captchas make sense when you want to keep spammers out of your comment section. For logging in to an account though, the best alternative is really to just do nothing. Maybe rate limit connections that send bad logon attempts.