Understanding hCaptcha and reCAPTCHA v2
Administration
Okta Identity Engine
Overview

As an option to increase org security, Okta supports CAPTCHA to prevent automated sign-in attempts. It is possible to integrate either of two services: hCaptcha or reCAPTCHA v2. This knowledge article presents the differences between hCaptcha and reCAPTCHA v2.

Applies To
Solution

NOTE: The vendor implementations supported by Okta are both invisible. For reCAPTCHA v2, select the Invisible reCAPTCHA badge. Please refer to the CAPTCHA integration document for more information.

When selecting either of the two options in the Okta CAPTCHA integration, verify that the Secret/Sitekey corresponds to the matching type, as follows: hCAPTCHA (for example, Google hcaptcha) - hCAPTCHA (OKTA hcaptcha), and reCAPTCHA v2 (I'm not a robot / Invisible) - reCAPTCHA v2 (OKTA).

  • When using hCAPTCHA, the Sitekey and Secret will be configured here.

Sitekey and Secret configuration

Using the provided Sitekey and Secret in the Okta implementation requires no additional setup, and depending on the Options selected (Sign-in/Sign-up or Password reset), the user will always be prompted by the CAPTCHA.

  • When using reCAPTCHA v2, there will be additional selections such as an "I'm not a robot" Checkbox and an Invisible reCAPTCHA badge.


NOTE: When using Invisible reCAPTCHA v2, there may be no CAPTCHA prompt on the computer, because this advanced system scans for previous activity, among other things, and decides whether a prompt is necessary. This is expected behavior.

Invisible reCAPTCHA



NOTE: CAPTCHA is not supported for Password Reset in identifier-first authentication flows, that is, flows in which users enter passwords on a second sign-in page. To work around this, the authentication flow can be changed so that users see the username and the password on the same page in the Sign-In Widget:

  • Ensure that the org does not use any Identity Providers for authentication.
  • Use the Okta option for AND Identity provider is in the Global Session Policy rules, but not the Specific IdP option.
  • Ensure all of the Global Session Policy rules have the Establish the user session with option set to "A password".
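A check for the two Global Session Policy conditions in the workaround above, added here as an example (it is not Okta's code): it reads rules exported as JSON and lists every rule that does not use the Okta identity provider condition or does not establish the session with a password. The field names `conditions.identityProvider.provider` and `actions.signon.primaryFactor`, and the values `OKTA` and `PASSWORD_IDP`, are assumed from the Okta Policies API; the sample rules are constructed.

```python
# Added example: audit Global Session Policy rules against the workaround's
# conditions. Field names and values are assumptions based on the Okta
# Policies API; SAMPLE_RULES is constructed, not exported from a real org.

REQUIRED_PROVIDER = "OKTA"          # "Identity provider is: Okta" (assumed value)
REQUIRED_PRIMARY = "PASSWORD_IDP"   # "Establish the user session with: A password" (assumed value)


def audit_rule(rule):
    """Return the reasons a single rule breaks the workaround (empty if none)."""
    problems = []
    conditions = rule.get("conditions") or {}
    provider = (conditions.get("identityProvider") or {}).get("provider")
    if provider != REQUIRED_PROVIDER:
        problems.append(
            f"identity provider condition is {provider!r}, expected {REQUIRED_PROVIDER!r}"
        )
    signon = (rule.get("actions") or {}).get("signon") or {}
    primary = signon.get("primaryFactor")
    if primary != REQUIRED_PRIMARY:
        problems.append(
            f"session is established with {primary!r}, expected {REQUIRED_PRIMARY!r}"
        )
    return problems


def audit_policy_rules(rules):
    """Map rule name -> list of problems, for every rule that has any."""
    report = {}
    for rule in rules:
        problems = audit_rule(rule)
        if problems:
            report[rule.get("name", "<unnamed>")] = problems
    return report


SAMPLE_RULES = [  # constructed sample input
    {"name": "Employees",
     "conditions": {"identityProvider": {"provider": "OKTA"}},
     "actions": {"signon": {"access": "ALLOW", "primaryFactor": "PASSWORD_IDP"}}},
    {"name": "Contractors",
     "conditions": {"identityProvider": {"provider": "SPECIFIC_IDP", "idpIds": ["0oa-example"]}},
     "actions": {"signon": {"access": "ALLOW", "primaryFactor": "PASSWORD_IDP"}}},
    {"name": "Default Rule",
     "conditions": {"identityProvider": {"provider": "ANY"}},
     "actions": {"signon": {"access": "ALLOW", "primaryFactor": "PASSWORD_IDP_ANY_FACTOR"}}},
]

if __name__ == "__main__":
    for name, problems in audit_policy_rules(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(problems))
```

The condition that the org uses no Identity Providers for authentication is not covered by this check and has to be confirmed separately.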

