TehnoBlog.org

Google no Captcha + INVISIBLE reCaptcha – First Experience Results Review

Google reCaptcha Logo

Article Updated: 2019 Mar 10

This article has received multiple updates since its original publication back in 2015. It tries to keep the sections in a logical order as much as possible, but some sections may overlap. Use the table of contents below to quickly locate the section you want.

2015: GOOGLE noCAPTCHA reCAPTCHA

Google recently introduced a new anti-bot verification system called “No Captcha reCaptcha” that is meant to address two major issues with the old system. How does it perform? Read on to find out.

Google no Captcha reCaptcha Anti-Bot Anti-Spam Protection

Google reCaptcha is history. Or is it, really? The trouble with reCaptcha is the very fact that it may drive users to the extreme edge of sanity. The distorted text is sometimes too hard to read, and even if your eyesight and judgement are crystal sharp, you’ll at least once stumble onto a pattern that is ambiguous and impossible to decipher with 100% certainty.

Google no Captcha reCaptcha Anti-Bot Anti-Spam Protection Animation

But wait, this was not the main issue with reCaptcha protection. Artificial intelligence and the age of the system gave the dark architects inside the Matrix enough time to analyze it, study it, decompose it and finally crack it. Today Google admits that AI can solve and bypass the old reCaptcha v1.0 API with over 99% accuracy! So much for the term ‘anti-spam protection’.

Google no Captcha reCaptcha Second Layer Verification Protection

And, is the new captcha a complete redesign or just a facelift front-end for the old reCaptcha system? After all, it still holds the reCaptcha brand and logo.

MEET THE NEW CAPTCHA: no CAPTCHA

With the above issues in mind, Google engineers started their magical work in Google Land on a new system that would be friendlier to end users (that is, us humans) and still hard to crack for bot scripts (artificial intelligence, a.k.a. computers).

The no CAPTCHA reCAPTCHA API may look extremely simple and easy from the front-end. However, behind the simple checkbox resides a high degree of sophistication and complexity in the back-end. To ensure a better experience for end users, Google started working on a new top-secret project last year and developed an Advanced Risk Analysis backend for reCAPTCHA that thoroughly scans the user’s entire engagement with the CAPTCHA to determine whether the user is a human or a robot.

So, I’ve implemented the new API in one of my projects (advice: you need to regenerate new API keys at https://www.google.com/recaptcha/admin; otherwise, if you use the old keys, it will stop working and throw an error in your application’s log) and here are my first impressions:

The No Captcha system consists of two layers of protection:

1a) A single checkbox which users have to click with their pointing device (usually a mouse or touchpad)

1b) or, on mobile devices with touchscreens, an alternative version where the user selects the proper image

Google no Captcha For Mobile Devices

2) If the first layer of protection is not passed or the result is ambiguous, the user is presented with the traditional two-word distorted text that has to be filled in by typing the proper letter sequence.

Now, here comes my first doubt: the checkbox verification is not reliable at all in my own experience. The second layer of verification pops up too frequently (as it cannot reliably determine that I am not a robot), which defeats the purpose of simplifying the system in the first place.

My second doubt is about the traditional second-layer verification: if the standard text-based captcha is broken by Google’s own admission, why is it part of the new captcha protection at all? It is a little self-contradictory. I wonder why they do not replace the traditional text input with at least an image matching system?

GOOGLE reCAPTCHA ANALYTICS

The new reCaptcha also offers spam traffic and passed/failed captcha charts, so that you can get overall insight into how heavily your website is or was hit, and how much of the traffic was filtered. The results below are just examples; during development of our protection scripts we simulated a lot of failed or incomplete captcha submissions.

reCaptcha Analytics – Relative Spam Index


reCaptcha Analytics – Requests Passed & Failed

Keep in mind that you will need at least several hundred failed and completed captcha requests per day to pass the “minimum traffic” requirement before any statistics are displayed in your captcha administration dashboard at all.


