[cmjs]

I'm curious whether this can actually be considered to be a "CAPTCHA" in the true sense of the term. It doesn't seem to be intended to "tell computers and humans apart", but rather to force the client computer (not the human user) to do some work in order to slow down DOS attacks.

Of course slowing down DOS attacks is a great goal in itself, and it's very often what captchas have been (ab)used for, but it doesn't seem to me to replace all or most use cases for a captcha. In particular, since it can be completed by an automated system at least as easily as by a human, it doesn't seem like it would limit spambot signups or spambot comment or contact form submissions in any meaningful way.

Or am I misunderstanding, @realaravinth?

[realaravinth]

Thanks for the ping!

I used "captcha" to simplify mCaptcha's application, calling it a captcha is much simpler to say than calling it a PoW-powered rate limiter :D

That said, yes it doesn't do spambot form-abuse detection. Bypassing captchas like hCaptcha and reCAPTCHA with computer vision is difficult but its is stupid easy to do it with services offered by CAPTCHA farms(employ humans to solve captchas; available via API calls), which are sometimes cheaper than what reCAPTCHA charges.

So IMHO, reCAPTCHA and hCaptcha are only making it difficult for visitors to access web services without hurting bots/spammers in any reasonable way.

[cmjs]

Thanks for the reply! That's basically what I thought then – but as you say, traditional captchas are deeply flawed and ineffective anyway, and I totally agree that in many cases the cost to real users outweighs any benefit. So I'm excited to see alternatives such as mCaptcha popping up. It'll be interesting to see how it works out for people in real-world use.