Google this week announced an update to reCAPTCHA, a free service that protects websites from spam and abuse. Google, which until now used to prompt users to confirm whether they were robots is now rolling out reCAPTCHA v3, which is a new system that does not require any user interaction any more – similar to the Invisible reCAPTCHA it rolled out for Android and mobile last year. Now, instead of challenging users to figure out text or images, reCAPTCHA v3 will learn a website’s normal traffic and user behaviour. The update essentially makes it easier for users to log into sites without having to prove they are a real human being every time.
First introduced over 10 years ago, Google’s reCAPTCHA v1 used to ask users to pass a challenge by reading distorted text and typing into a box. When the company launched reCAPTCHA v2, it used some other signals to determine whether a request came from a human or bot. However, now with reCAPTCHA v3, Google claims that it is changing “how sites can test for human vs bot activities.” It will use a new technology that returns a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all.
reCAPTCHA v3, Google said in a blog post, runs adaptive risk analysis in the background to alert webmasters of suspicious traffic. In reCAPTCHA v3, Google is also introducing a new concept called ‘Action’. It is a tag that developers can use to define the key steps of user’s journey and enable reCAPTCHA to run its risk analysis in context.
Notably, since reCAPTCHA v3 does not interrupt users, Google recommends adding reCAPTCHA v3 to several pages. Wei Liu, Google Product Manager, explains in the blog post, “The reCAPTCHA adaptive risk analysis engine can identify the pattern of attackers more accurately by looking at the activities across different pages on your website. In the reCAPTCHA admin console, you can get a full overview of reCAPTCHA score distribution and a breakdown for the stats of the top 10 actions on your site, to help you identify which exact pages are being targeted by bots and how suspicious the traffic was on those pages.”
Another good news is that reCAPTCHA v3 API is more customisable and offers flexibility to prevent spam and abuse in the way that best fits websites. Prior to this, reCAPTCHA usually decided when and what CAPTCHAs to serve to users. Now, reCAPTCHA v3 will provide you with a score that tells you how suspicious an interaction is.
You can use the score in three ways on your site. You can set a threshold that determines when a user is let through or when further verification needs to be done. You can also combine the score with your own signals that reCAPTCHA can’t access, such as user profiles or transaction histories. Additionally, you can use the reCAPTCHA score as one of the signals to train your machine learning model to fight abuse.