They Don’t Work, Here’s What Does

Over the past two decades, there has been one prevalent method to distinguish humans from robots — the CAPTCHA test. These pesky, annoying picture-based tests have had us all staring at blurry pictures of mundane artifacts, from traffic lights to buses and bicycles, trying to determine which boxes made up the entire image. Successfully solving one ostensibly meant one thing: that you were human, not a bot in disguise, and you deserved to be let through the internet gates to view whatever content was behind the test. And all was well with the world. Until it wasn’t.

Nowadays, things aren’t as straightforward as they used to be. Bots and AI agents are growing smarter by the day, and today, they are at a level where solving a picture-based test is an easy feat. For context, a group of researchers at the University of California, Irvine recently discovered that artificial intelligence (AI) bots have now become even more adept than humans at solving CAPTCHAs.

To curb this problem, developers have resorted to making CAPTCHA tests harder to keep the bots out. But that’s a zero-sum game, and harder tests will only lead to worse online experiences for humans, while AI will just get better at solving them. 

It has become increasingly evident that the only way to counteract this issue truly is to replace the current model with a newer, better one. If you buy a lock and thieves keep breaking it to get into your house, you don’t keep buying other, expensive locks. Instead, you pivot to other alternatives to keep them out. Similarly, web developers need to adopt a new approach to identity verification on the internet.

AI Ate The Captcha

The CAPTCHA was premised on a simple truth that machines struggled at pattern recognition tasks that came naturally to people. That advantage has collapsed.

Advances in computer vision, reinforcement learning and large language models have made modern AI better at solving CAPTCHA than most humans. Image-recognition systems routinely spot crosswalks or bicycles with near-perfect accuracy. Behavioral bots can mimic mouse movements and timing patterns to fool detection systems. Multimodal language models can parse distorted text that once stumped software. In head-to-head tests, bots now register accuracy rates over 95%, while humans often hover much lower, slowed by fatigue, poor design, or accessibility challenges.

This inversion has produced a perverse arms race. Each new CAPTCHA becomes more difficult in an effort to trip up machines, but that only makes them more challenging for humans, too. The result isn’t security, but frustration as websites repel genuine users while the most sophisticated bots glide through.

Recent events show just how fragile the system has become. In mid-2025, OpenAI’s new ChatGPT Agent bypassed Cloudflare’s “I am not a robot” check without detection. A year earlier, researchers at ETH Zurich demonstrated AI models that could solve Google’s reCAPTCHA v2 image challenges with 100% success. These aren’t isolated cracks — they’re signs that the CAPTCHA’s entire premise has collapsed.

Online identity has outgrown the old problem it was designed to solve. Stopping bots from claiming free email accounts was once the central challenge. Today, the stakes are far higher with the integrity of financial systems, the trustworthiness of elections, and even the distribution of humanitarian aid depending on knowing who is, and isn’t, a real human being.

CAPTCHAs were never built to handle problems on this scale. They can filter out crude spam bots, but they are powerless against coordinated armies of fake accounts, automated propaganda networks, or deepfake-driven impersonations. The same generative AI that shreds image puzzles can also manufacture endless synthetic identities, amplifying disinformation or gaming online systems at will. In this context, the “prove you’re not a robot” checkbox feels like a lock on a screen door.

A fundamental shift is now necessary. We need a system that can establish humanness without requiring disclosure of everything else. That means privacy by design, protections for basic rights, and usability simple enough for anyone to adopt. If we can’t verify personhood in a way that is both trustworthy and humane, the digital systems we rely on will continue to erode under the weight of synthetic actors.

A Better Path Forward

If CAPTCHAs mark the end of an era, proof of personhood can mark the beginning of a new one. The goal isn’t to reinvent puzzles for the web, but to establish a higher-order layer of trust, a way to confirm that a real human is present, without demanding more than that.

A passport offers a helpful analogy. It doesn’t reveal your entire life story at a border, it simply verifies that you are who you claim to be, and that you hold standing as a person in a recognized system. A digital proof of personhood can play a similar role online. Instead of distorted text or image grids, it would operate on principles that are…

• Human-first and rights-preserving: designed around dignity and accessibility, not friction.
• Usable across contexts: from financial transactions to humanitarian aid to democratic governance.
• Privacy-respecting: proving “a real person is here” without leaking biometric data, identity documents, or other sensitive details.

In the same way passports unlocked cross-border trust, digital proof of personhood could unlock cross-network trust. It offers a path out of the arms race between bots and CAPTCHA, replacing brittle tests with a durable foundation for verifying humanity itself.

Kill The CAPTCHA, Build Human Trust

The collapse of the CAPTCHA is more than a technical inconvenience, it’s a signal. For twenty years, we trusted in these puzzles to keep the internet human, but AI has outgrown them. The challenge ahead isn’t to make harder tests, it’s to build better foundations.

Proof of personhood points the way. By treating humanness as a right to be verified, not a hurdle to be cleared, we can protect the systems that matter most like finance, governance, aid, and the everyday digital spaces where trust is currency. The lesson of the CAPTCHA era is clear: brittle defenses break under pressure. The lesson of the passport era is equally clear with durable identity systems, built with rights at their core, can last generations.

The question isn’t whether we can keep bots out. AI will only keep getting smarter. The question is whether we can design systems that are visible, respected, and trusted across networks. That’s the real test. And it’s one we can’t afford to fail.