from the images began to be used. Ng Chong, Chief Information Officer and Director at the United Nations University's Campus Computing Centre, explains, 'The tests using Google Street View images were based on the premise that recognizing objects from cluttered real-world photographs is still something only humans can do.'
Subsequently, in 2014, Google released ' reCAPTCHA v2 .' reCAPTCHA v2 works by having the user click a checkbox and analyzing their mouse movements to determine if they are human. If the system determines that the user is suspicious based on their actions on the site before clicking and the timing of the click, an image grid will be displayed as an additional verification step.

However, image recognition is no longer a field where humans excel. In 2016, researchers reported that reCAPTCHA v2 could be solved with approximately 70% accuracy using low-cost deep learning technology. Furthermore, in 2024, Pressner et al. developed an AI model that can solve the reCAPTCHA v2 puzzle 100% of the time.
AI successfully bypasses Google's 'reCAPTCHA v2' to prove that the user is not a robot - GIGAZINE

Chong also created a tool in early 2026 that could sometimes bypass reCAPTCHA v2 by mimicking human-like browsing behavior, stating, 'If it's possible to bypass it with a common tool that can run both the image puzzle and behavioral detection on a single laptop, then the fundamental premise of CAPTCHA—that there are tasks that humans can do but machines cannot—becomes invalid.'
However, CAPTCHA hasn't completely lost its purpose. Pressner's model bypassed reCAPTCHA v2, but CAPTCHA also has security measures that don't rely solely on whether the puzzle is solved correctly or incorrectly. Pressner said that during his research, solving a large number of CAPTCHAs from the same IP address resulted in the difficulty of the puzzles increasing or even complete blocking, so he changed his IP address for each test using a VPN. Pressner explained, 'Many of CAPTCHA's security measures looked not at whether the puzzle was solved correctly or incorrectly, but at the connection source and actions being used to solve it.'
In recent years, CAPTCHAs have shifted towards prioritizing information other than the puzzle itself. Google's ' reCAPTCHA v3 ,' ' Friendly CAPTCHA ,' and ' hCAPTCHA ,' as well as Cloudflare's ' Turnstile ,' don't even display the puzzle to the user. These systems determine the possibility of fraudulent activity based on factors such as 'whether the operation was performed by a device whose legitimacy can be verified rather than automated code,' 'whether the IP address has made a large number of automated requests in the past,' 'how the user navigates the webpage,' and 'what the cookie history looks like.'
Nevertheless, traditional CAPTCHA puzzles have been widely used for decades, and because they are easy to implement and relatively inexpensive, Chong explains that they will still be used on many websites as of July 2026.
Even though bots can solve the puzzles, CAPTCHAs tend to be a tedious task for humans. There are also concerns that they can be particularly disadvantageous for users with visual impairments. Pressner says, 'A CAPTCHA that only someone with a PhD in mathematics can solve isn't very useful. The internet needs to be accessible to everyone.'
Related Posts:







