Types of CAPTCHAs Explained
Text-Based CAPTCHAs
Text CAPTCHAs are the original CAPTCHA format, displaying distorted, rotated, or overlapping characters that the user must type into an input field. The text is rendered as an image with visual noise, lines, color gradients, and warping applied to make optical character recognition difficult. These challenges typically present 4 to 8 characters drawn from a mix of uppercase letters and digits.
Text CAPTCHAs were dominant from the early 2000s through roughly 2012, but their effectiveness has declined sharply as OCR technology improved. Modern deep learning models, particularly convolutional neural networks trained on CAPTCHA datasets, can solve most text CAPTCHAs with accuracy rates above 90%. As a result, major platforms have moved away from text-based challenges, though they remain common on legacy systems, government portals, smaller forums, and regional websites that have not upgraded.
Automation difficulty: Low. AI-based OCR solvers handle most text CAPTCHAs reliably. Services like CapSolver and CapMonster solve them in under 2 seconds with accuracy above 95%. Custom OCR models trained on a specific site's CAPTCHA font can achieve even higher accuracy.
Google reCAPTCHA v2
reCAPTCHA v2 is one of the most widely deployed CAPTCHA systems on the internet. It presents the familiar "I'm not a robot" checkbox, which triggers a behavioral analysis of the user's browsing session. If the analysis determines the user is likely human (based on mouse movement patterns, browsing history, Google account cookies, and other signals), the checkbox turns green immediately. If the system is uncertain, it escalates to an image selection grid.
The image challenges ask users to identify specific objects, such as traffic lights, crosswalks, buses, bicycles, fire hydrants, or storefronts, in a 3x3 or 4x4 grid of photographs. When a user correctly identifies an image, a new one may fade in to replace it, creating a multi-round challenge that increases difficulty. This dynamic loading prevents simple single-frame image analysis from working reliably.
reCAPTCHA v2 also offers an "invisible" variant that removes the checkbox entirely and only presents an image challenge when the behavioral score indicates suspicious activity. The invisible variant is embedded in form submission buttons or page actions, making it less intrusive for most users.
Automation difficulty: Medium. The checkbox alone can sometimes be passed by realistic browser automation with proper fingerprinting, but the image grid challenges require either human solvers or trained AI models. Solving services typically handle reCAPTCHA v2 in 10 to 30 seconds (human) or 5 to 15 seconds (AI), with success rates around 95%.
Google reCAPTCHA v3
reCAPTCHA v3 operates entirely in the background with no user interaction whatsoever. It monitors the visitor's behavior throughout their session and generates a risk score between 0.0 (very likely a bot) and 1.0 (very likely human). The website developer decides what to do with this score: a score above 0.7 might be allowed through, a score between 0.3 and 0.7 might trigger additional verification, and a score below 0.3 might be blocked entirely.
The scoring algorithm considers dozens of signals, including mouse movement patterns, scroll behavior, keystroke dynamics, page interaction timing, browser environment characteristics, IP reputation, and whether the visitor is logged into a Google account. Sites can place reCAPTCHA v3 on multiple pages to build a more complete behavioral profile of each visitor across their session.
In 2025, Google significantly changed reCAPTCHA's pricing model. The free tier was reduced from one million monthly assessments to just ten thousand, with usage-based billing kicking in above that threshold. This pricing change has pushed many websites toward free alternatives like Cloudflare Turnstile.
Automation difficulty: High. Because there is no discrete challenge to solve, handling reCAPTCHA v3 requires either achieving a high behavioral score through realistic browser automation or obtaining a valid token through a solving service. Token-based solving is available from most major services, but the tokens expire quickly (typically within 2 minutes) and must be used immediately.
hCaptcha
hCaptcha operates similarly to reCAPTCHA v2, presenting a checkbox verification followed by optional image challenges. The key difference is its positioning as a privacy-respecting alternative. hCaptcha does not use cookies for cross-site tracking, does not require or benefit from a Google account, and compensates website operators for CAPTCHA traffic by paying them for the labeled data their visitors generate.
Image challenges in hCaptcha ask users to identify various objects, animals, or scenes, similar to reCAPTCHA but with different image categories. The difficulty level can be configured by the site operator, ranging from simple single-round selections to complex multi-round challenges with edge cases.
hCaptcha gained significant traction after Cloudflare adopted it as their default CAPTCHA in 2020 (before developing Turnstile). It remains popular among privacy-conscious sites and those operating in GDPR-sensitive markets where Google's data collection practices raise compliance concerns.
Automation difficulty: Medium. Solving approaches are nearly identical to reCAPTCHA v2. Human and AI solving services support hCaptcha with comparable speed and accuracy. Pricing is similar, typically $1 to $3 per 1,000 solves depending on the service.
Cloudflare Turnstile
Cloudflare Turnstile represents the newest generation of CAPTCHA technology. Instead of presenting any visible challenge, Turnstile runs a series of lightweight tests in the user's browser: JavaScript execution challenges, proof-of-work computations, environment analysis, and machine learning classification. The entire process typically completes in under a second, and the user sees nothing more than a brief loading animation before being verified.
