Captcha — an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart — is a series of challenge-response questions designed to prevent bots from bombarding web sign-up forms with spam, and Google’s freely available service — reCaptcha — displays as many as 100 million tests every day via its application programming interface (API).
Today, the Mountain View company introduced reCaptcha v3, a next-gen version of the platform that affords more flexibility to developers. Crucially, it does away with tests. With reCaptcha v3, web denizens won’t have to enter text, click a checkbox, or complete a puzzle — as long as they don’t trip any algorithmic alarms, that is.
ReCaptcha v3 launched in beta in May, but becomes broadly available this week.
“Over the last decade, reCAPTCHA has continuously evolved its technology,” Google product manager Wei Liu wrote in a blog post. “In short, reCAPTCHA v3 helps to protect your sites without user friction and gives you more power to decide what to do in risky situations.”
The new reCaptcha introduces Actions, a tag that can be used to trigger next steps and perform risk analysis “in context.” Unlike reCaptcha v2 and v1, which were designed to run in isolation on a single webpage, reCaptcha v3 takes into account signals across multiple pages as it attempts to identify potential attackers. From these analyses, a score (between 0 and 1) is generated and displayed in the reCaptcha administrator console, which also shows a breakdown for the stats of the top ten actions on a given site.
The aforementioned score can be used in several ways, Liu explains. For example, developers can set a threshold that determines when a user is prompted to undergo additional verification or use it to train an anti-spam machine learning model. Alternatively, it can be combined with proprietary data like transaction histories and user profiles.
“By providing you with these new ways to customize the actions that occur for different types of traffic, this new version lets you protect your site against bots and improve your user experience based on your website’s specific needs,” Liu wrote. “As always, we are working every day to stay ahead of attackers and keep the Internet easy and safe to use (except for bots).”
ReCaptcha has its origins in a team at Carnegie Mellon University, from which Google acquired the technology roughly a decade ago. In 2014, the search giant replaced the original reCaptcha system — which required users to read distorted text and type it into a box — with a simpler checkbox-based system that used clues such as cookies and mouse movements to suss out bots.
In June 2017, Google announced the reCaptcha Android API, a Captcha test optimized for touchscreen displays. And a month later in March 2017, it debuted “invisible reCaptchas” — Captchas that use advanced risk analysis algorithms to distinguish between human users and bots without requiring action automatically.
Google says it uses “advanced analysis techniques” that consider a user’s “entire engagement” with Captcha and “evaluate a broad range of cues” to determine whether a user is a human. Some security researchers over the years have raised concerns about its thoroughness, however.