In case of a problem, for example when your users pass the reCaptcha test but your website or app fails to verify them, you will see the following notification above your analytics chart:

We detected that your site is verifying reCAPTCHA passed solutions less than 50% of the time. This could indicate a problem with your integration with reCAPTCHA. Please see our developer site for more information.

reCaptcha Analytics – Requests Passed & Failed Warning

This happens if you have issues with response verification at a later stage, e.g. your own website fails to properly process the response returned from Google when the reCaptcha test actually passes. This can happen for various reasons. For example, when you use reCaptcha on your server as a top layer to verify users coming from dirty IPs known for spamming activity. In our case it was caused by a small analytics script which was sending a response to the server before the captcha was fully processed on the server, causing our server to respond with a premature 403 Access Forbidden status, and eventually blocking all such users from access, even when they passed the actual captcha test. We solved it by removing the offending JS code, replacing it with our own simple internal statistics tracking of failed and passed captchas instead.

Our only regret is that Google (for the time being) does not send this important notification directly to the mailbox of the account used for reCaptcha registration, as we don’t actually hang out in the reCaptcha Admin Dashboard every day. Otherwise, it would have raised a flag and brought the problem to our attention much earlier.

GOOGLE noCAPTCHA reCAPTCHA RESPONSIVE DESIGN

Article update note: do not use this for INVISIBLE reCaptcha.

Google noCaptcha reCaptcha is not officially responsive, yet. (Damn it, Google! Come on, you can do it!)

First option

You can use some CSS hacks to make it kind of responsive. Inside your HTML page layout / form you should already have something like this:

<div class="g-recaptcha" data-sitekey="XXXXXXX" data-theme="light" data-size="normal"></div>

and inside your CSS you can put this style code:

.g-recaptcha>div>div{
  width:100% !important;
  max-width:302px;
  overflow:hidden;
  padding:0;
  border-top:1px solid #D3D3D3;
  border-right:1px solid #D3D3D3;
  -webkit-border-radius:4px;
  -moz-border-radius:4px;
  border-radius:4px;
  -webkit-box-shadow:2px 0px 4px -1px rgba(0,0,0,.08);
  -moz-box-shadow:2px 0px 4px -1px rgba(0,0,0,.08);
  box-shadow:2px 0px 4px -1px rgba(0,0,0,.08);
}

.g-recaptcha iframe{width:100%;height:100%;}

This will work fine in practically all modern browsers. The only drawback is that the right side of the captcha (where the terms & logo appear) will be slightly cut off on 320px wide screens, but not by much. Most importantly, it will not break your page’s responsiveness.

Second option

If you don’t mind the square-like appearance of the captcha box, you may use the compact mode like this:

<div class="g-recaptcha" data-sitekey="XXXXXXX" data-theme="light" data-size="compact"></div>

This will fit on any screen, even one just 160px wide. Still, the bottom part does not hold any important information besides the logo etc., so you can go with the first option anyway.

Third option

We found an interesting solution using CSS3 transform here:

<style>
@media (max-width:360px) {
  #rc-imageselect, .g-recaptcha {
    -webkit-transform:scale(0.7);
       -moz-transform:scale(0.7);
        -ms-transform:scale(0.7);
         -o-transform:scale(0.7);
            transform:scale(0.7);
    -webkit-transform-origin:0 0;
       -moz-transform-origin:0 0;
        -ms-transform-origin:0 0;
         -o-transform-origin:0 0;
            transform-origin:0 0;
  }
}
</style>

Notes

You can experiment with the scale factor (from 0.00 to 1.00) and scale the reCaptcha down to best fit your design. You can even scale it up if you like, but that’s highly unlikely to be needed.

We also used max-width instead of max-height as in the original version, but you can experiment with that CSS rule as well.