Turnstile operates without setting cookies or performing cross-site tracking, making it fully compatible with GDPR and similar privacy regulations. Cloudflare offers Turnstile free with unlimited verifications, which has driven rapid adoption among website operators seeking to reduce costs after reCAPTCHA's 2025 pricing changes.
In mid-2026, Cloudflare expanded Turnstile's capabilities with a dashboard toggle that specifically detects and blocks known AI scraper bots, including GPTBot, ClaudeBot, and PerplexityBot, alongside the long tail of headless crawlers used for content harvesting. This addition positions Turnstile as both a CAPTCHA and an AI scraping defense layer.
Automation difficulty: High. Turnstile's browser environment checks are specifically designed to detect headless browsers and automation frameworks. Standard headless Chrome or Firefox configurations fail Turnstile's checks. Passing requires either a fully configured browser with stealth measures or a token from a solving service that operates its own browser farm. Support among solving services is growing, but Turnstile remains one of the harder challenges to handle automatically.
FunCaptcha (Arkose Labs)
FunCaptcha presents interactive 3D puzzles and mini-games that require spatial reasoning to complete. Common challenges include rotating a 3D object to match a target orientation, selecting which image in a set is right-side-up, arranging dice to match a pattern, or matching animal silhouettes. These challenges are specifically designed to resist current AI capabilities by requiring an understanding of three-dimensional space and physical objects that computer vision models handle inconsistently.
Arkose Labs licenses FunCaptcha to high-value targets including major tech platforms, financial institutions, and gaming companies. The challenges are served through a dedicated iframe and generate encrypted tokens that are validated server-side.
Automation difficulty: Very high. FunCaptcha is among the most difficult CAPTCHAs to solve automatically. AI models struggle with the 3D spatial reasoning, and human solving is slower because the interactive puzzles take more time than simple image selections. Solving services charge premium rates for FunCaptcha, typically $3 to $5 per 1,000 solves, with lower accuracy rates than other CAPTCHA types.
GeeTest
GeeTest uses several challenge formats, the most recognizable being the slide verification where users drag a puzzle piece horizontally to fit into a gap in an image. GeeTest also offers click-based verification (click specific icons in a designated order), word-matching challenges, and more complex interactive puzzles. The system analyzes the drag trajectory, speed, acceleration, and timing to distinguish human movements from scripted automation.
GeeTest is especially popular in China, where it protects major e-commerce platforms, social media sites, and financial services. Its international presence has grown steadily, and version 4 introduced more sophisticated challenge types and improved bot detection algorithms.
Automation difficulty: Medium to high. The slide puzzle can be solved by detecting the gap position through image analysis and then simulating a realistic drag motion. However, GeeTest's trajectory analysis catches overly smooth or perfectly linear mouse movements. Solving services support GeeTest with typical solve times of 5 to 15 seconds.
Audio CAPTCHAs
Audio CAPTCHAs provide an accessibility alternative to visual challenges. They play a recording of spoken numbers or words mixed with background noise, distortion, and overlapping audio. The user types what they hear into a text field. Most major CAPTCHA providers, including reCAPTCHA and hCaptcha, offer an audio option to comply with WCAG 2.1 accessibility guidelines and avoid excluding users with visual impairments.
Automation difficulty: Low to medium. Modern speech recognition models, especially when fine-tuned on CAPTCHA audio patterns, can solve audio CAPTCHAs with reasonable accuracy. Some automation workflows deliberately switch to audio challenges because they are easier to solve programmatically than image-based alternatives.
Math and Logic CAPTCHAs
Some websites use simple arithmetic problems (such as "What is 7 + 3?") or basic logic questions as lightweight verification. These are typically custom implementations rather than third-party services, found on smaller sites, WordPress plugins, and basic contact forms. They provide minimal bot protection since even simple scripts can parse and solve arithmetic expressions.
Automation difficulty: Very low. Any script capable of parsing text can extract and compute the answer to a math CAPTCHA. These challenges stop only the most unsophisticated bots and are not considered serious security measures.
Choosing Your Approach by CAPTCHA Type
The CAPTCHA type you encounter directly determines which solving method is most cost-effective. Text and math CAPTCHAs can be handled locally with OCR or simple parsing, eliminating per-solve costs entirely. reCAPTCHA v2, hCaptcha, and GeeTest are well-supported by all major solving services at reasonable prices. reCAPTCHA v3 and Cloudflare Turnstile require more sophisticated approaches that combine behavioral mimicry with token-based solving. FunCaptcha remains the most expensive and least reliable to solve automatically, making prevention strategies especially important when it is the challenge you face.
In all cases, identifying the exact CAPTCHA system on a target page is the essential first step. The site key, the challenge iframe URL, and the JavaScript library loaded on the page all provide clear indicators of which provider is in use, and this information determines which API endpoint and parameters your solving integration needs.
Not all CAPTCHAs are equal. Text-based and math CAPTCHAs can be solved trivially, while Cloudflare Turnstile and FunCaptcha demand sophisticated approaches. Always identify the specific CAPTCHA type before choosing a solving method, as the wrong approach wastes time and money.