Chances are, if you haven’t been living under a rock, you were at least once deemed a bot on the web. You know, when you need to solve those small puzzles, like picking only pictures with cars or recognizing a handwritten number. These puzzles are intended to protect us from bots, but instead, they are making our experience significantly worse. 

They are called Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA for short. 

When Robots Beat Humans at Their Own Game 

It’s not just you; proving you’re not a robot has become increasingly hard because bots can now solve these puzzles themselves, and they are catching up fast.

With recent advancements in AI, it’s just a matter of time before all puzzles can be solved by bots. 

But we still need protection. Bots on the internet are getting crazier every year; some say they accounted for 47.4% of all internet traffic in 2022.

Companies tackle this challenge in various ways. At Infobip, our Portal serves thousands of users daily who need secure access to manage their accounts and services. Bot protection isn’t optional, it’s essential. Protecting this high-traffic access point from automated attacks was critical, so we started with hCaptcha as our first line of defense.

Implementing hCaptcha: Learning from User Feedback 

We implemented hCaptcha to enhance our security measures; however, integrating it into our infrastructure required some adjustments, as hCaptcha relies on its own service for verification procedures. 

hCaptcha operates in invisible mode on our page, remaining transparent to users unless the system detects potentially automated behavior. When this occurs, users are presented with a verification challenge before accessing the Infobip Portal – their user account. 

While this approach provided the security benefits we were looking for, we began receiving user feedback about the complexity of some verification challenges. Users found certain CAPTCHAs difficult to complete, as illustrated in the Slack message below.

The CAPTCHA shown asks users to identify specific objects within images, which some found unclear or challenging to interpret. 

Additionally, we noticed that verification failures were occurring at a rate of 2-3% of all login requests. Due to the closed-source nature of hCaptcha, we had limited visibility into the root causes of these failures, which made troubleshooting more complex than we would have preferred. 

As a precautionary measure, we implemented a kill switch to quickly disable the feature if necessary and set up a Grafana dashboard to monitor error patterns and gain a better understanding of the user experience. 

Verification failures were common, and their causes were often unknown.

Evaluating Our Options: Key Considerations 

After reviewing our experience with hCaptcha, we identified several factors that influenced our decision to explore alternative approaches: 

  • Limited customization control – As a closed-source solution, we had restricted ability to fine-tune the behavior to match our specific needs. 
  • Evolving security landscape – As automated systems become more sophisticated, verification challenges often need to become more complex, which can impact user experience. 
  • Cost considerations – The ongoing expense needed to be weighed against other security investment options. 
  • Connectivity sensitivity – Performance could be affected by slower internet connections. 
  • Technical compatibility – Various browser, device, or OS configurations occasionally interfered with smooth operation. 
  • Network restrictions – Corporate firewalls or network policies could sometimes block hCaptcha connections entirely. 

Moving Forward: A Collaborative Solution 

Recognizing these challenges, our Principal Engineer proposed organizing a focused one-day hackathon within our team to explore innovative alternatives that could better serve both our security needs and user experience goals. 

Alternatives to hCaptcha that we considered: 

  • Cloudflare 
  • Building a custom solution 
  • Altcha 

Out of these, we picked Altcha.

Altcha, a different approach to CAPTCHAs 

Altcha offers a new approach to stopping bots. Instead of trying to detect them, it treats everyone the same. ALTCHA’s primary goal is to reduce bots by introducing a layer of complexity. This complexity acts as a barrier for spammers and automated bots attempting to abuse systems.

Every device that visits Infobip Portal first needs to solve a computation puzzle, but in the background and automatically, with no external connection needed. This mechanism is called Proof of Work (PoW). 
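As an added illustration (not code from the original post and not the ALTCHA library's API), the following Node.js sketch shows a salted SHA-256 proof-of-work exchange of the kind described above: the server issues a signed challenge, the client brute-forces it, and the server verifies it statelessly. The function names, the demo HMAC key and the `?expires=` salt suffix are assumptions; the outcome labels reuse the metric names from the dashboards discussed later on this page.

```javascript
// Added example: simplified salted SHA-256 proof-of-work. All names are hypothetical.
const crypto = require('crypto');

const HMAC_KEY = 'constructed-demo-key'; // assumption: server-side secret, never sent to clients
const MAX_NUMBER = 100000;               // search space, matching the 100,000-hash benchmark

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const sign = (s) => crypto.createHmac('sha256', HMAC_KEY).update(s).digest('hex');

// Constant-time comparison that tolerates inputs of different length.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server: pick a secret number, publish only its salted hash plus an HMAC over it.
function createChallenge(ttlMs = 60000, now = Date.now()) {
  const salt = `${crypto.randomBytes(12).toString('hex')}?expires=${now + ttlMs}`;
  const secret = crypto.randomInt(0, MAX_NUMBER + 1);
  const challenge = sha256(salt + secret);
  return { salt, challenge, maxNumber: MAX_NUMBER, signature: sign(challenge) };
}

// Client: brute-force the number; this loop is the CPU cost imposed on every request.
function solveChallenge({ salt, challenge, maxNumber }) {
  for (let n = 0; n <= maxNumber; n++) {
    if (sha256(salt + n) === challenge) return n;
  }
  return null;
}

// Server: stateless verification. Expired or tampered payloads count as InvalidSolution.
function verifySolution(payload, now = Date.now()) {
  if (!payload || !Number.isInteger(payload.number)) return 'SolutionNotProvided';
  const { salt, challenge, signature, number } = payload;
  const expires = Number(new URLSearchParams(String(salt).split('?')[1]).get('expires'));
  const ok = safeEqual(signature, sign(String(challenge))) && // challenge was issued by us
             safeEqual(sha256(salt + number), challenge) &&   // the work was actually done
             now < expires;                                   // challenge is not stale
  return ok ? 'Success' : 'InvalidSolution';
}
```

A solved challenge stays valid until it expires, so a deployment also has to remember used challenges for that window to prevent replay.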

Performance Analysis

Benchmarks

Device                       Performance   Time to solve
MacBook Pro M3-Pro (2023)    3 ops/s       0.33 sec
iPhone 12 mini (2020)        1.2 ops/s     0.83 sec
AWS EC2 (c6a.xlarge)         1 ops/s       1 sec
Samsung Galaxy A14 (2023)    0.4 ops/s     2.5 sec
AWS Lambda (1GB)             0.12 ops/s    8 sec

These benchmarks measure 100,000 SHA-256 cycles across consumer devices and AWS cloud instances. The results show how many ALTCHA challenges each system can solve per second at full CPU use. 

The data reveals an interesting performance difference: modern consumer devices significantly outperform cloud servers in these calculations. Since automated systems typically operate from server environments rather than consumer hardware, this creates a natural advantage for legitimate users.  

For context, the AWS EC2 instance (c6a.xlarge) used in testing costs $127 monthly, while AWS Lambda requires approximately 8 seconds to complete a challenge using the JavaScript library. 

Resource Impact and User Experience 

While one operation per second may appear modest, it requires 100% CPU use during that time, similar to when your computer briefly becomes unresponsive while processing intensive tasks. For legitimate users completing a single-form submission, this momentary processing is barely noticeable. However, for automated systems attempting to process requests at scale, this resource requirement becomes significantly more challenging. 

Adding ALTCHA proof-of-work to the form increases spammers’ expenses by a staggering 2,500%. In other words, ALTCHA takes spammers from the bargain bin to premium prices in no time.  

Altcha advantages

  • Free and open source. 
  • PoW concept, great for our use case, no challenge for users. 
  • Easy to implement, extensive documentation and support. 

Our results

So, what happened after we flipped the switch from hCaptcha to Altcha in March 2025? The results were immediate and undeniable. 

First and foremost, the user complaints vanished. Since the switch to Altcha, we have received only two complaints. In both cases, the issues were temporary, and the clients managed to log in successfully before our support team even had a chance to intervene. There were no follow-up complaints. 

Our support team is thrilled that they no longer have to deal with daily tickets about login issues. And frankly, it has made our on-call rotations much quieter and our weekends much more peaceful. 

The data backs up this positive experience. Our verification success rate now consistently hovers between 98% and 99%. Over the last seven days, the rate stands at a solid 98.50%, indicating that only 1.50% of traffic was identified and blocked as spam. The stability is a welcome change. 

A Visual Breakdown of Altcha in Action 

When evaluating the real-world performance of any security solution, the data tells the most compelling story. The following Grafana dashboards show a typical week with Altcha.

Overall Challenge Outcomes

The graph below shows all possible states for an Altcha challenge. The most prominent line by far is Success, which consistently tracks our daily active user count. The failure states are barely visible in comparison, indicating how seamless the experience is for genuine users. 

Successful Logins

The following graph visualizes the consistent stream of successful user logins, mirroring the normal usage patterns of the Infobip Portal throughout the week. 

Blocked Spam Attempts

The next two graphs illustrate Altcha performing its primary function. Graph three shows the SolutionNotProvided metric, which spiked during an attempt to brute-force our login endpoint with a large volume of requests that didn’t even attempt to solve a challenge. 

Graph four shows the InvalidSolution metric, which had a smaller spike from an entity trying to bypass Altcha by submitting incorrect solutions.

Minimal User-Side Errors

Finally, the next graph combines Timeout, FailedToFetchChallenge, and FailedToSolve. This represents the tiny percentage of failures due to factors like very slow devices, poor internet connections, or dropped requests. This number is negligible and has never caused a major incident, proving the solution is robust against real-world connectivity issues. 

From an operational standpoint, Altcha has drastically reduced our overhead. We have had so few issues that we almost forget it’s there. There is no more frantic toggling of the kill switch or managing complex whitelists for testing. Our security team has also benefited from the solution. They can now clearly see and track bot traffic attempting to breach our defenses, as evidenced by the spikes in the dashboards. 

Implementation and maintenance have been a breeze. Since the initial rollout, we have only made minor improvements to our metrics and logging. Compared to the constant fiddling required with hCaptcha, Altcha feels set-and-forget. 

And the cost? Altcha is free and open-source. By hosting it ourselves, we’ve been able to eliminate our previous service expenses while gaining a solution that better fits our operational needs and provides improved stability. 

The biggest surprise has been just how well it works. We took a chance on a new approach, and it has paid off beyond our expectations. The silence from our users and our support team is the best feedback we could have asked for. 

Conclusions

Our CAPTCHA experience led us from a traditional approach that required ongoing management to a streamlined solution that works quietly in the background. While hCaptcha served its purpose, we encountered operational challenges that required regular attention and often impacted user experience. 

Switching to Altcha and its Proof-of-Work approach was our turning point. We stopped trying to outsmart bots with complex puzzles and started imposing a simple computational cost. This cost is trivial for a real user but far too expensive for a spam operation running at scale. 

The results are clear. The noise is gone. User complaints have stopped, our verification success rates are consistently high, and our team spends virtually no time managing the system. We replaced a closed-source, costly service with a free, open-source solution that gives us full control and stability. 

Our dashboards now show a story of quiet efficiency, with the occasional spam attack being blocked effortlessly. 

The best proof that a security tool works is when you stop noticing it. We no longer deal with user frustration or emergency interventions. Altcha works so well we forget it exists, and that is the highest praise we can give. If you are tired of the CAPTCHA cycle, it is time to consider a different path.