GOOGLE reCaptcha OPERA MINI ISSUES

Originally posted on January, 2015 – no longer true

You will always see the second-layer verification if you use Google Chrome’s Incognito mode, which does not permanently store cookies. In case you have a browser with only partial JavaScript support, like Opera Mini or the ancient stock browsers on non-smart phones, you will be presented with a copy/paste captcha form and a unique, long random-character string (however, no matter how many times we tried, we could not make Opera Mini copy and paste that code; something needs to be fixed either on the captcha or the Opera Mini side, or both).

UPDATE (April, 2015)

It seems that since our initial review, Google has finally started replacing the 2nd-layer reCaptcha verification with image/pattern match selectors. This is a great step forward! Also, on Opera Mini, instead of the long, random, confusing copy/paste captcha strings that didn’t work at all in our case, a traditional reCaptcha is now shown, but on older feature (non-smart) phones there is still one issue remaining: small images. We could not register on our test setup with an older phone (like the Sony Ericsson W880), simply because the letters were too small and there is no zoom mode that would let us see the pattern clearly. We finally gave up after 4 trials.

UPDATE (December, 2015)

Opera Mini issues in Extreme mode are still unresolved. The noscript fallback of noCaptcha continuously returns the user to solve new image captchas, and this loop seems infinite. This is a pity, because Opera Mini still holds a strong market share in selected regions.

Google reCaptcha noCaptcha – noscript support in Opera Mini (click to enlarge)

Opera Mini in portrait mode (tested with versions 11 and 13 on Android in Extreme mode) does not load the entire captcha image on 320×480 pixel screens (see the image above). In landscape mode the entire captcha is “properly” shown (albeit with shifted checkbox coordinates), but the problem of solving it still remains.

UPDATE (July, 2016)

Opera Mini (latest version 15 currently tested) is officially no longer supported by Google NO CAPTCHA! Instead of the earlier “low-fi” captcha versions, a new message is now displayed:

Google NoCaptcha reCaptcha and Opera Mini (v15) Support

Please upgrade to a supported browser to get a reCAPTCHA challenge.

The only solutions left for Opera Mini and reCaptcha are:

  1. to either bypass the captcha for verified Opera Mini users (coming from Opera Mini proxy servers) or check the User-Agent string to detect them (which can be challenging or not completely possible)
  2. or to instruct them to switch to the High data savings mode (at least temporarily)
  3. or to use supported mobile browsers (Android Stock Browser 4.0+, Chrome, Firefox, Safari)

We assume that a similar fate awaits other older browsers like the abandoned Android Stock Browser, older Safari/iOS and Chrome versions, and 3rd-party browsers as well.

2017: INVISIBLE reCAPTCHA

2017 update: Google introduced INVISIBLE reCAPTCHA (see live demo)! From what we’ve seen so far, it is just a top layer over the current noCaptcha v2.0 API, giving you the option to bind the captcha directly to the form’s submit element, which provides an additional layer of comfort to the end user (reducing the so-called user experience / interaction friction) if it is not a bot.

Invisible captchas, both as a concept and as a design solution, are nothing new or exclusive to Google. The first ideas were hidden extra form fields, which were usually filled in by dumb bots but skipped by humans. However, with advancements in bot technology those quickly became obsolete, as bots learned to look at the CSS rules first, and later even to execute JavaScript. Newer invisible captcha systems were deployed by independent developers, and now the idea has travelled its way up to Google’s offices.

Google INVISIBLE reCaptcha – Inline Badge Display

Invisible Captcha inherently requires a JavaScript-enabled browser. It will not work without one, and some legitimate users (mind you, their percentage is shrinking every day) will be cut off from engaging with your forms and website(s). This also affects Opera Mini, as it does not support real-time JS execution.

Google finally rolled out the INVISIBLE captcha production version in March 2017. It is nothing revolutionary in terms of behind-the-scenes technology, but rather just a simple on-top implementation layer. Nothing has changed in the background on your server side or in the captcha’s response protocol.

For example, the old noCaptcha was implemented as an additional input inside the protected form, while now it is bound directly to the form’s submit button. The most complicated part of upgrading will be figuring out how to add the callback JavaScript code that does the verification magic in the background, plus a few small changes to your form’s submit button.

