Are we human? Or are we reCAPTCHA?

"The 2 squiggly word captcha that you know and hate will die by 3/31/2018."

The Web is dark and full of bots, and there is one undisputed leader in defending against them. You probably use reCAPTCHA every day but you don't even know it! Aaron Malenfant is the lead software engineer for reCAPTCHA and he explained its past, present, and future at GDG DevFest NYC. reCAPTCHA is secretive by its very nature, so this is a rare look into how this essential piece of web technology works.

Part 1: High level details

What I Learned

You can sign up for reCAPTCHA at https://www.google.com/recaptcha and learn more with the CodeLab here.

Volume

ReCAPTCHA

  • 2 million weekly active sites
  • 1 billion CAPTCHA solutions a week
  • NoCAPTCHA saves millions of hours a day

Difficulty levels

The reCAPTCHA machine learning engine categorizes incoming requests on a spectrum of difficulty levels, from "just a checkbox" to "select all images with cars" (image classification) to "select all squares with vehicles" (image localization) to "ok you're definitely a bot".

Integrating into -your- site

Head to https://www.google.com/recaptcha/admin#list and answer a few simple questions!

You will have a few options:

  • Visible: script tag and a div
  • Invisible: script tag and a button with a callback
  • Invisible: script tag with a div, to have control over when you execute

Yes, there is such a thing as Invisible reCAPTCHA! More below. Also look up more docs at the DevGuide.

Don't forget to integrate with the server side

  • Make an HTTP POST to https://www.google.com/recaptcha/api/siteverify with the POST params `secret` and `response` (the response you get from reCAPTCHA)

Part 2: Past, present and future

RIP 2 word Captcha (reCAPTCHA v1)

The 2 word captcha that you know and hate will die by 3/31/2018. (Source and on the FAQ)

AI has advanced to the point that it can solve the hardest CAPTCHAs at 99.8% accuracy, but humans can only solve them 33% of the time. So it is time to put it to bed.

reCAPTCHA v2

The "I am a human" checkbox you've clicked dozens of times. This is actually called the "NoCAPTCHA". For more details, see the implementation options in Part 1 above.

Invisible reCAPTCHA - launched on 3/8/2017

For low risk traffic, no user interaction is required at all to detect if you are a bot!

reCAPTCHA Android API

Included as part of Google Play Services SafetyNet - again, no user interaction required to verify you are human.

Future of reCAPTCHA (v3)

v3 is in Closed Beta now:

  • puts you in control of when we show a challenge
  • integration similar to V2 Invisible
  • In admin console, get a view into the riskiness of your traffic

Sign up for reCAPTCHA v3 beta announcements at http://g.co/recaptcha/v3!

