Google no Captcha + INVISIBLE reCaptcha – First Experience Results Review

Article Updated: 2019 Mar 10

This article has received multiple updates since its original publishing date back in 2015. It tries to keep sections in logical order as much as possible, but some sections may overlap. Use the Table of Contents listed below to quickly locate a desired section.

2015: GOOGLE noCAPTCHA reCAPTCHA

Google recently introduced a new Anti-Bot verification system called “No Captcha reCaptcha” that should answer two major issues with the old system. How does it perform? Read to find out.

Google no Captcha reCaptcha Anti-Bot Anti-Spam Protection

Google reCaptcha is part of history. Or is it, really? The trouble with reCaptcha is that it may drive users to the extreme edge of sanity. Distorted text is sometimes too hard to read, and even if your eyesight and judgement are crystal sharp, you’ll at least once stumble onto a pattern that is ambiguous and impossible to decipher with 100% certainty.

Google no Captcha reCaptcha Anti-Bot Anti-Spam Protection Animation

But wait, this was not the main issue with reCaptcha protection. Artificial Intelligence and the age of the system gave enough time to the dark architects inside Matrix to analyze it, study it, decompose it and finally crack it. Today Google admits that AI can solve and bypass old reCaptcha v1.0 API with over 99% accuracy! So much is left of the term ‘anti-spam protection’.

Google no Captcha reCaptcha Second Layer Verification Protection

And, is the new captcha a complete redesign or just a facelift front-end for the old reCaptcha system? After all, it still holds the reCaptcha brand and logo.

MEET THE NEW CAPTCHA: no CAPTCHA

With above issues in mind, Google engineers started their magical work in the Google Land working on a new system that will be more friendly to the end users (which are us – humans) and still hard to crack for the bot scripts (artificial intelligence a.k.a. computers).

no CAPTCHA reCAPTCHA API may look extremely simple and easy from front-end. However, behind it resides a high degree of sophistication and complexity involved in the back-end i.e. behind the simple checkbox. To ensure greater experience for end-users Google started working on a new top-secret project last year and developed an Advanced Risk Analysis backend for reCAPTCHA that thoroughly scans the entire engagement of the user with the CAPTCHA to determine whether the user is a human or a robot.

So, I’ve implemented the new API in one of my projects (advice: you need to regenerate new API keys at https://www.google.com/recaptcha/admin; otherwise, if you use old keys, it will stop working and throw an error in your application’s log) and here are my first impressions:

The No Captcha system consists of two layers of protection:

1a) Single check box which users have to click onto with their pointing device (usually a mouse or touchpad)

1b) or in case of mobile devices with touchscreens alternative versions with selecting the proper image

Google no Captcha For Mobile Devices

2) If the first layer of protection is not passed or the results are ambiguous, the user is presented with a traditional two-words distorted text that has to be filled-in by typing the proper letters sequence.

Now, here comes my first doubt: The checkbox verification is not reliable at all in my own experience. The second layer of verification pops-up too frequently (as it cannot reliably determine that I am not a robot), which defeats the purpose of the simplification of the system in the first place.

Second doubt is about traditional second layer verification: if the standard text-based Captcha is broken by Google’s own claims, why is it part of the new Captcha protection at all? It is a little contradictory itself. I wonder why they do not replace traditional text input with at least image matching system?

GOOGLE reCAPTCHA ANALYTICS

New reCaptcha also offers spam traffic and passed/failed captchas charts, so that you can get overall insights into how heavy your website is/was hit, and how much of the traffic was filtered. Below results are just examples, during development of our protection scripts we simulated a lot of failed or incomplete captcha submissions.

reCaptcha Analytics – Relative Spam Index

 

reCaptcha Analytics – Requests Passed & Failed

Keep in mind that you will need at least several 100s of failed and completed captcha requests per day to pass the “minimum traffic” requirement to display any statistics in your captcha administration dashboard at all.


In case of a problem, for example, when your users pass the reCaptcha test, but your website or app fails to verify them, you will see the following notification above your analytics chart:

We detected that your site is verifying reCAPTCHA passed solutions less than 50% of the time. This could indicate a problem with your integration with reCAPTCHA. Please see our developer site for more information.

reCaptcha Analytics – Requests Passed & Failed Warning

This happens if you have issues with response verification at a later stage, e.g. your own website fails to properly process the response returned from Google when the reCaptcha test actually passes. This can happen for various reasons. For example, when you use reCaptcha on your server as a top layer to verify users coming from dirty IPs known for spamming activities. In our case it was caused by a small analytics script which was sending a response to the server before the captcha was fully processed on the server, causing our server to respond with a premature 403 Access Forbidden status, and eventually blocking all such users from access, even when they passed the actual captcha test. We solved it by removing the offending js code and replacing it with our simple internal statistics tracking of failed and passed captchas instead.

Our only regret is that Google (for the time being) does not send this important notification directly into the mail box of account used for reCaptcha registration, as we don’t actually hang out in reCaptcha Admin Dashboard every day. Otherwise, it would have raised the flag and brought the problem to our attention much earlier.

GOOGLE noCAPTCHA reCAPTCHA RESPONSIVE DESIGN

article update note: do not use this for INVISIBLE reCaptcha

Google noCaptcha reCaptcha is not officially responsive, yet. (Damn it, Google! Come on, you can do it!)

First option

You can use some CSS hacks to make it kind-of responsive. Inside your HTML page layout / form you should already have something like this:

<div class="g-recaptcha" data-sitekey="XXXXXXX" data-theme="light" data-size="normal"></div>

and inside your CSS you can put this style code:

.g-recaptcha>div>div{width:100% !important;max-width:302px;overflow:hidden;padding:0;border-top:1px solid #D3D3D3;border-right:1px solid #D3D3D3;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;-webkit-box-shadow:2px 0px 4px -1px rgba(0,0,0,.08);-moz-box-shadow:2px 0px 4px -1px rgba(0,0,0,.08);box-shadow:2px 0px 4px -1px rgba(0,0,0,.08);}

.g-recaptcha iframe{width:100%;height:100%;}

This will work fine for practically all modern browsers, and the only drawback with the above is that the right side of the captcha (where the terms & logo appear) would be cut off a little, but not by much on 320px wide screens. Most importantly, it will not break your page responsiveness.

Second option

If you don’t mind the square-like appearance of the captcha box, you may use the compact mode like this:

<div class="g-recaptcha" data-sitekey="XXXXXXX" data-theme="light" data-size="compact"></div>

This will fit on any screen, even just 160px wide. Still, the bottom does not hold any important information besides logo etc. so you can go with first option, anyway.

Third option

We found an interesting solution using CSS3 transform here:

<style>
@media (max-width:360px) {
  #rc-imageselect, .g-recaptcha {
-webkit-transform:scale(0.7);
   -moz-transform:scale(0.7);
    -ms-transform:scale(0.7);
     -o-transform:scale(0.7);
        transform:scale(0.7);
-webkit-transform-origin:0 0;
   -moz-transform-origin:0 0;
    -ms-transform-origin:0 0;
     -o-transform-origin:0 0;
        transform-origin:0 0;
  }
}
</style>

Notes

You can experiment with scale factor (from 0.00 to 1.00) and scale down reCaptcha size to best fit your design. You can even scale it up, if you like, but that’s highly unlikely.

We also used max-width, instead of max-height like in original version, but you can experiment with that CSS rule, as well.

GOOGLE reCaptcha OPERA MINI ISSUES

Originally posted on January, 2015 – no longer true

You will always see the second layer verification if you use Google Chrome Incognito mode which does not permanently store Cookies, or, in case you have partial javascript browser like Opera Mini and ancient stock browsers on non-smart phones, you will be presented with copy/paste Captcha form and unique long random-characters strings (however, no matter how many times we tried, we could not make Opera Mini copy and paste that code – something needs to be fixed either at Captcha or Opera Mini side – or both).

UPDATE (April, 2015)

It seems that since our initial review, Google now finally started replacing 2nd layer reCaptcha verification with image/pattern match selectors. This is a great step forward! Also, on Opera Mini versions instead of long-random confusing strings copy/paste captcha that didn’t work at all in our case, a traditional reCaptcha is now being shown, but on older featured non-smart phones there is still one issue remaining: small images. We could not register at our test setup with older phone (like Sony-Ericsson W880), simply because the letters were too small and there is no zoom mode so we could clearly see the pattern. We finally gave up after 4 trials.

UPDATE (December, 2015)

Opera Mini issues in Extreme mode are still unresolved. NoScript noCaptcha compatibility continuously returns user to solve the new image captchas, and this loop seems infinite. This is a pity, because Opera Mini still holds some strong market share in selected regions.

Google reCaptcha noCaptcha – noscript support in Opera Mini

Opera Mini in portrait mode (tested with version 11 and 13 on Android in Extreme modes) does not load entire captcha image on 320×480 pixels screens (see above image). In landscape mode entire captcha is “properly” shown (albeit, with shifted coordinates of checkboxes), but the problem of solving it – still remains.

UPDATE (July, 2016)

Opera Mini (latest version 15 currently tested) is officially no longer supported by Google NO CAPTCHA! Instead of earlier “low-fi” captcha versions new message is now being displayed:

Google NoCaptcha reCaptcha and Opera Mini (v15) Support

Please upgrade to a supported browser to get a reCAPTCHA challenge.

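The only solutions left for Opera Mini and reCaptcha are:

  1. to either bypass captcha for verified Opera Mini users (coming from Opera Mini proxy servers) or check the User Agent string to detect them (can be challenging or not completely possible; the User Agent string is sent by the client, so anything can claim to be Opera Mini and a bypass should not rest on it alone)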
  2. or to instruct them to switch to High data savings mode (at least, temporarily)
  3. or use supported mobile browsers (Android Stock Browser 4.0+, Chrome, Firefox, Safari)

We assume that similar fate awaits other older browsers like abandoned Android Stock Browser, older Safari/iOS, Chrome and 3rd party browsers, as well.

2017: INVISIBLE reCAPTCHA

2017. update: Google introduced INVISIBLE reCAPTCHA (see live demo)! From what we’ve seen so far, it is just a top layer over the current noCaptcha v2.0 API, giving you the option to bind captcha directly to the form’s submit element, providing additional layer of comfort to the end user (reducing so-called User Experience / Interaction Friction) if it is not a bot.

Invisible Captchas, both as a concept and as a design solution, are not anything new or exclusive to Google. The first ideas were hidden extra form fields, which were usually filled in by dumb bots but skipped by humans. However, with advancements in bot technology, those quickly became obsolete, as bots learned first to look into CSS rules, and later even to execute JavaScript. Newer invisible captcha systems were deployed by independent developers, and now the idea has traveled its way up to Google’s office.

Google INVISIBLE reCaptcha – Inline Badge Display

Invisible Captcha, inherently, requires JavaScript-enabled browsers. It will not work without it, and some legit users (mind you, their % is shrinking by each and every day), will be cut off from engaging with your forms and website(s). This will also affect Opera Mini browsers, as it does not support real-time js execution/running.

Google finally rolled-out INVISIBLE captcha production version in March 2017, which is nothing revolutionary in terms of behind-the-scenes technology, but rather just a simple on-top implementation layer. Nothing is changed in the background on your server side and captcha’s response protocol.

For example, old noCaptcha was implemented as an additional input inside the protected form, while now it is bound directly to the form’s submit button. The most complicated part of upgrading will be figuring out how to add a callback JavaScript code that’ll do the verification magic in the background, and a few small changes to your form’s submit button.

GOOGLE INVISIBLE reCAPTCHA RESPONSIVE DESIGN

Well, Invisible reCaptcha does not generally need any responsive tweaks in most cases. Simply, because there is no longer checkbox that users actually have to click. Second reason is that even if you use inline badge display option, it’s only 256 pixels wide, which will fit perfectly on any modern mobile device screen.

However, if you wish to hide (effectively disable) horizontal scroll in case of very narrow screens, you can simply set inside your CSS file this (notice the different class selector for invisible captcha):

.inv-recaptcha-holder{overflow:hidden;}

CAN YOU HIDE INVISIBLE reCAPTCHA BADGE?

reCaptcha v2.0 API Badge

Unfortunately, INVISIBLE captcha v2.0 is not exactly invisible. Do we really need reCaptcha Badge? As per Google’s requirements, Privacy & Policy badge must be included on every page that is protected by this system. If you dreamed about completely invisible spam protection, well… you’ll have to keep dreaming. Given the fact that GDPR rolled-out recently in EU, it will probably never happen! Until Google lowers this requirement, and say, you can simply place captcha privacy policy and terms somewhere below in the footer of the page, or just mention them in the existing PP & Terms pages of your app or website, you’ll have to live with the compromise and either show it inline, or as a fixed positioned element on the bottom left or bottom right.

In inline mode you can style it with custom CSS rules, which means that you will probably try to apply:

.grecaptcha-badge{display:none!important;}

style to completely hide it. Not! This will break captcha challenge, and your form will be instantly submitted without proper captcha response from Google.

Better alternative is to hide it with visibility, but it will leave an empty space (using relative or absolute positioning, zero width and height could solve this):

.grecaptcha-badge{visibility:hidden;}

Another problem that we’ve noticed is if you use multiple captchas on page (say, you have more than one form), bottomright/bottomleft badges will be multiplied and stacked one over another. When you hover over one, the second one will still be behind it, semi-transparent. Not very nice.

Bottom line, learn to live with it.

reCaptcha v3.0 API Badge

Google now officially allows hiding the reCaptcha badge IF AND ONLY IF you post this text below the submit/sign-in/registration/comment/etc. form – more information here.

INVISIBLE reCAPTCHA CONCLUSION (2017)

Note: this conclusion was originally written back in 2017 for Invisible reCaptcha v2.0

All other talks aside, strictly speaking from our own experience, reCaptcha does seem to be working great 99.9% of the time. After Google’s initial implementation and several upgrades to the existing system (removing old text-based 2nd layer verification, upgrading to image/pattern recognition technique, introduction of time-limit, introduction of continuous/”infinite” captcha verification mode), reCaptcha evolved to a really robust platform for the time being.

Not to be underestimated either, Google owns several prominent platforms (Android, Chrome, Chromium OS), where real, human users are usually already signed-up/signed-in, and their tracking greatly simplifies the process of reliable spam prevention and human/bot verification.

By constantly analyzing human behavior, mouse movements, typing speed or whatever “magic” they have incorporated into NO CAPTCHA technology, Google has apparently already collected enough sample data to perfectly fine-tune their latest invention.

2018: INVISIBLE reCAPTCHA 3.0: Truly Invisible!

2018. update: After relatively brief public beta testing period, Google officially announced INVISIBLE reCaptcha API version 3.0 (v3) which introduced AI/ML probability scores [1] [2], hostname, timestamp and actions validations. It is relatively easy to upgrade your existing v2 reCaptcha implementations (if you used standard/basic implementation in v2.0), adding additional security layers and lowering the chance of bots passing through, with greatly reduced user friction.

Google reCaptcha v3.0 API Score Distribution Chart Example

Apparently, Google feels confident enough with the vast amount of data gathered from previous reCaptcha iterations to remove currently annoying image recognition verification and instead offer a direct score which evaluates visitor as a human or a bot. However, reCaptcha v3.0 is not going to replace v2.0 anytime soon (according to Google), so don’t worry if you still use older API.

You might be asking why Google suddenly moves away from image verification algorithm? Isn’t it the ultimate test for bots that cannot pass and break this system? Actually, no! Computer Vision / AI (Artificial Intelligence) algorithms are now getting so advanced, that they can even recognize tiny objects in the image our grandma couldn’t without magnifying glass! Take a look at this TensorFlow example. Of course, they are still far from being efficient in terms of computer resources and speed, but that day isn’t far far away as you might think.

Keep in mind that version 3.0 would not be possible without version 2.0 co-existence in our opinion, since it is still the golden benchmark of human interaction (despite possible vulnerabilities – read further below) which “feeds” the newer version with high-confidence data.

How Invisible reCaptcha v3.0 Works?

reCaptcha v3.0 does not show anything to the users! There is no challenge to select specified objects on images like it does in older APIs. Instead, it returns probability scores between 0.0 (100% bot) and 1.0 (100% human) from all actions on your website, and it is up to you / administrator to decide if it comes from a bot. How? By manually setting the probability score threshold in your configuration, since every website is a bit different and if your website is under heavy attack, you / admin can temporarily raise the value — for example — to 0.7 or 0.9 in extreme cases.
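As an added example (not code from this article or from Google), here is one way a server could apply the score threshold together with the action, hostname and timestamp validations mentioned above, and keep simple passed/failed counts. The policy values, the hostname www.example.com, the action name login and the sample replies are assumptions constructed for illustration.

```javascript
// Added example: policy check for a parsed reCAPTCHA v3 siteverify reply.
// Reply fields used: success, score, action, hostname, challenge_ts, error-codes.
// All policy values below are assumptions; tune them for your own site.
const POLICY = {
  minScore: 0.5,                           // assumed default threshold
  expectedHostnames: ['www.example.com'],  // hypothetical site hostname
  maxAgeSeconds: 120,                      // assumed token freshness window
  maxClockSkewSeconds: 30,                 // assumed tolerance for clock drift
};

// Returns { allow, reasons }. `resp` is the JSON object returned by siteverify,
// `expectedAction` is the action name the page used when requesting the token.
function evaluateV3Response(resp, expectedAction, nowMs, policy = POLICY) {
  if (!resp || resp.success !== true) {
    // Missing, malformed or rejected token: never treat this as a pass.
    const codes = (resp && Array.isArray(resp['error-codes'])) ? resp['error-codes'] : [];
    return { allow: false, reasons: ['verification-failed', ...codes] };
  }
  const reasons = [];
  if (typeof resp.score !== 'number' || resp.score < policy.minScore) {
    reasons.push('low-score');
  }
  // A token obtained for one action must not be accepted for another.
  if (resp.action !== expectedAction) reasons.push('action-mismatch');
  // The token must have been issued on one of our own hostnames.
  if (!policy.expectedHostnames.includes(resp.hostname)) reasons.push('hostname-mismatch');
  // The challenge timestamp must be recent and not in the future.
  const issuedMs = Date.parse(resp.challenge_ts);
  const ageSeconds = (nowMs - issuedMs) / 1000;
  if (Number.isNaN(issuedMs) || ageSeconds > policy.maxAgeSeconds ||
      ageSeconds < -policy.maxClockSkewSeconds) {
    reasons.push('timestamp-out-of-window');
  }
  return { allow: reasons.length === 0, reasons };
}

// Internal passed/failed statistics, broken down by rejection reason.
function tallyDecisions(decisions) {
  const stats = { passed: 0, failed: 0, byReason: {} };
  for (const d of decisions) {
    if (d.allow) { stats.passed += 1; continue; }
    stats.failed += 1;
    for (const r of d.reasons) stats.byReason[r] = (stats.byReason[r] || 0) + 1;
  }
  return stats;
}

// Constructed sample replies (not real traffic).
const NOW_MS = Date.parse('2019-03-10T12:00:30Z');
const OK = { success: true, score: 0.7, action: 'login',
             hostname: 'www.example.com', challenge_ts: '2019-03-10T12:00:00Z' };
const SAMPLES = [
  OK,                                               // passes the default policy
  { ...OK, score: 0.1 },                            // likely bot
  { ...OK, action: 'homepage' },                    // token from another action
  { ...OK, hostname: 'other.example.net' },         // token from another site
  { ...OK, challenge_ts: '2019-03-10T11:50:00Z' },  // ten minutes old
  { success: false, 'error-codes': ['timeout-or-duplicate'] }, // replayed token
];

function runSamples(policy = POLICY) {
  return SAMPLES.map((resp) => evaluateV3Response(resp, 'login', NOW_MS, policy));
}

console.log(tallyDecisions(runSamples()));
// Under heavy attack, raise the threshold temporarily:
console.log(tallyDecisions(runSamples({ ...POLICY, minScore: 0.9 })));
```

In production the `resp` object would come from your server's request to the siteverify endpoint, made with your secret key.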

There is a raised issue of user & assets privacy, because new reCaptcha requires to be implemented site-wide (for example: on homepage, search, product/article page, login/registration page and so on) in order to be able to closely monitor all relevant actions.

Google Invisible reCaptcha v3.0 Live Demo

See live demo here.

reCaptcha v3.0 Live Demo Testing Tips

If you visit above demo link from Google Chrome browser while you are logged-in with your Google Account (e.g. Gmail, YouTube, Google+ etc.), you will most likely receive a high score of 0.9 or so (which means you are not a bot! Hooray!).

However, if you open the above link in a fresh session of incognito or in-private browsing mode, you will receive a very low score of, for example, 0.1 or 0.3 (which means that Google thinks you could be a bot or a risky user with no good intentions). And, if Google says that you are a bot, then there is nothing else to do in your life but accept that as a matter of fact and move on. Because, if Google says you are a bot — then, you are a bot! :)

Another very interesting point is mobile browser apps. What is really peculiar is that when we tried the above demo with the Ghostery app (famous for privacy protection), we received a score of 0.7 without being logged in to any Google services. On the other hand, on the same phone with the Google Chrome app in incognito mode, we received a score of 0.1! Now, the demo page above is not representative (as the disclaimer at the very top of it states) and should not be used to draw any definitive conclusions. Still, interesting.

Google Invisible reCaptcha v3.0 Issues

How to pass reCaptcha v3.0? As we mentioned in above live demo section, there is one important downside to this silent spam/bot test system: there is no false positive fallback and opportunity for actual humans to prove system wrong.

In case you receive a low score for whatever reason (e.g. you inherited an IP address that was heavily abused by spammers recently), there is nothing you can do on your end, unless you change the environment variables (e.g. internet network / IP address / public computer / different phone etc.). That is relatively easy if you are knowledgeable tech-oriented individual, but what about average Joe/Jane? It is not gonna be easy for them. User friction can become infinite for individual cases.

One great thing about reCaptcha 2.0 and image verification was the fact that humans can still receive a challenge and a chance to prove they are not bots. There is no such fallback at the moment in reCaptcha 3.0, e.g. if the system thinks you are a bot – then, you are a bot, no matter what!

One possible solution is to log in to your Gmail account (any other Google account is essentially tied to Gmail nowadays), and that may fix your problem. Another solution is to try to clear the browser cache, set the browser to accept 3rd party cookies and try again. Not exactly average-user friendly, but still doable in a way.

It remains to be seen what Google will do about this problem.

Are There Any Good Google reCaptcha Alternatives?

In short: No, not really. Yes, there are hundreds of different captcha systems out there, but none of them are as advanced, user-friendly and simple as the current reCaptcha. Moreover, Google now automatically hides the reCaptcha form for users who are signed-in (logged-in) into their Google Account(s) and are verified non-spammers.

You may consider several different techniques, such as custom captcha plugins. They work on the same principle with distorted text and numbers as an old google captcha, but images (with text and/or numbers) are generated synthetically and custom level of distortion (ripple, twirl, noise) can be tweaked. Or, maybe you can try your luck with simple custom hidden input form fields, which are effective for a limited time only. Also, various math captcha plugins can be tried and so on. However, keep in mind that machine learning is so common nowadays, with several open-source libraries readily available, it is just a matter of time when these systems will be forever broken. All that’s required is that someone gets interested in your system, and it’ll be broken in a matter of days at best.

The effectiveness of these other systems is limited to how robust and complex they are, but also keep in mind user friendliness factor.

reCaptcha Vulnerabilities

reBreakCaptcha

Clever approach proposed by guys from East-Ee Security (python script GitHub repository here) used audio challenge response and Google’s very own speech recognition API to beat and effectively bypass reCaptcha API 2.0. For the time being this barely works, because reCaptcha challenge is a bit random and unpredictable, so completely automated solution still does not exist (at least, publicly).

Actually, beating captcha by audio is not a new idea. It was already done before, and also demonstrated last year by AppSec Labs. The problem with these kinds of attacks is that they need a large volume of requests (it is a mix of brute force attack and clever design, and recognition is not always 100% accurate). Also, when Google detects an increased number of requests, reCaptcha starts serving more complicated audio that cannot be easily recognized by the speech API.

Similarly, reCaptcha v2.0 object recognition verification can be theoretically beaten with Google’s own Vision API, which can recognize objects in images and return them to the end-user (attacker in this case). Problem is, using this API is prohibitively expensive for massive attack campaigns, and similarly to speech recognition above, images are getting progressively difficult in case of brute-force detection (e.g. objects are harder to distinguish, random noise is added to images, recognition sequences become longer and so on).

But, this might be the key vulnerability of the entire system – beaten by its own weapon. It remains to be seen what Google will do about it.

Will reCaptcha Actually 100% Prevent SPAM?

Yes and No. We really dream about a spam-free world; hopefully it will become a reality one day. There are some serious arguments that the No Captcha system does not bring anything BIG and just simplifies the front-end for the end user: it effectively keeps a whitelist track of good-behaviour, non-spam activity history from a user/device/account/IP address, which is recorded and stored inside Cookies, Sessions and private database records on Google servers.

Another problem is the human-hybrid spamming activity. For a 1$ per hour you may hire someone from a 3rd world country to solve your Captcha puzzles almost for free. There is no medicine against such virus.

Finally, OCR (Optical Character Recognition) and Pattern Recognition, Artificial Intelligence and Machine Learning Algorithms are continuously evolving. And no, not because of spamming activity, but because of Medical Research, Space Exploration, general society advancements etc. Those fields rely on highly automated systems that can mimic human pattern recognition capabilities and behavior and even surpass them in the future, which in return can lead to new breakthroughs in those fields.

Again, this is an infinite race against spammers and spam, just as the square checkbox symbolically morphs its shape into a circle in the noCaptcha reCaptcha.

Beyond Google Invisible Captcha

Eventually, all current captcha systems will become obsolete. As machines and artificial intelligence continue to develop and grow, getting smarter and capable of emulating humans (at least online, in the digital realm), it will be harder to determine who is human and who is a bot. Think about Alan Turing’s famous studies (e.g. the 1950 paper “Computing Machinery and Intelligence”) or Blade Runner and Ex Machina, if you are more into Hollywood Sci-Fi.

One way to solve it would be through some ‘human certification’ procedures. How will that look, without compromising individual’s privacy we can’t really imagine nor explain right now.

However, when it comes to spam posts and messages (at least), analyzing content will be the only solution that can keep your assets & business clean. In that regard, artificial intelligence and machine learning can be of great help, but keep that cat & mouse analogy in mind, as the other side can and will (ab)use it, as well.

Comments


  2. 1. George

    > As per Google’s requirements, Privacy & Policy badge must be included on every page that is protected by this system.

    I’m not able to find any info about this on the official documentation. Do you know where is it?

  3. 2. TehnoBlog (In reply to George)

    Hi George,

    No, there is no official information about it yet, link to the ToS is a general and abstract one, with no specifics, and we just concluded this from the little clues given “between the lines”:

    1) Captcha is truly invisible* for users signed-in into any Google’s service (Gmail, YouTube, G-plus, PlayStore…)

    update: well, after a few days of intense development work on the implementation of Invisible reCaptcha, it started to appear even if we are already signed in to a Google account. Guess it became suspicious with so many requests and submissions, so it automatically raised protection, possibly thinking we are trying to brute-force captcha while we tested & debugged our code. In conclusion, it is fair to assume that captcha will be hidden for most logged-in users, but not everyone.

    2) If you omit the position of the badge in the API code, it will default to bottom right position. This alone is the strongest indicator – if Google really wanted it invisible for everyone, it would make it so this way already.

    3) As in our little experiment described above, setting display:none will render reCaptcha non functional.

    Finally, when user signs into G’s service(s), it automatically accepts Terms and Conditions, and that also covers reCaptcha. There are no discussions about the badge yet, but they will start to appear eventually.

    We already experienced issues with inline mode, depending on the scripts used for styling and unifying theme design, it may appear inside the button itself, or on the side to the right or left, completely “off”, so it needs adjustments in the html and css, to fix it.

    Not ideal situation at the moment.


    update (Dec 2018): Google now officially allows hiding the reCaptcha badge IF you use reCaptcha v3.0 API and IF you include a small text below the submit/sign-in/registration/comment/etc informing users about Google captcha, privacy & terms. More information here.

  4. 3. TehnoBlog (In reply to TehnoBlog)

    update (2018/XII): Google now allows hiding reCaptcha badge if you use reCaptcha v3.0 API version, but you must include a small text below submit form informing users about reCaptcha use and link to Google’s Terms and Privacy Policy pages, respectively. More information here.

  5. 4. Tania

    I am using the Invisible reCaptcha for WordPress plugin on my clients’ sites and since I installed it I have never had any problems or spam comments or registrations.
    Hope this helps people with WordPress web sites
    https://wordpress.org/plugins/invisible-recaptcha/

    Tania

  6. 5. Peter

    What is the “succeed rate” (ie verification is passed at first step so the user doesn’t need to solve the actual captcha in the second step) difference between invisible and nocaptcha?
    Is it the same, or does the additional checkbox click make a significant difference?

  7. 6. TehnoBlog (In reply to Peter)

    Hi, I cannot tell you anything about “succeed rate” between 2 versions, that data only Google has, because each day you may have different number of bots, so you can’t really draw conclusions by yourself. For most practical purposes you can assume they’re about the same, if not equal.

    From server/web side point of view re: spam I think it’s the same, remember nocaptcha is essentially same technology behind invisible captcha for the most part, frontend implementation and API version is the most prominent difference we know.

    From user side point of view, invisible captcha is much more convenient and, as mentioned in the updated article, false positives / second verification steps are greatly reduced.

  8. 7. Loki

    Hi,

    Thanks for the detailed info.

    I am looking to display the reCaptcha badge after the submit button, meaning I should see the submit button first and then the badge.

    Any possible solution on this?

  9. 8. TehnoBlog (In reply to Loki)

    Hi, thanks! About positioning, it can be easy or tricky, depending on your design. In general, you can try a simple CSS solution below (place it somewhere inside your .css file(s), near the bottom for example):

    div.inv-recaptcha-holder{position:absolute; margin-top:50px;}
    (adjust that 50px value to fit your design)

    However, you may experience various incompatibilities with above, particularly if you use frameworks such as bootstrap, for example.

    Another way is to use some JavaScript to move/clone captcha html section, better check StackOverflow or some other places for examples, it shouldn’t be too complicated.

    Finally, I would leave it as it is or if your design allows it (for e.g. if you do not have any critical elements at the bottom), you can use bottomright/bottomleft position for badge (I guess you already tested it).

  10. 9. Peter

    Thank you for your reply.
    But if both have the same “succeed rate”, why would someone use the nocaptcha, as this necessitates an additional click for the user/visitor ?

  11. 10. TehnoBlog (In reply to Peter)

    Exactly. There are potential issues with invisible captcha integration with some existing systems, for example, JavaScript input field validations, which must be executed/called before captcha on submit event. Other than this, there is absolutely no reason why you shouldn’t use it!

  12. 11. Prerna

    The application is switched to invisible recaptcha from v2 recaptcha, and application has keys for both on same gmail account.
    After go live for invisible recaptcha positive graph was not shown for v2 recaptcha before, but now couple of days back I see positive graph for v2 recaptcha (2 weeks after invisible recaptcha went live for the application). I wonder why v2 recaptcha is showing positive graph.
    I wonder why sometimes v2 recaptcha shows positive graph, even after switching to invisible recaptcha.

  13. 12. TehnoBlog (In reply to Prerna)

    Hi Prerna, I assume you are referring to reCaptcha Analytics (Relative Spam Index / Requests Passed & Failed)? I am not really sure, the only way to get to the bottom of this is if you post it on reCaptcha support forum and hope someone from Google replies to you. But, it may never happen.

    Alternatively, you can actually log captcha verification requests and response values by yourself, and get *real* captcha stats for your own websites/apps/domains. Now, how can you do it? Well, it all depends on your implementation, if you use WordPress CMS (for example), you most probably use some plugin for invisible captcha, so you will have to modify the plugin’s code and tap into the verification function itself. This way you can get number of submitted requests, as well as number of passed/failed count. For other CMS systems/implementations, idea is exactly the same, but it all depends how will you implement custom captcha analytics. So, you need to have some programming skills (PHP, JavaScript in case of WordPress and popular php-based CMSs, and some other languages in other cases).

    About your captcha admin dashboard at Google, I really don’t know the answer why it shows positive graph sometimes, and sometimes not. There is a minimum traffic threshold and it is indeed normal to see at least some statistics, if you pass the threshold.

    Remember, keys are different for reCaptcha v2.0 (so-called noCaptcha) and invisible captcha!

  14. 13. invisible captcha

    Hi,

    Recently configured invisible captcha for my application, did proxy as Google is not supported in China geography. Now I’m continuously getting images for every login which is annoying me and my time to login.

    Can you please suggest on this, why I’m getting continuous image captchas for every login.

  15. 14. TehnoBlog (In reply to invisible captcha)

    Hi, I don’t know for sure, but I think it’s because you’re using proxy. Proxies and cloud servers are often used by hackers and spammers to hide their origin, and for the very same reason all incoming requests to Google API are suspicious.

  16. 15. invisible captcha

    Hi, Thanks for the prompt reply.
    Can you suggest any alternate way to use captcha in China region?
    Also please share me some inputs how to skip from continuous captcha images before successful login.

  17. 16. TehnoBlog (In reply to invisible captcha)

    Hi, thanks. I’m really sorry, but I don’t know about other ways or see any alternative. Maybe there’s a similar service offered by a local company not blocked with firewall?

  18. 17. Jacob

    Very useful, thanks for sharing.

  19. 18. Thomas

    This shit is being implemented on websites it should never be.
    It’s fine if you want to submit a comment, but reCaptcha when you are tracking your postal delivery items?
    Or to log into banking services?
    Give me a break, this shit kills the internet.
    SUCKS.

  20. 19. TehnoBlog (In reply to Thomas)

    New reCaptcha v3.0 does not have any verification. Essentially, you either pass as a human or a bot based on score you receive. I guess it will be great for user experience, all drawbacks aside.

  21. 20. Treii28

    We’ve been using the invisible recaptcha and it was blocking (mostly Russian) spam bots from registering on our website — until today. Suddenly they are flooding in again so presumably something was ‘discovered’ to break the google invisible recaptcha. As far as I know we are on the latest-greatest version 3.0 code.
    Someone suggested that you could change the defaults to increase the restrictiveness from ‘only the most suspicious sites’. Any idea how? Or other ideas to make sure these damn bots don’t start filling our user registrations with fake accounts spamming urls that no one would ever visit anyway? (these registrations don’t even make any sense. It strikes me as cover for other types of site snooping anyway)

  22. 21. TehnoBlog (In reply to Treii28)

    Hi, please visit reCaptcha Admin dashboard and check your spam index / score charts. Also, while you are there, click Advanced Settings (buried all the way down below your API keys and example codes) and make sure option Verify the origin of reCAPTCHA solutions is checked.

    Once you see the distribution of that data, you can increase human/bot score to a higher value in your reCaptcha response implementation code.

    If it still fails, I suggest you revert to version 2.0 API. In the same reCaptcha Admin dashboard as above, scroll all the way down below API keys and examples and click on Advanced Settings. Now, for reCaptcha 2.0 version you will have a slider there where you can set hardness of the captchas: from Easiest for users (some security features turned off) all the way to the Most secure (all security features turned on).

    Maybe Google still needs to tweak reCaptcha 3.0, as some users of CF7 plugin for WordPress also complained about a lot (more) spam traffic passing by ever since its author switched to latest version couple of months ago.
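
The self-hosted captcha statistics suggested in the reply to Prerna and the score threshold suggested in the reply to Treii28 can share one server-side routine. The following is an added example, not part of the original comments or of any plugin's code: the function names, the policy object and the sample verdicts are assumptions constructed for illustration, and `verifyToken` needs Node 18+ for the built-in `fetch`.

```javascript
// Added example. evaluate(), tally(), the policy fields and SAMPLE are
// hypothetical names; only the siteverify endpoint and its JSON fields are Google's.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// POST the client token to Google and return the parsed JSON verdict.
async function verifyToken(secret, token) {
  const res = await fetch(SITEVERIFY_URL, {
    method: "POST",
    body: new URLSearchParams({ secret, response: token }),
  });
  return res.json();
}

// Decide pass/fail from one verdict and name the reason, so failures can be counted per cause.
function evaluate(verdict, { minScore, expectedHost, expectedAction }) {
  if (!verdict || verdict.success !== true) return { pass: false, reason: "invalid-token" };
  if (verdict.hostname !== expectedHost) return { pass: false, reason: "wrong-hostname" };
  if (verdict.action !== expectedAction) return { pass: false, reason: "wrong-action" };
  if (typeof verdict.score !== "number" || verdict.score < minScore)
    return { pass: false, reason: "low-score" };
  return { pass: true, reason: "ok" };
}

// Build your own statistics: totals, failures per reason, and a score histogram (buckets 0.0 to 1.0).
function tally(verdicts, policy) {
  const stats = { total: 0, passed: 0, failed: {}, histogram: new Array(11).fill(0) };
  for (const v of verdicts) {
    const { pass, reason } = evaluate(v, policy);
    stats.total += 1;
    if (pass) stats.passed += 1;
    else stats.failed[reason] = (stats.failed[reason] || 0) + 1;
    if (v && typeof v.score === "number")
      stats.histogram[Math.min(10, Math.max(0, Math.round(v.score * 10)))] += 1;
  }
  return stats;
}

// Constructed sample verdicts, shaped like v3 siteverify responses.
const SAMPLE = [
  { success: true, score: 0.9, action: "register", hostname: "example.com" },
  { success: true, score: 0.3, action: "register", hostname: "example.com" },
  { success: true, score: 0.9, action: "register", hostname: "other.example" },
  { success: true, score: 0.7, action: "login", hostname: "example.com" },
  { success: false, "error-codes": ["timeout-or-duplicate"] },
];
```

Running `tally` over logged verdicts with several `minScore` values shows how many real registrations a stricter threshold would have rejected before the threshold is changed in production.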

  23. 22. [some website] loser

    Just been browsing roommates wanted listings on [some website] at the public library in Google Chrome (version 66.0.3359.181 (Official Build) (64-bit) (cohort: Stable)) in Windows. After 22+ clicks of the reply icon, I’m getting a pop-up error message “sorry, something went wrong” repeatedly. Looks like this IP address may have been banned. Was that the work of Invisible reCaptcha?

  24. 23. TehnoBlog (In reply to [some website] loser)

    There are many protections which use IP address blacklists and other methods to determine ‘dirty networks’, suspicious user behavior etc. and they operate on the server-side, thus, there is no way to know for sure which type of protection they use. Also, your Chrome version is a bit outdated (particularly, because Chrome uses auto-update by default and cannot be turned-off by ordinary users), many 3rd party protection scripts detect obsolete browsers as potential vulnerability vectors, and actively or passively prohibit their access. Of course, that field alone is not reliable security method at all (because it can be faked by clients), but it can be a signal that something is not right for that particular client.

    After clicking on Show Contact Info reCaptcha was loaded using Ajax, so they do use it after all, just not right away (this is the reason why the code is not directly visible in the source, there is only a call to a JavaScript function that is executed once the user clicks on a button).

  25. 24. Jek

    How To Boost Lighthouse Performance Score reCaptcha v3 on the site?

  26. 25. TehnoBlog (In reply to Jek)

    reCaptcha v3 loads on every page everywhere in the background, and this method is not even an option in that case.

  27. 26. Captcha testing 123

    I have managed to send a spam message here despite the reCaptcha implementation on this webpage. I think the most important advantage of V2 visual challenge over V2 invisible or V3 is the annoyance factor. V2 invisible or V3 won’t stop a human spammer from just sending a bunch of messages to you. That’s a problem, because if you’re serious about customer support, you’ll have to read through such spam as well. Not to mention Blogs, which you’ll probably want to moderate anyway. The V2 visual challenge, on the other hand, will be annoying enough to deter repeated spamming by a random human spammers, which means less noise to go through.

    I see no benefit in using invisible reCaptcha V2 or V3 in any real world application because it’s not just bots that you want to filter out and you definitely don’t want to filter out potential customers.

  28. 27. TehnoBlog (In reply to Captcha testing 123)

    Thanks. Your spam message did not pass, simply because all comments here are human moderated.

    Yes, spam messages from humans can pass, as they naturally do, but other processing layers in the chain can help fight them. Machine learning, traditional keyword/phrase matching, public or private services with scores, known spamming IPs, and so on can help reduce their impact to a point.

    In addition, Google reCaptcha gets progressively more difficult when it detects brute force or frequent posting behavior. In other words, it is no longer ‘invisible’, or the returned spam score gets seriously downgraded.
