Google reCAPTCHA v3 without user interaction launches
Google unveiled a new version of the company's reCAPTCHA service yesterday that aims to make the service more user friendly and provide webmasters with better options when it comes to dealing with unwanted traffic.
Chance is, that any Internet user encountered a number of captcha verification prompts in the past. These are designed to verify that the visitor is indeed human and not a bot. A sign-up page is a prime example for captcha use; websites don't want bots to register accounts automatically and to prevent that from happening, may add captchas to the page to throw bots off while keeping human visitors on the site.
Captcha solutions have a number of problems associated with them: the percentage of false positives is high and it is sometimes difficult or even impossible to decipher the text that you are asked to enter; this leads to user frustration.
Google reCAPTCHA v3
Google hopes to make things better with the release of reCAPTCHA v3. When Google launched the first version of the verification tool all users had to pass the captcha test to continue on to the site or action. Google added signals to the second version of the test which made about half of the users pass without having to enter a captcha.
The third-version changes things around completely as it is now putting webmasters in charge when it comes to the display of captchas. Instead of displaying a captcha to a user right away, reCAPTCHA v3 computes a score that tells the webmaster how likely it is that a visit is made by a human or bot.
Now with reCAPTCHA v3, we are fundamentally changing how sites can test for human vs. bot activities by returning a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all. reCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site.
Webmasters get new options and more control over the process. They may set the threshold that determines when visitors are let through to the site automatically, may add custom signals to the detection, e.g. if a user has an account on the site, and may use the signals to train machine learning algorithms.
Webmasters may set up thresholds and define the type of verification that they require from the visitor, e.g. to use two-factor authentication or phone verification.
Closing Words
The changes introduced in reCAPTCHA v3 need to be implemented by web developers before users will benefit from the new approach. The new system should reduce the number of captchas that users are exposed to. Ultimately, it depends on the web developer and the set threshold whether the new system will indeed be more favorable to Internet users.
Now You: How often do you encounter captchas on the Internet?
Every Fu**ing time I need to enter this damn captcha on all sites. And no, I dont use tor.
I hope this get a end
Using a VPN seems to be a trigger for captchas. Get this often just signing into a site / service, and on some, just visiting the site. Perhaps you are experiencing the same?
Nope. I get this on my home isp. I got captcha 2 times for one site everytime
In the example of ‘Land Before Time’, where is the ‘I haven’t seen that movie’ option?
But yes, I’ve often thought some sort of logic or general knowledge question might work as long as it was obfuscated enough to foil AI.
e.g. Man in the moon is not Armstrong made of this common food item. (Answer: cheese)
You must not have read the article, that image is just a joke from the xkcd site. The whole point of reCAPTCHA v3 is that you don’t need “obfuscated questions”, it can now auto-detect bot activity and shouldn’t even prompt most users from now on.
Google recaptchas are a way for them to collect countless hours of free tiresome labor from people, but also to fingerprint and track users, and their code is loaded from Google servers by lots of sites even when people never have to actually use them. They give incentives to disable privacy defenses because keeping tracking cookies may avoid having to solve them again, the anti-fingerprinting extension CanvasBlocker for example is forced to add an out-of-the-box exception for them to avoid breakage, and I suppose they will not even work with javascript disabled.
“reCAPTCHA v3 runs adaptive risk analysis in the background”
From Google, who knows what creepy profiling code this implies.
Why don’t you check the api and let the world know what creepy profiling code this implies? I know it’s easier to spread FUD, but please help the rest of world to be saved from this creepy code.
If you think that Google’s bad reputation about privacy is undeserved, why don’t YOU go ahead and tell us what exactly this code does ?
I don’t know what it does. That’s why I am keeping my mouth shut and don’t pretend to know everything. I have nothing to prove because I haven’t made any statement that it is creepy profiling code or it isn’t. YOU HAVE, SO PROVE IT. IF YOU DON’T YOU JUST SPREADING FUD.
