Basics of reCAPTCHA v3 — The new way to stop bots

Bhargav Shah
3 min read · Apr 12, 2020

Overview of Google reCAPTCHA v3.

https://www.google.com/recaptcha/intro/v3.html

Problem statement:

Example: we want to secure our EC (e-commerce) website against bots with minimal to no friction for human users.

Our use cases can include:

  • Login page — prevent credential stuffing attacks
  • Product page — prevent abusive comments and send risky comments to moderation
  • Checkout — identify risky transactions and put your real sales ahead of bots

One solution could be “reCAPTCHA” from Google.

Let’s understand what a CAPTCHA is.

CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. A CAPTCHA is sometimes described as a reverse Turing test, because the machine is testing the human rather than the other way around.

One of the earliest commercial uses of CAPTCHAs was in 2001, when PayPal used such tests as part of a fraud prevention strategy in which they asked humans to “retype distorted text that programs have difficulty recognizing”. PayPal cofounder and CTO Max Levchin helped commercialize this early use.

What is reCAPTCHA?

reCAPTCHA is a free service that protects your website from spam and abuse. It is a CAPTCHA-like system designed to establish that a computer user is human.

In this system, users are asked to click on a checkbox (the system verifies whether the user is human using clues such as already-known cookies or mouse movements within the frame) or, if that check fails, to select one or more images from a set of images. In 2018, Google started beta testing a completely invisible reCAPTCHA system which does not present any visual human verification. Instead, the new system monitors user actions across the entire property and returns a score which represents the probability that the user is a human rather than a bot.

Versions of reCAPTCHA:

We will be trying the latest version — reCAPTCHA v3. For your information, reCAPTCHA v1 has been shut down since March 2018.

How does the reCAPTCHA flow work?

  • “Sign up for the keys”. The site key is used in the frontend and the secret key in the backend. For security purposes, keep the secret key safe: it belongs on the server only and must never be sent to the browser.
  • In the frontend, we use our site key to get a token for our user. Each reCAPTCHA user response token is valid for two minutes and can only be verified once, to prevent replay attacks. If you need a new token, re-run the reCAPTCHA verification.
  • From the backend, send the token for verification.

    API Request
    URL: https://www.google.com/recaptcha/api/siteverify
    METHOD: POST
    PARAMETERS: secret key and token

    API Response
    {
      "success": true|false,
      "score": number,
      "action": string,
      "challenge_ts": timestamp,
      "hostname": string,
      "error-codes": [...]
    }

  • Based on the “score”, an action can be taken. Scores range from 0.0 to 1.0, with 0.0 indicating abusive traffic and 1.0 indicating good traffic.
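The backend step above, worked through as an added example (this is not code from the original post or from Google). It builds the POST to the siteverify URL shown above, then turns the JSON response into a decision. The request parameter names `secret`, `response` and `remoteip` are the ones documented for the siteverify API; the score thresholds (0.7 to allow, 0.3 to send to review) are assumptions for illustration, since the post gives only the 0.0–1.0 range; the secret key, hostname and the five sample responses are constructed so the example runs offline. Beyond the raw score, the check also rejects a token whose `action` or `hostname` does not match the page that issued it, and treats `success: false` (expired, replayed or otherwise invalid token) as a rejection rather than a low score.

```python
import json
import urllib.parse
import urllib.request

# Endpoint named in the post.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Assumed thresholds for this example; tune them per form/action in practice.
ALLOW_THRESHOLD = 0.7   # >= allow
REVIEW_THRESHOLD = 0.3  # >= send to moderation / step-up, below = block


def build_siteverify_request(secret_key, token, remote_ip=None):
    """Build the POST to siteverify. 'secret', 'response' and 'remoteip' are the
    documented parameter names; the secret key never leaves the backend."""
    params = {"secret": secret_key, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    body = urllib.parse.urlencode(params).encode("utf-8")
    return urllib.request.Request(
        SITEVERIFY_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def evaluate_siteverify(resp, expected_action, expected_hostname):
    """Map a parsed siteverify JSON body to one of:
    'reject' (verification failed or token not issued for this form/site),
    'block' (low score), 'review' (middle score), 'allow' (high score)."""
    if not resp.get("success"):
        # Token expired (2-minute lifetime), already verified (replay),
        # malformed, or the secret key was wrong. Never fall back to "allow".
        return "reject"
    # The token is bound to the action name and the domain that issued it;
    # a mismatch means it was minted for a different form or a different site.
    if resp.get("action") != expected_action:
        return "reject"
    if resp.get("hostname") != expected_hostname:
        return "reject"
    score = float(resp.get("score", 0.0))
    if score >= ALLOW_THRESHOLD:
        return "allow"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "block"


def verify_token(secret_key, token, expected_action, expected_hostname,
                 opener=urllib.request.urlopen):
    """Full round trip: POST the token, parse the JSON, decide.
    `opener` is injectable so the flow can be exercised without network access."""
    req = build_siteverify_request(secret_key, token)
    with opener(req) as http_resp:
        resp = json.loads(http_resp.read().decode("utf-8"))
    return evaluate_siteverify(resp, expected_action, expected_hostname)


# Constructed sample responses (not captured from Google), keyed by the token
# the fake frontend "sent". They follow the response shape shown in the post.
SAMPLE_RESPONSES = {
    "good-login": {"success": True, "score": 0.9, "action": "login",
                   "challenge_ts": "2020-04-12T10:00:00Z", "hostname": "shop.example.com"},
    "risky-comment": {"success": True, "score": 0.4, "action": "comment",
                      "challenge_ts": "2020-04-12T10:00:01Z", "hostname": "shop.example.com"},
    "bot-login": {"success": True, "score": 0.1, "action": "login",
                  "challenge_ts": "2020-04-12T10:00:02Z", "hostname": "shop.example.com"},
    "wrong-site": {"success": True, "score": 0.9, "action": "login",
                   "challenge_ts": "2020-04-12T10:00:03Z", "hostname": "other.example.net"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

SECRET_KEY = "SECRET_KEY_PLACEHOLDER"  # constructed; a real key comes from the admin console
EXPECTED_HOSTNAME = "shop.example.com"  # constructed


class _FakeHTTPResponse:
    """Minimal stand-in for what urlopen returns, so the example runs offline."""
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Answer a siteverify request with the constructed response for its token."""
    sent = urllib.parse.parse_qs(req.data.decode("utf-8"))
    assert sent["secret"] == [SECRET_KEY]  # the secret travels server-to-Google only
    return _FakeHTTPResponse(SAMPLE_RESPONSES[sent["response"][0]])


def decide(token, expected_action):
    """Decision for one constructed token, using the offline opener."""
    return verify_token(SECRET_KEY, token, expected_action,
                        EXPECTED_HOSTNAME, opener=fake_opener)


if __name__ == "__main__":
    for tok, action in [("good-login", "login"), ("risky-comment", "comment"),
                        ("bot-login", "login"), ("wrong-site", "login"),
                        ("replayed", "login")]:
        print(f"{tok:14s} -> {decide(tok, action)}")
```

In production, replace `fake_opener` with the default `urllib.request.urlopen` (or your HTTP client), keep the thresholds per action rather than global, and log the `action`, `hostname` and `error-codes` fields on every rejection so that expired tokens and replays can be distinguished from genuinely low scores.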

With this flow in place, our site is protected against bots: reCAPTCHA protects you against spam and other types of automated abuse.

Google Admin Console — reCAPTCHA v3

Conclusion:

Unfortunately, as bots get more and more advanced, CAPTCHA methods will have to become more and more intrusive to establish that you are in fact human. Users will need to sacrifice more of their privacy in order to remain safe from spam and bots on the internet, and by the looks of things, that is something we have to accept.

Thanks for reading. 😄

Written by Bhargav Shah

Cloud Solution Architect at Walmart Japan