Last verified April 2026 · 6 min read

Captcha friction cost: reCAPTCHA v2, v3, Turnstile, hCaptcha

Q: Does captcha reduce signup conversion?

Yes. reCAPTCHA v2 checkbox (I am not a robot) typically costs 2-5% of legitimate signups per HubSpot and Baymard data. Invisible variants (reCAPTCHA v3, Cloudflare Turnstile) cost near-zero for legitimate users. On mobile, reCAPTCHA v2 costs more than on desktop because the touch target is smaller and puzzle challenges appear more often.

Q: Is Cloudflare Turnstile better than reCAPTCHA?

For most use cases in 2026, yes. Turnstile is invisible to legitimate users, does not load Google scripts (better GDPR posture), and Cloudflare's own published data shows higher passthrough rates for legitimate users than reCAPTCHA v2. It is free. The trade-off: Turnstile's bot detection depends on Cloudflare's network signals, so products outside Cloudflare's infrastructure may see different detection quality.

Q: When should I skip captcha entirely?

Consider skipping captcha when: your product is invite-only (accounts are vouched), you use SSO-only signup (the provider already validated identity), you have rate-limiting and email-domain filtering as primary abuse controls, or the abuse risk is low relative to conversion cost. For B2B SaaS with vetted prospects, captcha often costs more in legitimate conversions than it saves in spam accounts.

Captcha is an abuse-control measure that imposes friction on all users to filter out a minority of bots. The conversion cost is real: reCAPTCHA v2 checkbox costs 2-5% of legitimate signups per HubSpot and Baymard data. Modern invisible alternatives (Cloudflare Turnstile, reCAPTCHA v3) reduce this to near-zero. Choosing the wrong variant is a quiet, persistent conversion tax.

CAPTCHA OPTION	CONVERSION DROP	PRIVACY	BOT DETECTION	ACCESSIBILITY	COST	NOTES
reCAPTCHA v2 checkbox	2-5%	Loads Google scripts, GDPR concerns	Medium-high	Poor	Free	Highest friction of the mainstream options
reCAPTCHA v2 invisible	~0.5-1%	Google scripts, GDPR concerns	Medium-high	Good	Free	Triggers challenge only on suspicious scores
reCAPTCHA v3	~0%	Google scripts, GDPR concerns	Medium-high	Good	Free	Score-based only; no user interaction
Cloudflare Turnstile	~0%	No Google, GDPR-friendly	High (on Cloudflare infra)	Excellent	Free	Best overall choice for most products in 2026
hCaptcha	1-3%	Privacy-positive (does not sell data)	Medium-high	Fair	Free (paid for enterprises)	Privacy story better than reCAPTCHA; slightly more friction
Friendly Captcha	~0%	GDPR-friendly, EU-hosted	Medium	Excellent	Paid	PoW-based, invisible to users, good EU compliance story

reCAPTCHA v2 checkbox

The canonical 'I am not a robot' checkbox. Launched by Google in 2014, it became the default choice for form spam protection. The problem: it is visible friction on every legitimate user to stop a minority of bots. HubSpot's form conversion research and Baymard's checkout data consistently show 2-5% of legitimate users fail or abandon at the captcha step. On mobile, the rate is higher because touch targets are smaller and Google more often triggers puzzle challenges for mobile IPs.

reCAPTCHA v3

Score-based captcha with no user interaction. The form submits with a risk score; your backend decides what score threshold triggers a challenge or rejection. No checkbox, no puzzle. The conversion cost is near-zero for legitimate users. GDPR caveat: reCAPTCHA v3 still loads Google's JavaScript and sends data to Google, which has made it subject to GDPR scrutiny in some EU jurisdictions.

Cloudflare Turnstile

Launched in 2022, production-ready and widely adopted by 2026. Invisible to legitimate users, no Google script dependency, GDPR-friendly. Cloudflare publishes data showing higher legitimate-user passthrough rates than reCAPTCHA v2. The bot-detection relies on Cloudflare's network signals and device fingerprinting. Free. The best overall choice for most products in 2026 that are not deeply tied to the reCAPTCHA ecosystem.

hCaptcha

Privacy-focused reCAPTCHA alternative. Does not sell user data to advertisers. Widely used as a privacy alternative. Slightly more visible friction than Turnstile because some users see image challenges. Good GDPR story. A reasonable choice when you need a user-interaction captcha for accessibility reasons and want a cleaner privacy story than reCAPTCHA v2.

When to skip captcha entirely

Invite-only products, SSO-only signups, and B2B SaaS with vetted prospects are strong candidates for captcha removal. If your signup form can only be reached by clicking a specific invite link, captcha adds friction without adding security. Rate-limiting plus email-domain filtering plus device fingerprinting achieves better abuse prevention than captcha for most B2B contexts. One spam account per hundred attempts is a different risk profile than one per million.

Frequently asked questions

Does captcha reduce signup conversion?+

Yes. reCAPTCHA v2 checkbox costs 2-5% of legitimate signups per HubSpot and Baymard. Invisible variants (Turnstile, reCAPTCHA v3) cost near-zero. Mobile costs are higher than desktop for visible captchas.

Is Cloudflare Turnstile better than reCAPTCHA?+

For most use cases in 2026, yes. Invisible to legitimate users, no Google scripts (better GDPR posture), free, and Cloudflare's data shows higher passthrough rates. Best overall choice for most products.

When should I skip captcha entirely?+

Invite-only products, SSO-only signups, B2B SaaS with vetted prospects. Rate-limiting plus email-domain filtering achieves better abuse prevention than captcha for most B2B contexts without the conversion cost.