GOOGLE INVISIBLE reCAPTCHA RESPONSIVE DESIGN

Well, Invisible reCaptcha does not generally need any responsive tweaks, simply because there is no longer a checkbox that users actually have to click. The second reason is that even if you use the inline badge display option, it is only 256 pixels wide, which fits perfectly on any modern mobile device screen.

However, if you wish to hide (effectively disable) horizontal scrolling on very narrow screens, you can simply set this in your CSS file (notice the different class selector for the invisible captcha):

.inv-recaptcha-holder{overflow:hidden;}

CAN YOU HIDE INVISIBLE reCAPTCHA BADGE?

reCaptcha v2.0 API Badge

Unfortunately, INVISIBLE captcha v2.0 is not exactly invisible. Do we really need the reCaptcha badge? As per Google’s requirements, the Privacy & Terms badge must be included on every page that is protected by this system. If you dreamed about completely invisible spam protection, well… you’ll have to keep dreaming. Given that GDPR rolled out recently in the EU, it will probably never happen! Until Google lowers this requirement and, say, lets you simply place the captcha privacy policy and terms somewhere in the footer of the page, or just mention them in the existing privacy policy & terms pages of your app or website, you’ll have to live with the compromise and either show the badge inline, or as a fixed-positioned element at the bottom left or bottom right.

In inline mode you can style it with custom CSS rules, which means you will probably be tempted to apply this style:

.grecaptcha-badge{display:none!important;}

to completely hide it. Not! This will break the captcha challenge, and your form will be instantly submitted without a proper captcha response from Google.

A better alternative is to hide it with visibility, but that will leave an empty space (relative or absolute positioning with zero width and height could solve this):

.grecaptcha-badge{visibility:hidden;}

Another problem that we’ve noticed is that if you use multiple captchas on a page (say, you have more than one form), the bottomright/bottomleft badges will be multiplied and stacked one over another. When you hover over one, the second one will still be behind it, semi-transparent. Not very nice.

Bottom line, learn to live with it.

reCaptcha v3.0 API Badge

Google now officially allows hiding the reCaptcha badge IF AND ONLY IF you post this text below the submit/sign-in/registration/comment/etc. form (more information here).

INVISIBLE reCAPTCHA CONCLUSION (2017)

Note: this conclusion was originally written back in 2017 for Invisible reCaptcha v2.0.

All other talk aside, strictly speaking from our own experience, reCaptcha does seem to work great 99.9% of the time. After Google’s initial implementation and several upgrades to the existing system (removing the old text-based 2nd-layer verification, upgrading to the image/pattern recognition technique, introducing a time limit, introducing the continuous/“infinite” captcha verification mode), reCaptcha has evolved into a really robust platform for the time being.

Not to be underestimated either: Google owns several prominent platforms (Android, Chrome, Chromium OS) where real, human users are usually already signed up and signed in, and their tracking greatly simplifies reliable spam prevention and human/bot verification.

By constantly analyzing human behavior, mouse movements, typing speed or whatever “magic” they have incorporated into the NO CAPTCHA technology, Google has apparently already collected enough sample data to fine-tune its latest invention.

2018: INVISIBLE reCAPTCHA 3.0: Truly Invisible!

2018 update: After a relatively brief public beta testing period, Google officially announced INVISIBLE reCaptcha API version 3.0 (v3), which introduced AI/ML probability scores [1] [2] as well as hostname, timestamp and action validation. It is relatively easy to upgrade your existing v2 reCaptcha implementation (if you used the standard/basic implementation in v2.0), adding additional security layers and lowering the chance of bots passing through, with greatly reduced user friction.

Google reCaptcha v3.0 API Score Distribution Chart Example

Apparently, Google feels confident enough with the vast amount of data gathered from previous reCaptcha iterations to remove the currently annoying image recognition verification and instead offer a direct score which evaluates the visitor as a human or a bot. However, reCaptcha v3.0 is not going to replace v2.0 anytime soon (according to Google), so don’t worry if you still use the older API.

