CAPTCHA 2.0 is Alibaba Cloud's next-generation CAPTCHA service that distinguishes human users from automated programs using simple, secure, and diverse interaction logic. It protects web and mobile applications against bot attacks while minimizing and even preventing network resource abuse by computer programs that simulate human users. This ensures an authentic user experience while enhancing the defense of website resources against access from malicious programs.
Common use cases include account registration, SMS delivery, ticket booking, information queries, free downloads, forum posting, and online voting.
Benefits
CAPTCHA 2.0 improves on CAPTCHA 1.0 in the following ways:
All-in-one integration: Integrate once and receive automatic updates to protection capabilities and CAPTCHA types — no code changes required.
Multi-dimensional analysis: Analyzes reasoning logic, device data, and interactive behavior models to protect against bot attacks from multiple angles.
Broad platform support: Works on web, HTML5, iOS, and Android clients and in WeChat Mini Programs.
High availability: Delivers 99.99% availability with built-in disaster recovery.
Supported CAPTCHA types
CAPTCHA 2.0 supports six CAPTCHA types. Choose based on the risk level and acceptable friction for your use case.
| CAPTCHA type | How it works |
|---|---|
| Invisible CAPTCHA | Analyzes mouse movements, click frequency, and device fingerprint in the background. |
| One-click CAPTCHA | The user selects the Confirm you are not a robot checkbox. The system verifies identity by analyzing IP address, device fingerprint, and clicking behavior. |
| Slider CAPTCHA | The user drags a slider to the required position. The system verifies identity by analyzing trajectory characteristics such as speed and jitter. |
| Puzzle CAPTCHA | The user drags a puzzle piece to the required position. Uses image recognition and trajectory analysis for verification. |
| Visual reasoning CAPTCHA | The user solves a challenge based on spatial relationships, such as rotating an image or selecting the correct view. |
| Image restoration CAPTCHA | The user reassembles scrambled image blocks, such as assembling a puzzle or aligning fragments. |
How it works
CAPTCHA 2.0 uses different verification flows depending on the CAPTCHA type.
Standard verification
This flow applies to slider, puzzle, visual reasoning, one-click, and image restoration CAPTCHA types.
The user triggers a CAPTCHA challenge on your business page. The business client requests CAPTCHA resources (such as images and questions) from the CAPTCHA 2.0 server. If the request fails, the error information returned to the business client can be used to troubleshoot the failure.
The user completes the CAPTCHA challenge and the business interaction (such as logon or registration). The business client sends both the CAPTCHA information and the business information to the business server.
The business server calls the VerifyIntelligentCaptcha operation to send a risk verification request to the CAPTCHA 2.0 server.
The CAPTCHA 2.0 server performs risk verification and returns the result to the business server.
The business server processes the result according to your business logic, then returns the verification result and business processing result to the business client.
A notification is displayed on the business page and the business client proceeds with business processing.
If verification fails, the CAPTCHA challenge is re-triggered and the process restarts from step 1.
Sequence diagram:
Invisible CAPTCHA verification
Invisible CAPTCHA uses a risk-adaptive flow. The initial steps are the same as standard verification, but step 5 branches based on the detected risk level.
The user triggers a CAPTCHA challenge on your business page. The business client requests CAPTCHA resources from the CAPTCHA 2.0 server. If the request fails, the error information returned to the business client can be used to troubleshoot the failure.
The user completes the business interaction (such as logon or registration). The business client sends the invisible CAPTCHA information and business information to the business server.
The business server calls the VerifyIntelligentCaptcha operation to send a risk verification request to the CAPTCHA 2.0 server.
The CAPTCHA 2.0 server performs risk verification and returns the result to the business server.
The business server processes the result:
No risk detected: Verification ends. The business server returns the result to the business client and the business interaction is complete.
Risk detected: An additional CAPTCHA challenge is triggered:
The user completes a secondary CAPTCHA challenge (slider, puzzle, visual reasoning, or image restoration) and the business interaction. The business client sends the CAPTCHA information and business information to the business server.
The business server calls VerifyIntelligentCaptcha again for risk verification.
The CAPTCHA 2.0 server performs risk verification and returns the result.
The business server processes the result and returns the verification result and business processing result to the business client.
A notification is displayed on the business page and the business client proceeds with business processing.
If verification fails, the CAPTCHA challenge is re-triggered and the process restarts from step i.
Sequence diagram:
What's next
Billing: CAPTCHA 2.0 uses pay-as-you-go billing. Purchase resource plans to offset all pay-as-you-go fees. See Billing overview.
Activation: See Activate CAPTCHA 2.0.
Integration: After activation, integrate CAPTCHA 2.0 into your business client and business server. See the Integration guide.
Client integration: Integrate the CAPTCHA 2.0 initialization code into your web or HTML5 business page. See Integrate CAPTCHA 2.0 into a web or HTML5 client.
Server integration: Call the VerifyIntelligentCaptcha operation from your business server to initiate verification requests. See Integrate CAPTCHA 2.0 into a business server.
Monitoring: Query verification statistics on the Overview page of the CAPTCHA 2.0 console. See View verification statistics.