
What is invisible reCAPTCHA? How to choose the right type of CAPTCHA
Invisible reCAPTCHA, no CAPTCHA reCAPTCHA, and reCAPTCHA—What are they and do you really need them?
What is reCAPTCHA?
ReCAPTCHA is a type of CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”). The CAPTCHA concept dates from around 2000; reCAPTCHA itself was developed at Carnegie Mellon University in 2007 and acquired by Google in 2009. Today, reCAPTCHA is Google’s brand of CAPTCHA tests.
The first iteration of reCAPTCHA (now called reCAPTCHA v1) was essentially a human-assisted optical character recognition (OCR) test. Users were shown a pair of scanned words: a control word whose answer was already known to the system (OCR software had read it reliably), and an unknown word that OCR software had failed to read, which only a human could identify.
The reCAPTCHA v1 test assumed that if the user typed the control word correctly, their reading of the unknown word was probably correct too. That is how it determined whether a user was a legitimate human, while also collecting human transcriptions of text that OCR could not read. This method, which might seem primitive today, was an impressive innovation in the late 2000s, which is why Google purchased it.
ReCAPTCHA v1 remained in wide use into the 2010s. In 2012, it began using photographs of house numbers taken from Google’s Street View alongside scanned words to increase its difficulty, before it was shut down in March 2018 and replaced by newer versions of reCAPTCHA, including the invisible reCAPTCHA.
What is Invisible reCAPTCHA?
ReCAPTCHA v1 was succeeded by reCAPTCHA v2, which Google introduced in 2014 and which fully replaced v1 when v1 was decommissioned in 2018.
Invisible reCAPTCHA is technically one of the three variants of reCAPTCHA v2:
1. ReCAPTCHA v2 for Android
Part of the Google Play services SafetyNet APIs, reCAPTCHA v2 for Android is an API that you can use to protect Android apps from bot traffic.
The API integrates directly into an app by setting up Google Play services and connecting through the GoogleApiClient. It passes low-risk users immediately without showing any CAPTCHA form, to preserve the user experience, and challenges the user to prove they are human only when needed.
2. The “I’m not a robot.” Checkbox
Probably the most familiar type of reCAPTCHA v2 for most people, the checkbox version of reCAPTCHA v2 requires the user to click the “I’m not a robot” box.
Because the user is not presented with any actual CAPTCHA test (they only need to tick the checkbox), Google often calls this version the “no CAPTCHA reCAPTCHA”.
Although it looks very simple, Google actually uses several different signals to determine whether the user clicking the checkbox is a human. Google analyzes the user’s behavior before, during, and after the click, which may include the user’s browsing history and mouse movements on the page.
If Google is unsure whether you are a legitimate human user, you will be presented with a challenge, such as the infamous “Select all images with…” test.
3. The Invisible reCAPTCHA v2
Unlike the No CAPTCHA reCAPTCHA checkbox, the invisible reCAPTCHA shows only a small badge on the page.
With the invisible reCAPTCHA, no explicit user interaction is required at all. As with the “I’m not a robot” checkbox, Google analyzes the user’s activity, such as typing patterns, mouse movements, and browsing history. The reCAPTCHA can be triggered either by binding it to an existing button on the page (the check runs when the user clicks it) or programmatically from JavaScript (the grecaptcha.execute() API call).
As before, if Google is not sure whether a user is a human, the user will be prompted to solve a CAPTCHA test.
Is Invisible reCAPTCHA a perfect solution?
No, reCAPTCHA v2, including the invisible reCAPTCHA, is not perfect.
Many users are too familiar with the feeling of having Google suddenly prompt them to solve an annoying reCAPTCHA v2 image test. The invisible reCAPTCHA works pretty well sometimes, but when it doesn’t, it can be a nightmare for the user experience.
Sophisticated bots now use recent machine-learning models and are fairly accurate at solving reCAPTCHA v2 image and audio challenges. It is rather ironic that Google uses reCAPTCHA solutions to train its image and audio recognition models, while attackers use the same kind of models to beat reCAPTCHA v2.
ReCAPTCHA also struggles against CAPTCHA farms.
CAPTCHA Farm Services: Bane to Invisible reCAPTCHA
Another challenge to all traditional CAPTCHAs, including the invisible reCAPTCHA, is the existence of CAPTCHA farms all over the world. A CAPTCHA farm is essentially a business providing the services of human workers (typically in low-cost offshore countries) that will solve reCAPTCHAs.
Cybercriminals use CAPTCHA farms so that even unsophisticated bots that cannot solve reCAPTCHA themselves can get past the invisible reCAPTCHA. When the invisible reCAPTCHA issues a challenge, the bot forwards it to the CAPTCHA farm’s API; a human worker solves the challenge, and the farm returns the resulting response token to the bot, typically through a callback request.
The bot then submits that response token with its request, passes the reCAPTCHA check, and carries on with its malicious activity.
By outsourcing reCAPTCHA solving to farms, cybercriminals no longer need a sophisticated bot that is expensive to build and operate, which makes their activity cheaper overall. The fees paid to the farms are, by comparison, very small: some services offer to solve 1,000 reCAPTCHA v2 challenges for $1.

Invisible reCAPTCHA vs. reCAPTCHA v3
The issues with the reCAPTCHA v2 challenges, including the invisible reCAPTCHA, led Google to develop reCAPTCHA v3, both to improve efficacy and to provide a better user experience.
ReCAPTCHA v3 is designed as an improvement over the invisible reCAPTCHA v2 with a similar concept: it is completely invisible to website visitors and there are no challenges to solve. With reCAPTCHA v3, Google continuously observes how a user interacts with a website to determine whether it is a human or a bot.
While the actual process is quite complex, in general reCAPTCHA v3 runs on every page where it is loaded, and for each request on which it is invoked it returns a score between 0.0 and 1.0. The closer the score is to 0.0, the more likely the request came from a bot; the closer it is to 1.0, the more likely it came from a human.
How interactions are scored varies between websites. When implementing reCAPTCHA v3, the website administrator tags each call with an action name (for example a login or a checkout) so that scores are reported per action and the risk analysis can take into account where on the site the request was made.
ReCAPTCHA v3 harms the user experience less than v2 for most users, since they are never asked to complete a challenge.
However, reCAPTCHA v3 still is not perfect.
Why reCAPTCHA v3 is not the perfect solution:
While reCAPTCHA v3 is currently the best version of reCAPTCHA in terms of user experience, it is not a perfect solution. In fact, there are use cases where reCAPTCHA v2 and invisible reCAPTCHA are actually better.
There are three key issues to consider when implementing reCAPTCHA v3 on your website:
1. Score thresholds for each action.
ReCAPTCHA v3 is harder to implement than the invisible reCAPTCHA because Google only returns a score; the website administrator must decide, for every action on the site, what to do with each range of scores. This can be a major, time-consuming hassle.
For each action, the webmaster must map score ranges to one of three responses:
- Pass the user as a legitimate human and permit the request.
- Serve a reCAPTCHA v2 challenge to confirm the user is human when the score is not decisive.
- Block the request outright.
For example, you could block outright when the score falls below 0.2, serve a challenge when it is between 0.2 and 0.6, and grant access to the requested resource when it is above 0.6.
If the website has many actions, mapping scores to responses is a challenging process, and the webmaster faces a fundamental trade-off: the stricter the thresholds, the more legitimate users get blocked; the more relaxed the thresholds, the more bots get in.
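The server-side counterpart of the CAPTCHA-farm flow above and of the threshold mapping just described, as an added example that is not part of the original post and not DataDome’s or Google’s code: a Python function that takes the JSON Google’s siteverify endpoint returns (the fields success, hostname, challenge_ts, and for v3 also score and action) and maps it to allow, challenge or block. The HTTP call to Google is not made here; the threshold values, the hostname shop.example, and the sample responses are assumptions constructed for the example. It shows which checks the site itself can make (hostname, token age, single use, action name, score) and which it cannot: a token a farm solved and the bot submits once looks identical to a human’s.

```python
"""Server-side handling of a reCAPTCHA siteverify response (added example).

Not DataDome's or Google's code. It assumes the JSON fields that Google's
/recaptcha/api/siteverify endpoint returns: success, hostname, challenge_ts,
plus score and action for v3. The HTTP call to Google is not made here; the
sample responses are constructed inline so the module runs offline.
"""
from datetime import datetime, timedelta, timezone

# reCAPTCHA response tokens expire two minutes after the challenge.
TOKEN_MAX_AGE = timedelta(minutes=2)

# Per-action thresholds as (block_below, challenge_below); scores at or above
# challenge_below pass. Illustrative placeholders: they have to be tuned from
# each site's own score distribution.
THRESHOLDS = {
    "login": (0.2, 0.6),
    "checkout": (0.3, 0.7),
    "homepage": (0.1, 0.3),
}
DEFAULT_THRESHOLDS = (0.2, 0.5)

# Tokens already consumed. In production this would be a shared cache with a
# two-minute TTL; a per-process set is enough to show the check.
_seen_tokens = set()


def _parse_ts(ts):
    """challenge_ts is ISO 8601, e.g. "2024-01-15T10:22:31Z"."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def decide(resp, token, expected_hostname, expected_action, now):
    """Map one siteverify response to "allow", "challenge" or "block".

    Handles v2 (no score field) and v3 (score + action). Google's siteverify
    already rejects expired and reused tokens, so the freshness and single-use
    checks here are defense in depth for apps that cache siteverify results.
    None of them stops a token that a CAPTCHA farm solved and the bot submits
    once: that token is valid for this site and passes exactly like a human's.
    """
    if not resp.get("success"):
        return "block"
    if resp.get("hostname") != expected_hostname:
        return "block"  # token was issued for a different domain / site key
    if now - _parse_ts(resp["challenge_ts"]) > TOKEN_MAX_AGE:
        return "block"  # stale token
    if token in _seen_tokens:
        return "block"  # replayed token
    _seen_tokens.add(token)

    if "score" not in resp:  # v2 checkbox or invisible: pass/fail only
        return "allow"

    # v3: the action must be the one this endpoint expects, otherwise a token
    # obtained on a low-risk page (homepage) could be spent on a sensitive one.
    if expected_action is not None and resp.get("action") != expected_action:
        return "block"
    block_below, challenge_below = THRESHOLDS.get(resp.get("action"), DEFAULT_THRESHOLDS)
    score = float(resp["score"])
    if score < block_below:
        return "block"
    if score < challenge_below:
        return "challenge"  # fall back to a visible reCAPTCHA v2 challenge
    return "allow"


# Constructed sample data for a stand-alone run; not real traffic.
SAMPLE_NOW = datetime(2024, 1, 15, 10, 23, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=5)


def sample_response(version, **overrides):
    """A siteverify-shaped dict for "v2" or "v3", with optional field overrides."""
    resp = {"success": True, "hostname": "shop.example",
            "challenge_ts": "2024-01-15T10:22:31Z"}
    if version == "v3":
        resp.update({"score": 0.65, "action": "login"})
    resp.update(overrides)
    return resp


if __name__ == "__main__":
    print(decide(sample_response("v3"), "tok-1", "shop.example", "login", SAMPLE_NOW))
    print(decide(sample_response("v3"), "tok-1", "shop.example", "login", SAMPLE_NOW))  # replay
```

The action check matters more than it looks: a v3 token is site-wide, so without it an attacker who collects a high score on the homepage can spend that token on the login endpoint.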
2. Knowing whether you’ve set the right threshold.
Once you have installed reCAPTCHA v3, the admin console reports the distribution of scores for each action on your website, but that alone is usually not enough to tell whether the thresholds you set for each action are right.
For example, you may want to treat a form submitted very quickly as suspicious, but some people really are fast typists and fast thinkers, so how fast is too fast for a human? Conversely, bots can deliberately slow down to stay on the right side of such a heuristic.
It is essential to collect and analyze enough data from a wide range of users before the thresholds can be set accurately, and that process is expensive and difficult in its own right.
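One way to get more out of the score reports than a histogram, as an added example that is not from the original post or from Google: back-test candidate thresholds against traffic that was labelled good or bad after the fact. The labels, the log format (one line per siteverify result with action, score and label) and all values below are constructed for illustration; in practice the label would come from an independent signal such as a completed authenticated purchase, a chargeback, or a confirmed credential-stuffing burst.

```python
"""Back-test candidate reCAPTCHA v3 thresholds against labelled traffic.

Added example, not part of the original post. Assumes the site logs the
action and score from each siteverify response and can label each request
good or bad afterwards. The log lines below are constructed, not real.
"""
from collections import defaultdict

CANDIDATES = (0.1, 0.3, 0.5, 0.7, 0.9)

SAMPLE_LOG = """\
ts=2024-01-15T10:22:31Z action=login score=0.9 label=good
ts=2024-01-15T10:22:33Z action=login score=0.7 label=good
ts=2024-01-15T10:22:35Z action=login score=0.4 label=good
ts=2024-01-15T10:22:36Z action=login score=0.3 label=bad
ts=2024-01-15T10:22:37Z action=login score=0.1 label=bad
ts=2024-01-15T10:22:38Z action=login score=0.5 label=bad
ts=2024-01-15T10:22:40Z action=checkout score=0.8 label=good
ts=2024-01-15T10:22:41Z action=checkout score=0.6 label=good
ts=2024-01-15T10:22:42Z action=checkout score=0.2 label=bad
ts=2024-01-15T10:22:43Z action=checkout score=0.1 label=bad
"""


def parse_log(text):
    """Parse key=value lines into {action: [(score, label), ...]}."""
    by_action = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        by_action[fields["action"]].append((float(fields["score"]), fields["label"]))
    return dict(by_action)


def error_rates(samples, threshold):
    """Treat score < threshold as "not human"; return (false_block, missed_bots).

    false_block: share of good requests below the threshold (blocked or challenged).
    missed_bots: share of bad requests at or above the threshold (let through).
    """
    good = [s for s, label in samples if label == "good"]
    bad = [s for s, label in samples if label == "bad"]
    false_block = sum(1 for s in good if s < threshold) / len(good) if good else 0.0
    missed_bots = sum(1 for s in bad if s >= threshold) / len(bad) if bad else 0.0
    return false_block, missed_bots


def sweep(by_action, candidates=CANDIDATES):
    """{action: {threshold: (false_block, missed_bots)}} for every candidate."""
    return {action: {t: error_rates(samples, t) for t in candidates}
            for action, samples in by_action.items()}


def pick_threshold(samples, max_false_block, candidates=CANDIDATES):
    """Highest candidate threshold whose false-block rate stays within budget.

    Returns None if no candidate meets the budget. The trade-off the text
    describes is visible here: raising the threshold catches more bots and
    blocks more humans at the same time.
    """
    acceptable = [t for t in candidates if error_rates(samples, t)[0] <= max_false_block]
    return max(acceptable) if acceptable else None


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for action, table in sweep(log).items():
        for t, (fb, mb) in table.items():
            print(f"{action:9s} threshold={t:.1f} false_block={fb:.2f} missed_bots={mb:.2f}")
        print(f"{action:9s} pick (<=10% false block): {pick_threshold(log[action], 0.10)}")
```

With the constructed data, login only separates cleanly at a threshold that also blocks a third of good users, while checkout separates perfectly at 0.5; that difference per action is exactly why a single site-wide threshold is a poor choice.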
3. Accuracy.
ReCAPTCHA v3 relies on analyzing user behavior to predict whether a request comes from a human or a bot. To do this accurately for a given site, it needs a large volume of behavioral data from that site to learn what normal human interactions look like there.
Until reCAPTCHA v3 has gathered enough data, it relies on a basic client-side fingerprinting approach, and during that period bots can evade its detection relatively easily.
How to Choose the Right Type of reCAPTCHA
At the moment, there’s not a perfect reCAPTCHA.
V3 is technically the most secure reCAPTCHA version, but it is also the hardest to implement, since web administrators must make the right decisions about how to handle each user action’s score. Invisible reCAPTCHA and reCAPTCHA v2 in general are much easier to implement, but not ideal for user experience, data privacy, or security.
Thus, as you explore reCAPTCHAs, consider also exploring reCAPTCHA alternatives.
Takeaway: ReCAPTCHAs vs. Bot Management Solution
While both the invisible reCAPTCHA v2 and reCAPTCHA v3 can help protect your site from bot traffic, they should not be your first line of defense, since the most sophisticated bots, and any bot backed by a CAPTCHA farm, will bypass traditional CAPTCHAs.
If you really want to protect your site from malicious bot activity, DataDome’s bot and online fraud protection solution now integrates the first fully secure, privacy-compliant CAPTCHA. Using a variety of different signals alongside the CAPTCHA helps ensure your websites, mobile apps, and/or APIs are protected from malicious actors—without showing CAPTCHAs to your real users.
This is a Security Bloggers Network syndicated blog from DataDome, authored by DataDome. Read the original post at: https://datadome.co/learning-center/invisible-recaptcha-choosing-recaptcha/