You might be asking why Google is suddenly moving away from the image verification algorithm? Isn’t it the ultimate test that bots cannot pass or break? Actually, no! Computer vision / AI (artificial intelligence) algorithms are now getting so advanced that they can even recognize tiny objects in an image that our grandma couldn’t without a magnifying glass! Take a look at this TensorFlow example. Of course, they are still far from efficient in terms of computer resources and speed, but that day isn’t as far away as you might think.

Keep in mind that, in our opinion, version 3.0 would not be possible without co-existing with version 2.0, since v2.0 is still the golden benchmark of human interaction (despite possible vulnerabilities; read further below) which “feeds” the newer version with high-confidence data.

How Does Invisible reCaptcha v3.0 Work?

reCaptcha v3.0 does not show anything to the user! There is no challenge to select specified objects in images like in the older APIs. Instead, it returns a probability score between 0.0 (100% bot) and 1.0 (100% human) for every action on your website, and it is up to you, the administrator, to decide whether it comes from a bot. How? By manually setting the score threshold in your configuration, since every website is a bit different; if your website is under heavy attack, you can temporarily raise the value, for example to 0.7, or to 0.9 in extreme cases.

There is also a user and asset privacy issue, because the new reCaptcha needs to be implemented site-wide (for example on the homepage, search, product/article pages, login/registration page and so on) in order to closely monitor all relevant actions.

Google Invisible reCaptcha v3.0 Live Demo

See live demo here.

reCaptcha v3.0 Live Demo Testing Tips

If you visit the above demo link from the Google Chrome browser while logged in with your Google Account (e.g. Gmail, YouTube, Google+ etc.), you will most likely receive a high score of 0.9 or so (which means you are not a bot! Hooray!).

However, if you open the above link in a fresh incognito or in-private browsing session, you will receive a very low score of, for example, 0.1 or 0.3 (which means that Google thinks you could be a bot or a risky user with no good intentions). And if Google says that you are a bot, then there is nothing else to do in your life; accept it as a matter of fact and move on. Because if Google says you are a bot, then you are a bot! :)

Another very interesting point is mobile browser apps. What is really peculiar is that when we tried the above demo with the Ghostery app (famous for privacy protection), we received a score of 0.7 without being logged in to any Google services. On the other hand, on the same phone with the Google Chrome app in incognito mode, we received a score of 0.1! Now, the demo page above is not representative (as the disclaimer at the very top of it states) and should not be used to draw any definitive conclusions. Still, interesting.

Google Invisible reCaptcha v3.0 Issues

How do you pass reCaptcha v3.0? As we mentioned in the live demo section above, there is one important downside to this silent spam/bot test system: there is no false-positive fallback and no opportunity for actual humans to prove the system wrong.

In case you receive a low score for whatever reason (e.g. you inherited an IP address that was recently heavily abused by spammers), there is nothing you can do on your end, unless you change your environment (e.g. internet network / IP address / public computer / different phone etc.). That is relatively easy if you are a knowledgeable, tech-oriented individual, but what about the average Joe/Jane? It is not going to be easy for them. User friction can become infinite in individual cases.

One great thing about reCaptcha 2.0 and image verification was the fact that humans could still receive a challenge and a chance to prove they are not bots. There is no such fallback at the moment in reCaptcha 3.0, i.e. if the system thinks you are a bot, then you are a bot, no matter what!

One possible solution is to log in to your Gmail account (any other Google account is essentially tied to Gmail nowadays), and that may fix your problem. Another is to clear your browser cache, set it to accept 3rd-party cookies and try again. Not exactly average-user friendly, but still doable in a way.

It remains to be seen what Google will do about this problem.

Are There Any Good Google reCaptcha Alternatives?

In short: no, not really. Yes, there are hundreds of different captcha systems out there, but none of them is as advanced, user-friendly and simple as the current reCaptcha. Moreover, Google now automatically hides the reCaptcha form for users who are signed in (logged in) to their Google Account(s) and are verified non-spammers.

