Google's reCaptcha v3 does away with puzzles that humans need to solve

Google has released the newest version of its take on CAPTCHA, the puzzle that humans need to solve on some pages to tell a website they're not a bot. 

CAPTCHA, or the Completely Automated Turing test to tell Computers and Humans Apart, relies on human’s ability to solve visual puzzles, like blurry text or in Google's version of it Street View addresses, so that websites can filter out bots.    

Since Google acquired reCAPTCHA in 2009, it has undergone several major updates, the latest of which doesn’t require humans solve a puzzle, but merely check a box that says “I’m not a robot”. 

ReCAPTCHA v1 demanded users read distorted text and type it into a box, which helped the company digitize book and newspaper archives.

ReCAPTCHA v2 introduced other signals to analyze the risk of a site visitor being a bot. This allowed Google to only require about half of users having to solve a puzzle. 

ReCAPTCHA v3, announced today, takes this a step further by giving site owners a risk-based score that says how dodgy or not a visitor is, and effectively does away with puzzles or challenges altogether.

Google claims the ReCAPTCHA v3 will give a site’s users a “frictionless experience”, meaning owners can and are recommended to add ReCAPTCHA v3 to multiple pages rather than just one.    

“The reCAPTCHA adaptive risk analysis engine can identify the pattern of attackers more accurately by looking at the activities across different pages on your website,” Google told webmasters in a blogpost. 

Because it is score-based and doesn’t rely on barriers to tell humans from bots, using it across multiple pages shouldn’t harm a site’s conversion rate when attempting to sign up new subscribers. 

Site owners can then look at the reCAPTCHA admin console to see a score distribution and a summary of the top 10 actions users — or bots — took on the site. A score of 1.0 is most likely a human, while 0.0 is most probably a bot. 

This in turn will allow owners to see what precise pages have been targeted by bots and assess how suspicious the traffic on those pages was. 

The advantage of using scores is that site owners can now use that information to select what obstacles they want to put up rather than having Google select the action for them as was the case with v2. 

Site owners can set a threshold score that, for example, lets a visitor through without any action. If a set threshold is passed, a site owner could require the visitor uses two-factor authentication or a phone notification for verification. By default, Google sets the threshold at 0.5. 

Site owners can also use the reCAPTCHA scores in conjunction with their own data, such as user profiles or transaction histories, to decide an appropriate strategy. And they can use the reCAPTCHA scores to train their own anti-bot machine learning model.        

reCAPTCHA v3 introduces the concept of “Actions” to pages with reCAPTCHA on them. Sites can pick an action name on pages they run reCAPTCHA, which provides the breakdown of top 10 actions in the admin console, and have a risk analysis based on the context of a generic action. 

“By providing you with these new ways to customize the actions that occur for different types of traffic, this new version lets you protect your site against bots and improve your user experience based on your website’s specific needs,” Google notes.