[alz]

So, most captchas don't seem to pose much of a barrier to bots that need to get round them.

A couple of months ago there was an article on the state of web scraping in 2016: https://goo.gl/eUtkRA. In it, the author easily identified and integrated one of many captcha solvers.

Worst case scenario, there is also crowdsourced mechanical turk style captcha solving as a service: e.g. https://anti-captcha.com.

I guess this raises the question as to whether captchas pose more of a barrier to users than bots, and whether they should be used at all?

[mike_hearn]

The big networks don't use CAPTCHAs in the original sense they were meant to be used anymore. They all moved on to phone verification many years ago. I was a part of some of the discussions in Google on this issue - should we keep using CAPTCHAs at all given that they'd been basically replaced by better systems?

The answer was yes. CAPTCHAs are still present because they act as a throttle. The point of a strong CAPTCHA is to limit the amount of abuse that can get through if the other mechanisms break down, by exploiting the fact that humans are kind of slow. Even though OCR can handle most CAPTCHAs these days, it's still not 100% effective, so by ramping up the number of CAPTCHAs you ask users to solve you can still put a throttle on activity. In this way it acts as a last line of defence.

That's why I'm not sure this is going to work out. CAPTCHAs are not a way to distinguish good users from bad, which is how CloudFlare is trying to use them here. CAPTCHAs are way to slow down and throttle traffic that might be auto-generated when you can't tell if it's good or bad. Building a new way to show you solved a CAPTCHA previously doesn't help if the reason you're being shown CAPTCHAs is specifically to slow you down regardless of whether you're good or bad.