Does “From Google, who knows what creepy profiling code this implies.” sound like a statement that I actually analyzed what the code does ? This was clearly phrased as a concern about what it *may* do considering Google’s reputation, not a statement that I “know everything”, so I do not have to prove anything to you, nor do I have to silence my legitimate fears, doubts or uncertainties just because it sounds bad for your favorite corporation.
Anyway, CIA Bro gave you what you wanted.
FYI: Google recaptcha attempts to place a permanent tracking cookie, as well as session cookies. It collects all the browser info it can get its hands on such as IP address, user agent, plugins, CSS info, etc. Ofcourse the tracking works better with the CIA’s Chrome browser integration and CIA’s Android phones. Due to all this it’s not surprising Google has been trying to sabotage VPN, Tor, and Firefox users (explain how using a VPN equals to being a “bot”!), because all those things can for now circumvent Google’s tracking.
@ Anomymous, Yes, CIA did. This is how it works. You prove your statements and don’t try to spread nonsense because it looks cool like a 5 year old child. This is not a gossip site. Thank you CIA.
Again, I didn’t make any statement that required proof, and I’m not at your service. None of YOUR useless comments contributed anything, except crying for people to do the work for you.
Anonymous wrote “None of YOUR useless comments contributed anything”.
Indeed useless comments that contribute are be far better :)
How about useful comments that contribute to nothing, like mine right here, lol?
He deliberately misinterpreted the last part of my first post just to troll, and now he found a little friend in his game. I’ll stop feeding them.
@Anonymous, your useless posts contribute nothing. Apart from crying about a potential boogeyman. Post like CIA’s contribute. Yes, this post don’t contribute anything too.
I encounter them more than I want.
But who is Mr. – or Mrs. Littlefoot? Never heard of him or her! So I have to guess for the good answer.
Or is it maybe the point that I have to wast main time to look up who Mr. or Mrs. Littefoot is?
This because when I am starting the guess what the right answer will be the wrong answer percentage will not go down I guess?
So is version 3 also a strikeout. And is tree strikes not out of the happening?
All those billions of dollars in their possession and even more people who work for them and they can’t come up with something that is not only easy to handle worldwide but also secure, it seems not!
That’s a joke from the xkcd comic. reCAPTCHA v3 should be invisible to the user (or most of them).
Here is a demo:
https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php
And here is it failing to identify me as a human *beep*boop* (unless you set that threshold really low):
https://i.imgur.com/5ek7y1f.png
Thanks for the demo. Weirdly, it always fails for me in Firefox 63. I disable all addon and content protection and even start in safe mode (and private window) but still fail. It only passes when I use MS Edge. Hmmm…..
Interesting.
I get a score of 0.7 without cookies, and 0.9 if I have visited some sites (probably Google) previously.
Of course it’s not working. Try using normal mode instead of incognito
@Anonymous: “Try using normal mode instead of incognito”
If that’s required, and if it’s required that the system be able to read cookies that it did not set, then this reCAPTCHA system is worthless.
Stop blaming Google, blame developers and boycott their sites using Google recaptcha instead.
I encounter reCaptcha v2 everywhere, not just when creating accounts or submitting comments (thank you for not using it, Martin!). I even had to solve one when I was logged in to an account and wanted to change my email address! I really hate them. Most of them are not a simple tick box. Usually I have to solve a puzzle like click on all the bicycles. I especially hate the ones where a single image is divided up into multiple squares. Do I tick the square with a tiny piece of handlebar in it? I can’t tell you how many times I get “Please try again.”reCaptcha probably determines if I solved it correctly based on the responses of all the other idiots on the internet. I’ve also noticed that I get more reCaptchas when I am using a VPN, probably because other people are using the same VPN for nefarious purposes. If reCaptcha V3 uses more machine learning, I fear there will be even more false positives of humans being taken for robots, but I hope I’m wrong.
So, if I understand this correctly… you’re saying that reCaptcha v3 keeps track of user identifiable information (ip, browser, operating system, anything you leak it uses) and then has the web master report if the user behaves like a bot… if so then google marks your identifying information as a bot.
Can we get a great firewall going that removes Google from the face of the earth?
After reading Anonymous’ astute comments, it sadly reminds me of a childhood song:
Old Mc”Google” had a web, eyai, eyai, oh.
and on this web he had a bot, eyai, eyai, oh.
With a bot-bot here, and a bot-bot there,
Every where a bot-bot.
Old Mc”Google” (now) owns the web. Eyai, eyai, Woe… :<(
Valborex, you are an artist! The Web is a farm and unfortunately McDonald pollutes food as Google the Web.
@ Tom Hawack It’s understandable – You don’t like Google. You don’t like reCAPTCHA. You don’t like Win 10.
But not liking McDonald’s??!! – OMG! that’s, that’s REPREHENSIBLE!!
I’m gonna tell Ronald McD immediately. You’re in really big trouble now. Big trouble!
“How often do you encounter captchas on the Internet?”
I estimate once or twice a month. But I’m very, very cautious about what sites I go to and tend to avoid sites that require account creation, so that probably explains that.
“websites don’t want bots to register accounts automatically and to prevent that from happening, may add captchas to the page to throw bots off while keeping human visitors on the site.”
OK for registering an account, but why when logging in once the account is registered?
Google reCAPTCHA is system-wide blocked here. I am fed up with sites calling Google for fonts, scripts and captcha. I therefor have the choice,
between unblocking, satisfying Google reCAPTCHA, registering or logging in, on the site, closing the site and blocking back reCAPTCHA …
and boycotting the site.
I boycott. That is I don’t register on such sites. Example:a French Electricity company which uses Google reCAPTCHA for logging in. I’m a customer, I don’t see why I’d have to go through this, at least once registered. All private and administration sites I know have their own scheme for checking, for instance entering a numerical code on a numerical pad with non-static digits. My bank does it, many respectful places do it, why do some sites take it the easy way by calling Mommy Google for help? hey, site admins, move yourself and stop putting Google between us and you. It’ll be without me as it already is.
Quote: “I boycott”
Boycott your French Electricity company, they all over-invested in nuclear power plants:
https://en.wikipedia.org/wiki/List_of_nuclear_reactors#France
@manouche, I boycott a company’s website when applicable, the company itself is another level that I don’t consider necessary. Concerning this French Electricity company, EDF is it’s name, boycotting means that I’ve chosen to receive information and bills via snailmail rather than retrieving them in pdf format from their website. It’s a pity but it’s their fault, not mine. I wrote to them (email!), explained, nothing does it : reCAPTCHA and a mountain of trackers, ads … fed up. One of the very few to persist with such a policy when the others have their own checking in place!
Honestly I don’t think they care if they will move on without you.
They probably have enough users who don’t have a problem with Google.
They made a choice you or Google. They chose Google.
Like software developers who make their software compatible only with Microsoft’s Windows.
It’s basically the same, do you think they care if they will move on without Linux users?
Of course they care, EDF already loses 3000 customers a day, 1 million of customers last year.
Again, I have nothing against EDF and nothing against the content of their website which is rather well crafted. My concern is all in accessing my account on their website.
I suggest ✌ï¸
ghacks.net should test reCAPTCHA v3 for a week or so.
It might be some relief for a while and on the other hand interesting to find out, who is left in the ghacks commentariat … ♫
“Nothing against EDF”: well on the EDF site Google recaptcha hurts you but your Linky is much worse.
Anonymous, don’t mix up everything. I’m in the focus of Google reCAPTCHA and I give registering/logging in EDF as an example, I’m not in a societal/political/demagogy scenario in the face of a company and I point it out in order to be clear and not mistaken with hot heads which bounce on everything they find to lay their eternal digressions.
EDF’s website was crafted by creators, designers, its inside is well done as i previously said. Unfortunately orders were given as to how the site should handle registration and login and that’s where I intervene to state that I disagree with Google interfering at that level.
Clear enough or you wish a drawing?
