SBN

Is reCAPTCHA Enterprise Worth it for Businesses?

For the last 15 years, Google has offered businesses its free reCAPTCHA tool as a way to stop bad bots from attacking their site and to try to determine if a user is human or not. The original reCAPTCHA asked users to translate scanned texts to try and identify that the user was a human and also, as an additional benefit for Google, in digitizing books and training their optical character recognition (OCR) software. 

They released a second version in 2014 which replaced translating old scanned text to being asked to identify a particular object in a range of different photos, such as crosswalks and lamp poles. Similar to the first version, Google benefited from this as the results were used to train their image recognition software. Ironically, it is this same improved image recognition software that can be used by bots to beat reCAPTCHA v2s challenges. 

Therefore last year, Google launched their latest version, reCAPTCHA v3 which also for the first time also has a commercial version, known as reCAPTCHA Enterprise. This is no longer free, but charges businesses after the first 1 million assessments per month. Has this new version of reCAPTCHA solved its previous issues and is it a suitable tool for digital businesses that are serious about stopping bad bots?

The Main Flaws of reCAPTCHA v2

Firstly, it is important to understand the problems with reCAPTCHA v2 that led to the development of a new version. The main complaints regarding reCAPTCHA v2 fall into the following categories:

  • Resilience to Advanced Bots
  • User Experience
  • Data Privacy

The question is whether Google has made enough improvements to resolve these complaints and is now a reliable option for a business that is now paying for the tool.    

Resilience to Advanced Bots

CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’ and the biggest issue reCAPTCHA v2 has is that it no longer can tell computers and humans apart. Image recognition software has advanced so much, even helped by the use of reCAPTCHA, that it is very cheap and easy to build bots and scripts to pass these challenges. In 2016, utilizing Google’s own image recognition software, an American computer science professor managed to solve Google’s image CAPTCHAs with 70 percent accuracy. Google’s image recognition software has also been improving year on year as, in a rather counterintuitive move, the millions of users solving reCAPTCHA challenges are training the image recognition software that can then be used to defeat these challenges. This led to needing to have longer and repeated challenges, negatively impacting the user experience (which is discussed below) and which still did not actually defeat the bots. In 2022, it is both easy and inexpensive for attackers to buy bots from various marketplaces that easily solve reCAPTCHAs in seconds.

Does reCAPTCHA v3/Enterprise improve this situation?

Google reCAPTCHA Enterprise, rather than immediately relying on the image recognition challenges, performs a risk assessment to score the risk of the user from 0 to 1, allowing web administrators to decide what the actions should be, depending on the user’s risk score. For users that are allocated a higher score, admins have 4 different options of what they can do:

  1. Hard block the user
  2. Give the user access to the requested resource
  3. Ask the user to solve a reCAPTCHA v2 challenge to test if they are human
  4. Enforce multi-factor authentication

If the admin decides to employ reCAPTCHA to stop potentially bad traffic, then we are simply back at square one. That’s because they are still serving the same CAPTCHA that is so easily defeated by bots. The other options are not desirable, as they cause too much friction to good users who potentially get caught in their snare. 

User experience

Irritation at a reCAPTCHA v2 is a familiar feeling for anyone who has been caught in what can feel like a never-ending cycle of doom, incessantly clicking traffic lights while internally screaming “Yes I am a human!” Users that are forced to repeat the activity multiple times will often give up, leading to a loss of revenue for businesses.

Does reCAPTCHA v3/Enterprise improve the user experience?

Google’s main driver behind the changes made to reCAPTCHA Enterprise was related to the user experience challenges and they now claim to provide frictionless security, as a risk analysis is run in the background without users needing to solve a challenge. The problem now is left on the shoulders of the web administrators, who need to configure their websites to decide what the next steps should be depending on the different risk scores, as noted above. 

None of these options are particularly appealing for a user – unless they decide to just allow access, but this of course hugely compromises website security. Multi-factor authentication relies on the platform already having a user’s email address or phone number, so if this is the first time they are visiting the site it is not even possible to use multi-factor authentication. If it is possible, this choice can be very frustrating as it forces the user to navigate away from the site and undergo more effort to access the platform. For certain services such as banking, users will tolerate multi-factor authentication, but they do not expect to have to undergo it for every site they access. Additionally, multi-factor authentication can be very costly to businesses that are paying for each SMS that is sent with a code or investing in an app that can provide the second factor of authentication.

Therefore, in terms of ensuring security, many businesses may need to fall back to the challenges that reCAPTCHA v2 used, which still have their inherent user experience problems as well as security issues discussed above. 

Data Privacy

ReCaptcha v2 relies heavily on whether you have Google cookies in your browser to assess your likelihood of being a bot or not. Research from students at Toronto University in 2019 showed how reCaptcha scores were always a low risk when they visited a website when already logged into a Google account. This causes issues for all users in China, where Google products are banned, as well as anyone who is not comfortable using Google products and sharing their private data with a company that in 2020 made the majority of their $180b revenue from advertising.

Does reCAPTCHA v3 / Enterprise improve data security?

No. They are still utilizing Google cookies in their decision-making of risk score, therefore not solving this legitimate concern.

Is reCAPTCHA v3/Enterprise Worth it for Businesses?

It is true that there are some improvements for the user with ReCAPTCHA V3 and Enterprise, as they perform a risk assessment in the background so users should be irritated a little less often.  Unfortunately, the three key complaints related to reCAPTCHA V2 have not been fully resolved with the latest version and therefore ReCAPTCHA Enterprise is not an appropriate solution for a business that wants to keep its platform secure while not annoying its user base. To find out how Arkose Labs can help businesses truly stop bad bots without harming user experience, click here for a demo. 

*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Erkin Gunay. Read the original post at: https://www.arkoselabs.com/blog/is-recaptcha-enterprise-worth-it-for-businesses/