You could embed a very-lightweight crypto-miner script into the page, with explicit UI acknowledgement (i.e. it starts when the user presses the "Verify" button, it displays that it's working and how hard it's working; and it runs until it produces exactly one target hash, at which point it clearly stops), and targeting an artificially-tuned difficulty such that a regular PC should be capable of completing in a minute or two (rather than trying to actually mine for any real blockchain network, which would require absurdly-high hash power.)
This is basically how "e-stamp" system proposals were supposed to work for email; but they never took off because email is an ossified system. The web is not ossified; individual websites are free to implement something like this.
If you're worried about spammers just throwing a GPU farm at the problem: the overlap between spammers and people who own crypto-mining operations is small; and the people who own crypto-mining operations have much-more-profitable things to point them at. So this should mostly stymie spammers—individuals will be okay with sitting around on the page for a couple minutes to complete the action, but it'll throttle spammers' actions way down, to the point where it's mostly not worth it to attack that site any more, vs. some other site (i.e. it'll have the same relative-deterrent effect that putting a club on your car does.)
You could even frontload the work, turning it from a proof-of-work system into a proof-of-stake system. Have the user "buy in" with a large hash workload during user registration; and then trust them from then on. (This is the better approach for a mobile app: direct them to register on the app's website on a PC, and then you can trust that user on the much-lower-powered mobile device, despite that device never generating a token.)
-----
An effectively strictly-equivalent approach is to just charge the user a dollar to complete certain actions.
One famous example of this is the SomethingAwful forums, where registrations cost $10. You can register as many times as you like—i.e. if your account gets banned, there's nothing stopping you from just coming right back again—but you'll need to pay another $10. Seems to work fine, in terms of making it too costly to keep doing anything the site bans people for.
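The hash-workload scheme proposed in the comment above, sketched end to end as an added example that is not part of any post in this thread. All names and values (`issue_challenge`, `solve`, `verify`, the 16-bit difficulty, the 5-minute expiry) are assumptions chosen for illustration; the server signs each challenge so the client cannot lower the difficulty, and it refuses expired or already-redeemed challenges.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, never sent to clients
DIFFICULTY_BITS = 16         # constructed value; raise it to lengthen the client's wait
TTL_SECONDS = 300            # constructed value; challenge lifetime
_spent = set()               # challenges already redeemed (replay guard)

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(action, now=None):
    """Server: random, expiring challenge bound to one action and one difficulty."""
    now = int(time.time() if now is None else now)
    body = f"{action}:{DIFFICULTY_BITS}:{now + TTL_SECONDS}:{os.urandom(8).hex()}"
    return f"{body}:{_tag(body)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, nonce):
    return leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest())

def solve(challenge):
    """Client: try nonces until exactly one target hash is found, then stop."""
    bits = int(challenge.split(":")[1])
    nonce = 0
    while _work(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, action, now=None):
    """Server: one HMAC and one hash, however long the client had to search."""
    now = int(time.time() if now is None else now)
    try:
        act, bits, expires, _salt, tag = challenge.split(":")
        bits, expires = int(bits), int(expires)
    except ValueError:
        return False
    body = challenge.rsplit(":", 1)[0]
    if not hmac.compare_digest(_tag(body).encode(), tag.encode()):
        return False  # forged challenge or client-edited difficulty/expiry
    if act != action or now > expires or challenge in _spent:
        return False  # wrong action, stale, or replayed
    if _work(challenge, nonce) < bits:
        return False  # not enough work
    _spent.add(challenge)
    return True
```

Action names must not contain `:` in this sketch, and a real deployment would keep the redeemed-challenge set in a shared store that drops entries once they expire.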
I like the cleverness and simplicity of the bitcoin mining approach, but the tradeoff between "takes too long, damaging our signup flow" (where anything more than 5 seconds is likely to have a material impact) and "doesn't take long enough, making it too cheap for bots to proceed" may be quite tricky.
Charging a buck is extremely simple, and fair. The SA example tickles me.
I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1 if given the option between the two.
My assumption is already that reCAPTCHA is not a solution. Your question would, then, be "Is there a solution?"
You may not agree and I respect this, but this is actually my point (and I don't have an answer to this question - I wish I had, though, and you have a point!).
I wish that people would soon stop thinking that reCAPTCHA is a solution at all.
Then, it will open people to start thinking hard on this problem and hopefully find good solutions that fit their exact situation. There may not be one size fits all, but many good solutions for each situation. We would not know without thinking.
I wonder if you could ask the user to trace a shape/pattern with their mouse? Or you draw a few animating dots with a canvas, and ask them to click the blue ones?
Fundamentally, though, you likely either piss people off by challenging their humanity, or violate their privacy by silently tracking their behavior, or break accessibility by evaluating the way they interact with your site against "normal" (bad for folks with screen readers, Lynx, etc., I'd assume).
There won't be a solution for long. AI is making great progress on this part of the Turing test. You can only solve this (for how long?) by making the test harder for real humans and that adds friction.
If you want to solve this, legal is your best bet. Make the things bots are doing illegal, and then track down the owners. It is hard but the criminal system is the only thing we have.
Since solutions for recaptchas can be purchased, I'm starting to wish I could just pay the market rate (< $0.01 each) instead of having to solve the damned things.