Even as recent as 5 years ago I liked the idea of a captchas. I still understand the purpose behind them but recently I've started getting really annoyed by them(whether that be reCaptcha or hcaptcha or anything else). They are just everywhere and it gets incredibly tedious to have to solve one every odd click or so. And it gets even worse if you use a vpn or tunnel or god forbid tor: there's no way to solve them there AT ALL. Which is the sad part: despite the tons of innovation in ML, captchas seem to rely on recursion of hardcoded rules which pile up indefinitely the moment you step outside your "start your computer and open up a browser" behavior. Kind of sad considering the abundance of information browsers pass on with each request.

In some cases, it seems the companies deploy them to coerce and punish: 'logged out, did you? you deserve this captcha for trying to thwart our tracking, peasant! work this useless problem for us for free!' Looking at you, Meetup.

IIUC, they do help limit some classes of DDOS attacks.

> Recently I've started getting really annoyed by them

In the end, the services that are using captchas are the services that become the least liked, and users will start migrating to other services that don't use captchas, so there's a business penalty for using them.

On the other hand, if you want to filter out bad actors, then captchas are the way to go. The reason I recommended hCaptcha is because they're easier to solve, and sometimes Google's reCaptcha offering is so complex and hard-to-solve that it starts inducing carpal tunnel / RSI symptoms (at least for me). I don't get so easily fatigued & inflamed with hCaptcha though.

I’m wondering how TOTP compares as a solution here: would you be able to filter out bad actors similarly by using that instead of a captcha?

When you log in with a password server gives you a cookie/token so you stay logged in. It can be invalidated if your IP changes, it expires or something like that. But if you're logged in with 2FA those rules can be relaxed, it's a simple as that if you ask me. Implementation dependent of course.

I don't think those sites show you a captcha before you enter your login and password, but rather on submit. So for that username you don't show them a captcha at all, if they don't have a proper cookie you ask for 2FA.

For a list of companies implementing this or U2F, check here: https://www.dongleauth.info/

https://2fa.directory is another one

I don't understand the love for hCaptcha. The only thing it has going for it is being outside of the Google brand and that it is cheaper. Outside that, we don't know that they don't do the same shady shit Google does, they're equally as bad as reCaptcha, and they're equally inaccessible.

> The only thing it has going for it is being outside of the Google brand and that it is cheaper.

I find hCaptchas easier to solve though. My carpal tunnel in my wrist doesn't flare up and I don't get RSI[0].

reCaptcha is notoriously complex & difficult to solve if you suffer from RSI or joint inflammation.

[0] https://en.wikipedia.org/wiki/Repetitive_strain_injury

Really? Because I've had plenty of Cloudflare hCaptcha protections where I've had to repeat it 3 or more than, with the most being 6.

Maybe I'm just a robot as far as hCaptcha and reCaptcha are concerned.

They use the word privacy a lot, so surely they respect it, right? :(

If you're script blocking, hcaptcha also only requires one reload of the page as opposed to two for Google (enabling Google then enabling Gstatic)