We are adding CAPTCHA to our Azure B2C and Turnstile is currently our preferred solution but I am after some clarification on its effectiveness against bots.
We are using the “Managed” widget. Every time this is presented we get the tick box challenge. This feels like it would be very easy for a bot to work around compared to an interactive challenge (i.e. image or text). I’ve read in various places that it is the user's behavior up to checking the box that is verifying if they are human, but there is little official information about how this works in practice.
We want to prove that Turnstile will provide some protection against automated bots. With this in mind, I have two questions that I hope someone can help with:
1. How does the tick box challenge prevent automated bots?
2. How can we create a test that proves that Turnstile correctly identifies a bot and prevents it from progressing through sign up? I am aware of the dummy keys that can be used for testing (https://developers.cloudflare.com/turnstile/reference/testing/) but I really want to show that with a real site key Turnstile can correctly identify our automated tests as a bot.