How does Google's reCAPTCHA v3 work?

Google has rolled out reCAPTCHA v3. It does away with all the user friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?

Chong Lip Phang asked Jul 04 '18 10:07
2 Answers

How is reCAPTCHA v3 going to stop [Spam]?

There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.

What if a hacker spams the URLs on my site with an external tool without using the interface I provide?

Google generates a token for the client when they pass the checks which you have to validate on the serverside. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.

Jonas Wilms answered Oct 20 '22 10:10
In addition to the user behavior tracking on your site (as explained by Jonas Wilms), v3 (and v2) also makes decisions based on your IP, ASN, browser and any other information about your system that is sent via your HTTP request.

The only difference is that v2 is a complete solution, i.e., if it thinks a user may be a bot, it will pose additional challenges until it is convinced the user is a human. On the other hand, v3 is non-intrusive. It generates a score based on the parameters discussed above and passes it on to you. It is then your decision to take appropriate steps (like posing challenges, or having two-factor authentication, etc.) based on this score.

IMO, it is better to start with a v2 solution and implement v3 if you want more control or have a better way to challenge the user if they have a low score.

(Here is an interesting article on the differences)

nitarshs answered Oct 20 '22 09:10
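The following is an added example, not code from either answer above. It shows the server-side half that both answers describe: Jonas Wilms' point that the token the browser obtains must be validated on the server (a request that arrives with no token, or with a forged or reused one, gets nothing), and nitarshs' point that v3 only hands you a score and the decision policy is yours. It assumes Node.js 18 or later (global fetch) and uses the documented siteverify reply fields (success, score, action, challenge_ts, hostname, error-codes). The action names, hostname, score thresholds and sample replies are constructed for illustration.

```javascript
// Added example: server-side handling of a reCAPTCHA v3 token (not from the answers above).
// The browser attaches the token to the form; the server POSTs it to siteverify and acts
// on the JSON reply. Nothing the client sends is trusted until that round trip completes.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const TOKEN_MAX_AGE_SECONDS = 120; // v3 tokens are valid for two minutes

// Per-action score policy (assumed thresholds, not Google's): scores below `block` are
// rejected, scores below `challenge` get a v2 checkbox or a second factor, the rest pass.
const POLICY = {
  login:   { block: 0.3, challenge: 0.7 },
  signup:  { block: 0.5, challenge: 0.8 },
  comment: { block: 0.3, challenge: 0.5 },
};

function scoreToDecision(score, action) {
  const p = POLICY[action];
  if (!p) return 'block';                 // unknown action: fail closed
  if (score < p.block) return 'block';
  if (score < p.challenge) return 'challenge';
  return 'allow';
}

// Evaluate a siteverify reply. `expected` carries the action this form is supposed to
// submit and the hostname the site key is bound to; `now` is injectable for testing.
function evaluateSiteverify(reply, expected, now = Date.now()) {
  if (!reply || reply.success !== true) {
    // Bad secret, forged token, or a replayed/expired one ("timeout-or-duplicate").
    return { decision: 'block', reason: 'invalid-token', errors: reply?.['error-codes'] ?? [] };
  }
  // A token minted for one action or one site must not be accepted for another.
  if (reply.action !== expected.action) return { decision: 'block', reason: 'action-mismatch' };
  if (reply.hostname !== expected.hostname) return { decision: 'block', reason: 'hostname-mismatch' };
  // siteverify already rejects stale tokens; checking challenge_ts is belt and braces.
  const ageSeconds = (now - Date.parse(reply.challenge_ts)) / 1000;
  if (!(ageSeconds >= 0 && ageSeconds <= TOKEN_MAX_AGE_SECONDS)) {
    return { decision: 'block', reason: 'stale-token' };
  }
  if (typeof reply.score !== 'number') return { decision: 'block', reason: 'missing-score' };
  return { decision: scoreToDecision(reply.score, expected.action), reason: 'score', score: reply.score };
}

// Full round trip. `fetchImpl` is injectable so the logic can be exercised offline.
async function verifyRecaptcha(secret, token, expected, remoteIp, fetchImpl = globalThis.fetch) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, { method: 'POST', body });
  return evaluateSiteverify(await res.json(), expected);
}

// Constructed sample replies (not real siteverify output), evaluated at a fixed "now".
const NOW = Date.parse('2018-07-04T10:07:30Z');
const SAMPLE_GOOD = { success: true, score: 0.9, action: 'login',
                      challenge_ts: '2018-07-04T10:07:00Z', hostname: 'example.com' };
const SAMPLE_LOW = { ...SAMPLE_GOOD, score: 0.4 };              // human-ish but not convincing
const SAMPLE_REPLAY = { ...SAMPLE_GOOD, action: 'comment' };    // token minted for another form
const SAMPLE_REUSED = { success: false, 'error-codes': ['timeout-or-duplicate'] };

function demo() {
  const expected = { action: 'login', hostname: 'example.com' };
  return {
    good:   evaluateSiteverify(SAMPLE_GOOD, expected, NOW).decision,   // allow
    low:    evaluateSiteverify(SAMPLE_LOW, expected, NOW).decision,    // challenge
    replay: evaluateSiteverify(SAMPLE_REPLAY, expected, NOW).reason,   // action-mismatch
    reused: evaluateSiteverify(SAMPLE_REUSED, expected, NOW).reason,   // invalid-token
  };
}

if (typeof module !== 'undefined' && require.main === module) console.log(demo());
```

Two practical notes. A tool that hits your URLs directly never executes the reCAPTCHA script, so it has no token and the first check rejects it; the remaining checks matter for the attacker who drives a real browser to mint tokens and then replays them, which is why the action, hostname and single-use semantics are verified rather than just `success`. The thresholds per action are the part nitarshs says is left to you: pick them per form, log the scores for a while before enforcing, and fail closed for any action name you did not register.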