You may consider several different techniques, such as custom captcha plugins. They work on the same principle of distorted text and numbers as the old Google captcha, but the images (with text and/or numbers) are generated synthetically and a custom level of distortion (ripple, twirl, noise) can be tweaked. Or, maybe you can try your luck with simple custom hidden input form fields, which are effective for a limited time only. Also, various math captcha plugins can be tried, and so on. However, keep in mind that machine learning is so common nowadays, with several open-source libraries readily available, that it is just a matter of time before these systems are broken for good. All that’s required is that someone gets interested in your system, and it’ll be broken in a matter of days at best.

The effectiveness of these other systems is limited by how robust and complex they are, but also keep the user-friendliness factor in mind.

reCaptcha Vulnerabilities

reBreakCaptcha

A clever approach proposed by the guys from East-Ee Security (python script GitHub repository here) used the audio challenge response and Google’s very own speech recognition API to beat and effectively bypass the reCaptcha API 2.0. For the time being this barely works, because the reCaptcha challenge is a bit random and unpredictable, so a completely automated solution still does not exist (at least, publicly).

Actually, beating a captcha via audio is not a new idea. It was done before, and also demonstrated last year by AppSec Labs. The problem for this kind of attack is that it needs a large volume of requests (it is a mix of brute force and clever design; recognition is not always 100% accurate). Also, when Google detects an increased number of requests, reCaptcha starts serving more complicated audio that cannot be easily recognized by the speech API.

Similarly, reCaptcha v2.0 object recognition verification could theoretically be beaten with Google’s own Vision API, which can recognize objects in images and return them to the end user (the attacker, in this case). The problem is that using this API is prohibitively expensive for massive attack campaigns, and, similarly to the speech recognition above, images get progressively more difficult once brute force is detected (e.g. objects are harder to distinguish, random noise is added to the images, recognition sequences become longer and so on).

But this might be the key vulnerability of the entire system: beaten by its own weapon. It remains to be seen what Google will do about it.

Will reCaptcha Actually 100% Prevent SPAM?

Yes and no. We really dream of a spam-free world; hopefully it will become a reality one day. There are some serious arguments that the no Captcha system does not bring anything BIG and just simplifies the front-end for the end user: effectively, it keeps a whitelist of good-behaviour, non-spam activity history per user/device/account/IP address, recorded and stored in cookies, sessions and private database records on Google servers.

Another problem is human-hybrid spamming activity. For $1 per hour you may hire someone from a 3rd-world country to solve your captcha puzzles almost for free. There is no medicine against such a virus.

Finally, OCR (Optical Character Recognition) and pattern recognition, artificial intelligence and machine learning algorithms are continuously evolving. And no, not because of spamming activity, but because of medical research, space exploration, general societal advancement etc. Those fields rely on highly automated systems that can mimic human pattern recognition capabilities and behavior, and may even surpass them in the future, which in return can lead to new breakthroughs in those fields.

Again, this is an infinite race against spammers and spam, just as the square checkbox symbolically morphs its shape into a circle in the noCaptcha reCaptcha.

Beyond Google Invisible Captcha

Eventually, all current captcha systems will become obsolete. As machines and artificial intelligence continue to develop and grow, getting smarter and more capable of emulating humans (at least online, in the digital realm), it will be harder to determine who is human and who is a bot. Think about Alan Turing’s famous studies (e.g. the 1950 paper “Computing Machinery and Intelligence”) or Blade Runner and Ex Machina, if you are more into Hollywood sci-fi.

One way to solve it would be through some ‘human certification’ procedure. What that would look like without compromising the individual’s privacy, we can’t really imagine or explain right now.

However, when it comes to spam posts and messages (at least), analyzing content will be the only solution that can keep your assets and business clean. In that regard, artificial intelligence and machine learning can be of great help, but keep that cat & mouse analogy in mind, as the other side can and will (ab)use it as well.