AI beat CAPTCHA. What’s next?

For over a decade, internet users have had to squint at blurry fire hydrants, bridges, and bicycles — until AI came along. What’s next for the CAPTCHA?

Why CAPTCHAs are about to vanish: how AI rewrote the

CAPTCHAs as we know them popped up on our screens 26 years ago. While they’ve evolved quite a bit since then, the core idea has always been the same: present users with a quick task that a human can solve in two seconds but that a computer can’t.

It all started with distorted text, math problems, and short audio clips. Then came the era of spotting fire hydrants, traffic lights, and motorcycles — a phase that seemed like it would last forever. But as it turns out, modern LLMs can blast through these visual puzzles much faster and more accurately than any human ever could.

Here’s a look at how these “are you a human?” tests have changed and what it means for your security.

The end of the image-clicking era

Back in 2007, Google rolled out reCAPTCHA, and eight years later, they added a test asking users to select all images matching a specific prompt. Just like that, millions of internet users inadvertently became experts at identifying traffic lights, bicycles, roofs, bridges, and fire hydrants. Of course, AI bots have long since learned how to crack these puzzles.

Which is why in June 2026, Google started testing a brand-new way to check if you’re human. Instead of the usual images, some users are now asked to record a short video showing hand gestures. Algorithms analyze the footage, tracking 21 key points across the hand and finger joints. By tracking how your hand moves, the system can tell if it’s dealing with a real human or a bot. Passing this new type of CAPTCHA means granting camera access, something that raises a red flag for anyone concerned about security and privacy. Additionally, security researchers claim to have already discovered a loophole in Google’s experimental hand-gesture-based CAPTCHA, demonstrating that it can be fooled using nothing more than a photo of a hand.

Still, Google insists these videos are never linked to your personal identity, and no audio is recorded whatsoever. Their security policy also states that Google deletes all data as soon as the verification is complete. As always, whether you choose to trust Google is entirely up to you. We’d just like to point you to our post, Taking a selfie with your ID card — is it safe?, where we break down the exact risks of biometric verification using passport photos as an example.

What are the alternatives to reCAPTCHA?

While Google’s reCAPTCHA is still the undisputed king of blocking bots, AI is forcing the world to adapt, and traditional CAPTCHAs are becoming a thing of the past. Here’s a quick breakdown of alternative services and bot-blocking methods from a security perspective.

Behavioral analysis systems

One of the most advanced ways to protect a website from swarms of bots is a behavioral analysis system. This method automatically evaluates every single visitor by tracking mouse movements, clicking patterns, and digital fingerprints to spot human behavior. But even this isn’t a silver bullet against bots; their operators can simply train them to mimic natural behavioral patterns, allowing the bots to easily bypass this type of defense again and again.

For users, this isn’t exactly great news when it comes to privacy. After all, nobody wants every website on the internet collecting their device specs and tracking how they behave. That said, you can’t really call it full-blown surveillance either, as most of these systems aren’t trying to figure out who you actually are, and their creators promise that they don’t store your data or use it for marketing purposes. The main goal here is strictly to figure out who’s just landed on the page: a human or a bot.

Turnstile and hCaptcha

Another major reCAPTCHA competitor is Cloudflare Turnstile. It handles verification in two ways: completely in the background or through minimal user action. You either don’t have to do anything, or you just check a box that says “I’m not a robot.” The main risk for users here boils down to social engineering. Hackers frequently use legitimate-looking CAPTCHAs on phishing sites. This lulls users into a false sense of security and prevents security scanners from flagging malicious pages.

Then there’s hCaptcha, a service that focuses heavily on security and, unlike reCAPTCHA and Turnstile, isn’t owned by a tech giant.

Passkeys

Broadly speaking, every method and service mentioned so far follows the same blueprint: they collect your data, sometimes store it, and use it for other objectives. The main shift now is that they require less effort on your part. You don’t have to look for fire hydrants or wave your hand at a camera. But you can take things a step further and eliminate CAPTCHAs entirely if a website supports passkeys.

In this setup, you don’t log in with a password; instead, you use cryptographic keys activated by your biometrics or a PIN, which usually makes an extra “prove you are human” check completely unnecessary. We broke down what exactly passkeys are, where they work, and how to use the technology in our post Passkeys in 2025: your complete guide to passwordless sign-in. If you want to store your passkeys and ensure they work seamlessly across all your devices, our password manager has you covered.

Unfortunately, passkeys don’t work in situations where you want to remain anonymous and browse without creating an account. Because of that, they can’t replace CAPTCHAs entirely, but they still make life a whole lot easier for the vast majority of users.

How to protect your privacy

From a user’s perspective, it makes almost no difference which bot-protection method a website decides to use. Let’s be honest — you’re probably not going to leave a page just because it uses reCAPTCHA or a behavioral analysis system. What’s more, when it comes to systems that run quietly in the background, you won’t even know what kind of data they’ve gathered about you and your device. But this doesn’t mean your privacy is a lost cause.

Our Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium apps for Windows and macOS include Private Browsing. The feature blocks third-party websites from tracking your online activity in real time. For mobile privacy, you can rely on Social Privacy (Android, iOS). Additionally, Android devices running version 9 or higher include the Who’s Spying On Me feature available in select regions. This tool detects stalkerware, checks for hidden tracking tags, and reviews app permissions that make it easier to spy on you.

Finally, our password manager has your back when a phishing site uses a real CAPTCHA to look legitimate — Kaspersky Password Manager won’t let you auto-fill your username and password on it. Here’s what else you can do to keep your data private:

  • Don’t enter your data on a site just because it’s protected by a CAPTCHA. Scammers have been using real reCAPTCHAs, hCaptchas, and Turnstiles on phishing pages for a long time to build trust.
  • Switch to passkeys whenever possible. They don’t work on phishing sites and significantly reduce the risk of your data and behavioral patterns being harvested.

We’ve put together an essential list of other technologies that are on their way out: