Skip to content
Naked Security Naked Security

Invisible reCAPTCHA means no more clicking on kitten pictures to prove you’re carbon-based

Google's Invisible reCAPTCHA means most humans won't have to jump through hoops - the algorithms will determine if you're a robot

It’s a happy day for reCAPTCHA haters who can’t stand repeatedly having to prove they’re not bots by clicking all the pictures that contain a kitten. As of last week, sites could choose to make all that testing slip below the surface and go invisible.

Back in December, Google said that it was working on a new version of the are-you-a-human-or-a-bot test, and as of last week, Google made it available for website developers.

Called Invisible reCAPTCHA, the free service is designed to protect sites and apps from spam and abuse without any need for users to click in a quivery human fashion, select all the images that depict a given object, or whatever other thing developers have had us do to prove we’re real.

Google says that Invisible reCAPTCHA uses advanced risk analysis technology, combined with machine learning, to separate humans from bots. That means no more need for us to click on anything at all (or to select images associated with a clue image, as mobile users have been doing).

Google’s been using risk analysis to fend off bots for years. In 2013, it revealed what it called its Advanced Risk Analysis backend for reCAPTCHA.

That back end doesn’t just look at whatever gobbledygook we type into a box or how human-like our mouse clicks are. Rather, it observes our entire engagement with a CAPTCHA, from start to finish – before, during, and after we click anything – to determine whether we’re carbon-based.

Specifically, the difference between bot and human can be revealed in clues as subtle as how a user (or a bot) moves a mouse in the brief moments before clicking the “I am not a robot” button, according to Vinay Shet, the product manager for Google’s Captcha team.

Without realizing it, humans also drop clues that can establish whether we’re automated or not: IP addresses and cookies show our movements elsewhere on the web and can help prove that we’re not a bad actor.

As it is, reCAPTCHA hasn’t proved infallible.

The image challenge was gamed about a year ago when researchers used Google’s own massive image search database in reverse, finding words to match an image, rather than images to match a word, to help them find images in a reCAPTCHA set that shared a particular characteristic.

More recently, the reCAPTCHA audio challenge purportedly fell, and yet again, it stumbled on one of Google’s own services: this time, it was Google’s speech recognition API.

Then, in January, somebody apparently rigged up a robotic arm using a capacitive stylus to move across a mousepad in that quivery, human-like manner that reCAPTCHA risk analysis uses to help figure out if we’re human.

As sites switch over to invisible reCAPTCHA, most users won’t see CAPTCHAs at all, not even the “I’m not a robot” checkbox. But you can expect to jump through those hoops again if you’re flagged as “suspicious” and the system presents you with the usual challenges.

Will researchers still be able to game invisible reCAPTCHAs now that they’ve slipped out of view? Time will tell, but here’s hoping they can’t. If researchers fail to game Invisible reCAPTCHAs, it hopefully means that bot masters can’t, either.

And stopping bots is, of course, the ultimate goal.

Bots tirelessly work to harvest email addresses from contact or guestbook pages, scrape sites and reuse the content without permission on automatically generated doorway pages, take part in Distributed Denial of Service (DDoS) attacks, and automatically try to log into sites with reused passwords ripped off from breaches.

Hopefully, Invisible reCAPTCHA is going to prove tougher to game than previous reCAPTCHA iterations, and present a high enough hurdle that bots fall flat on their bot faces.


Meh… Just record a real person doing something and replay with slight variations if necessary. Should be easily subversive.


The captcha tricks mentioned in this article never bothered me as much as having to reproduce what was essentially undecipherable text.


I’m curious about whether their initial data sampling included people that use screen readers (like JAWS), magnifiers (ZoomText), head/eye tracking hardware & software, virtual keyboards (like Windows’ On-Screen Keyboard), auto-type functionality of password mangers, and even things like eye-blink input devices.

There is a whole world of legitimate internet users out there that likely fall well outside of the preconceived “standard user model” that most companies use.

True, this is Google, but they’re not infallible either.


Strange thing: ever since the “Invisible reCAPTCHA” rollout, all I ever get is multiple pictire challenges.


Will it stop the biggest scraper company? Nice thing for Google to stop other bot crawlers, so they wouldn’t intervene with their own scraping…


No need for CAPTCHA for that. Googlebot will respect robots.txt, and the noindex and nofollow attributes. There is no commercial sense in Google indexing sites that don’t want to be indexed, which is why there’s such a thing as the Deep Web (and a search engine called MEMEX to search it).


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!