The reCAPTCHA Enterprise pricing is like "first 1 million free, then $1 per 1,000 verifications".
Does that pricing include failed verifications? Like, can an attacker feed random values to a server repeatedly (all of which will fail) and rack up huge verification costs?
What about if they submit the same legit-but-old payload?
reCAPTCHA Enterprise works to detect automated attacks, as you mentioned, and also to differentiate between humans and bots, and you will be charged on a monthly basis for each call you make to create an assessment.
You can find the cost details in the following public doc. reCAPTCHA Enterprise is used to protect your site from spam and other types of malicious activity. Keep in mind that reCAPTCHA Enterprise returns a score from 0.0 through 1.0, and based on that score you can determine the next steps to take for the user.
In this link you can find how reCAPTCHA Enterprise works. Also, you can use cloud login to analyze this traffic and take the proper action.
The answer is yes: they charge for each assessment call. Theoretically, someone who wants to cost you money can rack up a lot of charges, although you can add some countermeasures.
You'll want to develop a reputation score per IP address where if you get multiple failures from a given IP, you'll auto-fail for some amount of time without calling to the API.
You'll also want to develop a cache that hashes the challenge/payload and looks it up in cache to see if you've already seen it, and if so, to deny future identical requests.
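A sketch of both countermeasures from the answer above in one gate, as an added example that is not part of the original answer or Google's own code. The `assess` callable stands in for the billed create-assessment call, and the thresholds, the class name and the choice to count a replay as a failure are assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque


class AssessmentGate:
    """Decides whether a request is worth a billed assessment call."""

    def __init__(self, assess, max_failures=3, window=300, block_for=600,
                 token_ttl=3600, clock=time.monotonic):
        self.assess = assess            # hypothetical: token -> bool (the billed call)
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.block_for = block_for      # seconds an IP is auto-failed once blocked
        self.token_ttl = token_ttl      # seconds a payload hash is remembered
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block lifts
        self.seen = {}                      # sha256(token) -> expiry time
        self.billed_calls = 0

    def _record_failure(self, ip, now):
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()

    def check(self, ip, token):
        now = self.clock()
        if self.blocked_until.get(ip, 0) > now:
            return False                    # auto-fail: no API call, no charge
        # Store a hash rather than the payload so the cache stays small.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.seen = {d: exp for d, exp in self.seen.items() if exp > now}
        if digest in self.seen:
            self._record_failure(ip, now)   # assumption: a replay counts as a failure
            return False                    # identical payload: no API call
        self.seen[digest] = now + self.token_ttl
        self.billed_calls += 1
        passed = self.assess(token)
        if not passed:
            self._record_failure(ip, now)
        return passed
```

With more than one web server, the two dictionaries would need to live in a shared store so that every instance sees the same counters and hashes.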