reCAPTCHA v2 vs. reCAPTCHA v3: does reCAPTCHAv3 really prevent bots while making it easier on us regular humans? Well, it depends. There are pros and cons to both reCAPTCHA v2 and reCAPTCHA v3. CAPTCHAs are a Google test meant to discern between actual human users and bots. A common misconception is that reCAPTCHA v3 is just a newer version of reCAPTCHA v2, which in actuality they are very different. Which CAPTCHA might be right for your site depends on a few factors.
First, let’s define the term CAPTCHA. reCAPTCHA is a security service by Google that stops bots and other automated attacks. It is basically a test to tell computers if you are a human. Basically, you use reCAPTCHA to prove to Google that you are actually a human. Google is trying to fight bots and malicious attacks against websites. The goal of reCAPTCHA is to protect websites from bot attacks, like credential stuffing attacks, that can dramatically hurt your website.
Is reCAPTCHA Free?
Though reCAPTCHA is often touted as a free Google service, it is actually only free for accounts that generate fewer than one million API calls per month. If you are a heavier reCAPTCHA user, Google charges a fee. If your account generates more than 1,000 calls per second, or one million cars per month, you must sign up for a reCAPTCHA enterprise account.For example, for up to ten million calls per month, Google charges $1 per 1,000 calls. And if you get more than ten million calls per month, custom fees apply. But if your website is smaller, yes, reCAPTCHA is a free service.
Many websites you utilize still use reCAPTCHA v2, which was launched back in 2014. If a website user seems suspicious, reCAPTCHA v2 will have the user prove they are human. Sometimes, all you need to do to prove your humanity is simply check a box that says “I’m not a robot.” Or, reCAPTCHA might ask you to complete an image or audio recognition task. For example, you might have to “select all images with boats.”reCAPTCHA v2 uses an “advanced risk analysis system,” which uses Google cookies. If you typically use Chrome to browse the web, you probably will only have to tick the box. However, if you use Firefox and don’t typically accept cookies, you are more likely to receive an image recognition test (and it might be pretty difficult!)More and more, people are worried about their privacy online, and are using private browsers like DuckDuckGo instead of Google. reCAPTCHA 2 will give these users more difficult challenges, which could give them a poor user experience and lower conversion rates for websites.Plus, due to the popularity and longtime use of reCAPTCHA 2, hackers have developed automated solutions to skip even the hardest reCAPTCHA 2 challenges. In fact, some bots even utilize artificial intelligence (AI) to solve reCAPTCHA’s challenges. It’s pretty ironic: Google uses reCAPTCHAS to train their AI models, and then hackers use those AI advances to beat reCAPTCHAs.Another way cybercriminals get around reCAPTCHA challenges is by using CAPTCHA farms. They basically outsource reCAPTCHA solving to workers in other countries.
In light of some of the downsides of reCAPTCHA v2, Google developed reCAPTCHA v3 in order to provide a better user experience and catch the more sophisticated bots. reCAPTCHA v3 is more transparent for website visitors. In fact it works in the background. Google hasn’t told us much about how it works. But, there are no tricky challenges or puzzles to solve. Instead, reCAPTCHA v3 simply monitors the user’s behavior continuously to decide if it is a real live human or a bot.For each request the visitor makes on the website, reCAPTCHA v3 returns a score between 0 and 1. The score depends on how likely it is that the request came from a bot or a human. A score close to 0 means that you are probably a bot, and closer to 1 means that you are probably a human.The website admins can define certain actions to help increase the accuracy of the scoring system and to help reCAPTCHA understand what is and isn’t normal user behavior, depending on the context.But, there is a catch! Though reCAPTCHA v3 is a better user experience for website visitors, who don’t have their browsing time delayed by a set of challenges, it does present new issues for website admins.reCAPTCHA v2 was simply for website admins, because the only required action was to determine whether the user completed the challenge accurately or not. However, with reCAPTCHA v3, now the website administrator needs to determine which action to take based on the numerical score. It is a much more difficult task, even for experienced webmasters.
How to Map reCAPTCHA v3 User Scores to Actions
Each website administrator can choose the threshold based on the score. For example, you can choose to block users whose score falls underneath 0.25. Or, you can serve them a reCAPTCHA v2 first. The pro of this system is that you get to decide. The con is that there is no exact right answer. If you make your thresholds extremely strict, there is a chance that you will block actual legitimate users. However, the opposite is also true. If your thresholds are pretty low, you will let plenty of bots access your site.There are three possible responses to each action a user makes on your website:
- Give the user access
- Ask the user to solve a reCAPTCHA v2
- Block the user
reCAPTCHA v2 vs v3
In order to protect your site, you might want to consider using reCAPTCHA 2 or reCAPTCHA 3. There are pros and cons to both reCAPTCHA v2 and reCAPTCHA v3. While it is possible that having to stop and complete a challenge with reCAPTCHA v2 might bother some of your users, reCAPTCHA v3 requires your web administrator to do quite a bit of extra work. It comes down to which is the better choice for your site.
- What is reCAPTCHA?
- Is it free to use Google reCAPTCHA?
- What is a CAPTCHA farm?
- How does reCAPTCHA v3 work?
- Can reCAPTCHA be bypassed?