The CAPTCHA (2000 to Dying)

GPT-4 solves reCAPTCHA v2 with 99.8% accuracy. The CAPTCHA only blocks humans now.

Born 2000 · Still dying · Status: dying

Certificate of Death

Name of decedent: The CAPTCHA

Born: 2000

Died:

Age: 26+

Cause of death: AI vision models solve CAPTCHAs faster than humans at $0.001 per solve

Survived by: Behavioral biometrics, device fingerprinting, Cloudflare Turnstile, Apple Private Access Tokens

Invented by: Luis von Ahn, Carnegie Mellon University

Status: Dying

Final breath: 2027

Filed by D. Gupta · guptadeepak.com

The hook

A 2023 paper from ETH Zurich showed GPT-4 solving reCAPTCHA v2 with 99.8% accuracy. The same researchers tested humans at 96.7%.

Thesis. The CAPTCHA was always a Turing test. The Turing test is now trivially passable.

The story

The origin

Luis von Ahn's 2000 CMU paper. By 2008 reCAPTCHA was digitizing books while blocking bots, which felt brilliant: a security check that produced useful work as a side effect.

The arms race

Warped letters gave way to image grids ('select all traffic lights'), which gave way to invisible challenges, which gave way to 'tap and hold.' Each generation harder for humans, eventually trivial for AI.

The economics flip

By 2022 CAPTCHA solver farms charged $0.001 per solve. AI models passed humans in accuracy and speed. The supply side of CAPTCHA-solving became cheaper than the cost of legitimate users abandoning the flow.

The user backlash

Studies show CAPTCHAs cost ecommerce sites 15 to 30% conversion on average. The cost of false positives (humans failing the test, humans giving up) exceeds the cost of accepting some bots.

The replacement

Behavioral biometrics. Cloudflare Turnstile runs invisibly on more than 2 million sites. Apple Private Access Tokens ship in Safari. Neither asks the user to do anything.

Key data points

  • Luis von Ahn's CAPTCHA paper: 2000
  • reCAPTCHA launched: 2007 (acquired by Google 2009)
  • ETH Zurich GPT-4 study: 2023
  • Cloudflare Turnstile deployments: 2M+ sites
  • Apple Private Access Tokens shipped: iOS 16, Safari 16

Contrarian angle

The CAPTCHA's most successful function in its last decade was annoying paying customers off your site. Bots solved it. Humans gave up.

FAQ

Are invisible CAPTCHAs (reCAPTCHA v3) more effective?

Modestly. They reduce friction but still score off a model that AI can game. The honest answer: they are a stopgap, not a future-proof solution.

How do behavioral biometrics work without invading privacy?

They score signals like mouse trajectory entropy, typing rhythm, and touchscreen pressure patterns. The signals are processed locally or with privacy-preserving cryptography. Most users have no idea it is happening.

Should I still use CAPTCHA on my contact form?

Use Turnstile or hCaptcha's invisible mode. Honey-pot fields plus rate limiting handle most spam at 1% of the friction cost.
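
The honeypot-plus-rate-limiting approach from the answer above, as an added example (not code from the original article): a server-side gate for a contact form. The hidden field name `website`, the limit of 3 submissions per 10 minutes, and the choice to answer honeypot hits with the same 200 as real mail are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"  # hypothetical field name, hidden from people with CSS
WINDOW_SECONDS = 600        # assumed sliding window
MAX_PER_WINDOW = 3          # assumed submissions allowed per client per window

class ContactFormGate:
    """Decides whether a contact-form POST is delivered, dropped or throttled."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._attempts = defaultdict(deque)  # client key -> attempt timestamps

    def check(self, client_key, form):
        """Return (deliver, reason) for one submission."""
        now = self._clock()
        attempts = self._attempts[client_key]
        # Expire attempts that have left the window.
        while attempts and now - attempts[0] >= WINDOW_SECONDS:
            attempts.popleft()
        if len(attempts) >= MAX_PER_WINDOW:
            return False, "rate_limited"
        # Count every attempt that got this far, spam included.
        attempts.append(now)
        # A person never sees the honeypot field, so any value in it is a script.
        if str(form.get(HONEYPOT_FIELD, "")).strip():
            return False, "honeypot"
        return True, "ok"

def http_status(reason):
    """Honeypot hits get the same 200 as real mail so the sender learns nothing."""
    return 429 if reason == "rate_limited" else 200

def demo():
    """Constructed submissions from one client, driven by a fake clock."""
    now = [0.0]
    gate = ContactFormGate(clock=lambda: now[0])
    human = {"email": "a@example.com", "message": "Hello", "website": ""}
    bot = {"email": "b@example.com", "message": "Buy now",
           "website": "http://spam.example"}
    results = []
    for form in (human, bot, human, human):
        results.append(gate.check("203.0.113.7", form)[1])
        now[0] += 1
    now[0] += WINDOW_SECONDS  # the window slides past the earlier attempts
    results.append(gate.check("203.0.113.7", human)[1])
    return results
```

In production the client key would usually combine IP address with another signal, since many users can share one address behind NAT.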
