You can challenge the user with a so called Reverse Turing Test. It's basically a low quality and partially scrambled rendering of a random text or number (to prevent OCRing) that the user must interpret and submit back before being allowed to continue with the log-in procedure. See this paper for more info.