Completely Automated Public Turing test to tell Computers and Humans Apart
CAPTCHA.
A challenge-response test designed to distinguish humans from automated bots — historically image or audio puzzles, increasingly invisible behavioral scoring that fires only on suspicious traffic.
The visible-CAPTCHA-as-standalone-defense era ended around 2020. ML solvers (and human-solver farms costing pennies per solve) defeat every visible challenge. Modern CAPTCHA value is in the telemetry it collects to score traffic — interaction patterns, browser characteristics, timing — used to gate higher-friction defenses for actually-suspicious requests.
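The gating step described above, as an added example that is not from the original page: a server-side function that validates a score-based provider's verification response and maps the score to a friction level. The field names follow reCAPTCHA v3's verify response; the thresholds, token lifetime, hostname and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for illustration; tune them against your own traffic.
ALLOW_AT = 0.7                       # score at or above: no extra friction
STEP_UP_AT = 0.3                     # score in [0.3, 0.7): add a stronger check
MAX_TOKEN_AGE = timedelta(minutes=2)
CLOCK_SKEW = timedelta(seconds=30)


def gate(verdict, expected_action, expected_host, now):
    """Return 'allow', 'step_up' or 'deny' for one parsed verification response."""
    # A token that fails verification, or was minted for another action or
    # site, says nothing about this request: reject it before reading the score.
    if verdict.get("success") is not True:
        return "deny"
    if verdict.get("action") != expected_action:
        return "deny"
    if verdict.get("hostname") != expected_host:
        return "deny"
    try:
        issued = datetime.fromisoformat(verdict["challenge_ts"].replace("Z", "+00:00"))
        age = now - issued
    except (KeyError, AttributeError, ValueError, TypeError):
        return "deny"
    if not -CLOCK_SKEW <= age <= MAX_TOKEN_AGE:
        return "deny"  # stale or post-dated token, possibly replayed
    score = verdict.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "step_up"  # no usable score: fall back to friction, not to trust
    if score >= ALLOW_AT:
        return "allow"
    return "step_up" if score >= STEP_UP_AT else "deny"


# Constructed sample response and clock, not captured from a real provider.
NOW = datetime(2026, 1, 15, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE = {"success": True, "score": 0.9, "action": "login",
          "hostname": "login.example.com", "challenge_ts": "2026-01-15T12:00:00Z"}

if __name__ == "__main__":
    for score in (0.9, 0.5, 0.1):
        print(score, gate({**SAMPLE, "score": score}, "login", "login.example.com", NOW))
```

Here `step_up` stands for whatever higher-friction defense the endpoint uses, such as a visible challenge or an MFA prompt.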
Common questions
Are CAPTCHAs still effective in 2026?
What's the difference between reCAPTCHA v2 and v3?
Is Cloudflare Turnstile better than reCAPTCHA?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
Bot Defense and Fraud Detection for Authentication Endpoints
Credential-stuffing bots, account-creation bots, scrapers, MFA-fatigue bots — the modern auth endpoint faces continuous automated attack. The defenses that hold and the ones that don't.