This post is part of a multi-part series that details the business and technical architecture of hCaptcha, the drop-in replacement for reCAPTCHA.
2023 Update: This post was originally written in 2018, and the system has evolved as hCaptcha has scaled to serve hundreds of millions of people and more use cases. We have lightly revised it, but it is mainly of historical interest.
This post details how hCaptcha works on a technical level, both to give our users more transparency and to communicate our thinking on how to build a secure and valuable service.
Note: hCaptcha is under active development and details may change in the future.
First, a quick recap
hCaptcha provides a useful service to website owners by protecting their sites from fraud and abuse, especially from non-human actors and bots.
Everyone benefits from this:
Website owners secure their site by placing a captcha challenge to protect against unwanted bot/spam traffic. They receive protection by using hCaptcha.
Website visitors enjoy a site with less spam and fewer bots.
High Level Design
The basic interaction flow is as follows:
Detecting Human Users
A common question that arises is: “how does hCaptcha know the answers to user-submitted, generic tasks if a human has never been involved?”
The answer is by combining many different techniques:
Using information from the client-side environment, such as browser data, mouse movements, and gyroscopic behavior.
Presenting tasks multiple times in various forms, and comparing the results via statistical analysis.
Using some of the latest machine learning techniques to enhance all of the above and verify the answers.
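To make the second technique concrete, here is an added example (not hCaptcha's code, and not taken from the original post) of one way to compare answers collected from repeated presentations of the same task. The Wilson score interval, the 0.6 threshold, the function names, and the task ids and answers are all assumptions chosen for illustration.

```python
from collections import Counter
from math import sqrt

def wilson_lower_bound(hits, n, z=1.96):
    """Lower end of the Wilson score interval for hits/n (z=1.96 is ~95%)."""
    if n == 0:
        return 0.0
    p = hits / n
    centre = p + z * z / (2 * n)
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / (1 + z * z / n)

def consensus(responses, threshold=0.6):
    """Map each task to its established answer, or None while undecided.

    A task counts as established only when the lower confidence bound on the
    top answer's share reaches `threshold` (an assumed cut-off), so a few
    unanimous answers are not enough.
    """
    established = {}
    for task, answers in responses.items():
        if not answers:
            established[task] = None
            continue
        top, hits = Counter(answers).most_common(1)[0]
        ok = wilson_lower_bound(hits, len(answers)) >= threshold
        established[task] = top if ok else None
    return established

def agreement(session, established):
    """Share of a session's answers matching established tasks (None if no overlap)."""
    scored = [(t, a) for t, a in session.items() if established.get(t) is not None]
    if not scored:
        return None
    return sum(a == established[t] for t, a in scored) / len(scored)

# Constructed sample data: task ids and answers are made up for illustration.
RESPONSES = {
    "img-001": ["cat"] * 18 + ["dog"] * 2,            # strong majority
    "img-002": ["cat", "dog", "cat", "dog", "bird"],  # split
    "img-003": ["dog"] * 3,                           # unanimous, too few
    "img-004": ["car"] * 15,                          # unanimous, enough
}

if __name__ == "__main__":
    known = consensus(RESPONSES)
    print(known)
    print(agreement({"img-001": "cat", "img-003": "dog", "img-004": "truck"}, known))
```

Only tasks with an established answer contribute to a session's agreement score, so answers on undecided tasks can be collected without being held against the respondent.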