Fuck you, faggot mods on here, why not release all comments, huh?
Fools, bloody fools. Fools!
Im Surprised cos even tho I use VPN and Tor , yet I dont see an excess amount of captchas…just one or two depending on site (in a week time frame) ; just cloudfare verifiers (w/o captchas).
It’s pretty smart really. Inventing a web where only people who accept all the google tracking can register/log in/use essential functionality.
“These are designed to verify that the visitor is indeed human and not a bot.â€
That is Google’s plausible cover story Martin to get the website to use their constantly running data-mining background analytics.
What they REALLY want to do is prevent anonymous surfing.
That is Google wants to digital fingerprint and identify WHO YOU ARE EXACTLY.
At the very least they need to ID you to push advertising.
‘A sign-up page is a prime example’
Here Google gets all the user personal information username, password and email.
I especially ‘like it’ when Google is eavesdropping at VPN login page!
They won’t let you login if you are using the VPN you paid for as this prevents Google identifying you
So they want you to login ONLY with your REAL IP Address.
I am dumbfounded that people cannot understand this scheme to positively ID you.
Again the bot is a good cover story to Id humans.
This version of recaptcha, as well as the later updates to v2, are a pox to privacy-conscious users as they instantly set your score to 0.1 for using an older useragent string to blend in which is an autofail / forced to keep re-solving impossible captchas even though you know for a fact that you selected the 3-5 correct street lights.
after entering a newer useragent string, it still gave me a fairly bad score in the range of 0.3 – 0.7, until of course I allow third party cookies for google.com and remain logged into my google account (punishing users some more for using the google container addon, etc…) then the score goes up to 0.9 and I no longer get unsolvable captchas. seriously, I hate google for this change as well as putting their cancerous tracking cookies directly on the google.com domain to evade third party cookie blocking.
somebody needs for sue them for this trash, why should I need to be logged into google to get easy captchas? absurd.
I hate recaptchas with a passion. The worst experience was attempting to register with The Verge. Their failure to disclose in their review that the MS Laptop was completely unserviceable destroyed all of their credibility in my eyes and it seemed appropriate to let them know. That isn’t going to happen. After solving 12 or 14 recaptchas, I was taken back to the submit page to start solving them again! That seemed like a good time to admit defeat.
I’m a paid member of another site that requires solving this crap before logging me in with my password. What sense does that make? The evidence suggests there may be people out there who are not very smart. ;-)
The score seems to plummet to the point that it fails if mixed content is blocked in the browser.
Using chrome, especially with a VPN, lots of captchas; with FF, very few, maybe a bit more with VPN.
Does google have anyone who really comprehends english grammar and syntax?
This: “…while letting your human users enjoy a frictionless experience on your site.”
I didn’t have to read that 10 times, just once, to think:
it means they have prior knowledge to discern a human from a bot and captchas are just screwing with users, human or code, to mine data. Or not, tech isn’t know for reality based communication for sure and google’s trust index is well into negative territory.
Google collecting even more information from you! How evil.
I can’t change the password on my old Spotify account because of GOOGLE’s CIA/NSA gatekeeping. Oh well, no Spotify, I don’t really care (haven’t used it in ages anyway).
‘Prove you are not a robot’- yep, just a cover story so that Google knows about as many THINGS as possible on the Internet. Order a pizza? Don’t forget to check-in with Recaptcha!
Use a so-called privacy protective email service like Protonmail.com? Recaptcha in the background, or you’ll fail to log in!
I have Google blocked, and will continue that way for as long as possible- even if that means getting off the Internet one day!
The best way to verify we are human, is with another human, but companies don’t want to pay humans to do that job.
Understand that captchas just don’t prevent bots, they are themselves bots! This is basically an arms race between AI, that can’t go on much longer, where Google and Cloudflare will eventually lose in this game.
Eventually, what I reckon will happen, is that captchas will no longer work, and everyone will be required to register (in person) to get some sort of web ID with biometrics, issued through banks or the like. In other words, there will be no more anonymity on most or all of the web.