Skip to content
Naked Security Naked Security

Google’s stealthy reCAPTCHA v3 detects humans – no questions asked

After 20 years of waiting you'll no longer feel your will to live drain away as you solve tedious visual puzzles. Maybe.

After 20 years of impertinently asking web users to prove they’re human beings, Google thinks it has finally worked out how to rid the web of CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) forever.
Called reCAPTCHA v3, it’s an API that claims it can model a website’s interaction with users so well that it will never need to ask anyone to tick a box let alone drain their will to live by solving a tedious visual puzzle that keeps repeating itself.
Instead, it will risk-score each visitor from 0.0 (bad) to 1.0 (good), passing that score back to the website owner to decide how to react.
Google hasn’t explained how it arrives at the score (presumably to make it harder to game) but the implication is that once it has modelled each site’s visitor traffic, humans should score 1.0 or thereabouts and be allowed through without interruption.
As far as the visitor is concerned, nothing will have happened. They will log in as if there were no CAPTCHA at all bar the logo telling them it’s running.
Anything below a threshold chosen by the site owner, say 0.7, and the website can block or restrict access to certain parts of the site or ask for additional verification by implementing an “action” tag to pages.

Not now Google

Websites have long been plagued by bots that scrape email addresses and content, post spam and, more recently, try to brute-force user passwords on a huge scale.
The fight back began in the early 2000s through the CAPTCHA, which made visitors decipher squiggly text.
It was universally hated.
A version called reCAPTCHA was bought by Google in 2009, which turned it into a free service for websites and added more complicated visual puzzles for visitors to solve – that’s where the “select all images with a street sign” puzzle squares originated.
Visitors still hated it. Worse, bots and scammers eventually hit on simple ways to beat it including paying real humans to fill in the CAPTCHAs.
In 2014, reCAPTCHA v2 went live and the “I’m not a robot” click box was born with the claimed innovation that it studied the user’s “entire engagement” with the website to separate friend from foe.
Finally, in 2016, Google announced “invisible” reCAPTCHA, the first appearance of the technology that turned into reCAPTCHA v3 this week.

There are two advances here – more sophisticated background bot detection courtesy of Google’s magic cloud and a lot more control for website owners as to how they fine-tune Google’s API.
From the point of view of the website visitor, v3 means that CAPTCHAs have gone from interactive tests to click boxes to – Google promises – something they shouldn’t even be aware of.
However, as far as the website owner is concerned, there’s a lot more going on here.
Until now, implementing CAPTCHA was a case of taking it as one size fits all.
Website owners now have to define their scoring thresholds for different parts of a site (login, social, payment), which might include transaction histories and use profile culled from non-Google data.
Google says that you can even…

…use the reCAPTCHA score as one of the signals to train your machine learning model to fight abuse.

(You do have one of those, right?)
These changes make this as much a cultural change as a technical one: website owners must learn to own their bot traffic and not simply outsource the problem to a third party. Developers have been warned.


I reckon Google’s jumped the shark on this one. They’ve created something more nuanced and sophisticated and removed the really, really useful part.
They’ve gone from offering a component that makes the yes/no/maybe decision for you, and then takes action if it’s a “maybe” by showing those pictures of road signs and cars etc, to an API that gives you a score and asks you to do that *really difficult* stuff instead.
Anyone who’s good at that really difficult stuff will think this is great, but they were the ones who were best placed to cope without it.


“Anyone who’s good at that really difficult stuff will think this is great”
Nope, because if you’re really good at it they’ll assume you’re deliberately working to defeat captchas, people like gamers have reported that being fast at completing recaptcha will result in them throwing a bunch more problems at you instead of letting you pass to the site. Summary: it’s a complete bastard spawn from hell.
As a privacy conscious gamer who plays ‘Hidden Object Games’ I absolutely loathe these things, Google makes it near impossible to get to some sites.


I think you meant humans get a score of 1.0
Also, how does this capatcha play with noscript and firefox’s tracking protection? Those seem like things that would make the capatcha struggle


Fixed, thanks!
CAPTCHA is typically implemented as 3rd party JavaScript code, so the answer to your question is what it always was: “not well”.


True, but usually with current capatchas I figure out that they are there so I can temporarily enable them. A hidden capatcha could theoretically leave no trace, leaving me even less to work with.


There are other services that provide this service without going through the data sucking portals of google.
Hate Captchas with a passion and actually drop out of sites using it.
Their loss


Looks like a nice idea to make website access easier. Another AI application that works who knows how and no reference to whether the algorthym is unbiased or ethical. For me the elephant in the room is personal data – what data goes to Google to allow this API to work and what happens to that data after the API has finished?


“…drain their will to live by solving a tedious visual puzzle that keeps repeating itself.” I agree with that statement. 100%.


Good ideal with all the scammers out in this world. Computers are controlling other computers as ways to find out ones personal information and use it against you then you will be a victim of a scam!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!