Scorpiones Group

The difference between reCAPTCHA v2 and v3

CAPTCHAs are a common test on the web, designed to differentiate between actual users and bots.
Google introduced reCAPTCHA v3 hoping to reduce the number of challenges a user might see.
As bots that try to pass as real humans become more sophisticated, Google has released new versions of its reCAPTCHA API.
The most recognized version of this test involves typing in distorted text, with more recent forms asking users to identify objects in images.
The old reCAPTCHA system was pretty easy: a simple "I'm not a robot" checkbox would get people through your sign-up page.

The new version is even simpler, and it doesn't use a challenge or checkbox at all. It works invisibly in the background to tell bots apart from humans.
Google doesn't go into much detail on how it works,
saying only that the system uses "a combination of machine learning and advanced risk analysis that adapts to new and emerging threats."
With reCAPTCHA v3, Google is improving the experience even further: the API returns a score between 0.0 and 1.0 that ranks "how suspicious an interaction is."

Are you human? The goal is to minimize the "need to interrupt users with challenges at all."
It scores traffic with its Adaptive Risk Analysis Engine instead of forcing human users to perform interactive challenges.
The score can be used in three different ways:

  • Set a threshold that determines when a user is let through and when further verification is needed, e.g. two-factor authentication, a reCAPTCHA v2 challenge or phone verification.
  • Combine the score with your own signals that reCAPTCHA can't access, such as user profiles or transaction histories.
  • Use the reCAPTCHA score as one of the signals for training your own machine learning model to fight abuse.
v3 gives site owners more options to customize the thresholds and actions for different types of traffic.
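The first of the three uses above, a server-side threshold policy applied to the v3 score, as an added example that is not code from the original post or from Google. It assumes the standard siteverify JSON response (fields `success`, `score`, `action`, `hostname`); the per-action thresholds and the sample responses are constructed for illustration.

```python
import json

# Per-action policy, chosen by the site owner (constructed values):
# score >= allow_at  -> let the request through
# score >= step_up_at -> require a further check (2FA, v2 challenge, phone)
# otherwise           -> block
POLICY = {
    "login":   {"allow_at": 0.7, "step_up_at": 0.3},
    "comment": {"allow_at": 0.5, "step_up_at": 0.2},
}

# Hostname the token must have been issued for (constructed placeholder).
EXPECTED_HOSTNAME = "example.com"


def decide(siteverify_json: str, expected_action: str) -> str:
    """Map a siteverify response to 'allow', 'step_up' or 'block'.

    The score alone is not enough: a token that succeeded but was issued
    for a different action or hostname is treated as a replay and blocked.
    """
    resp = json.loads(siteverify_json)
    if not resp.get("success"):
        return "block"                      # invalid, expired or reused token
    if resp.get("action") != expected_action:
        return "block"                      # token minted for another form
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        return "block"                      # token minted on another site
    score = resp.get("score")
    if not isinstance(score, (int, float)):
        return "block"                      # v2 responses carry no score
    policy = POLICY[expected_action]
    if score >= policy["allow_at"]:
        return "allow"
    if score >= policy["step_up_at"]:
        return "step_up"
    return "block"


# Constructed sample responses (not captured from real traffic).
SAMPLE_HUMAN = json.dumps({"success": True, "score": 0.9, "action": "login",
                           "hostname": "example.com"})
SAMPLE_SUSPECT = json.dumps({"success": True, "score": 0.4, "action": "login",
                             "hostname": "example.com"})
SAMPLE_REPLAY = json.dumps({"success": True, "score": 0.9, "action": "comment",
                            "hostname": "example.com"})
SAMPLE_BAD = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})
```

Note that the same 0.4 score blocks a login but only steps up a comment, which is the per-traffic-type tuning the post refers to.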
There are different types of reCAPTCHA to choose from when creating a new site.
The differences between them are detailed here:

reCAPTCHA v2 (Invisible reCAPTCHA badge)
The invisible reCAPTCHA badge does not require the user to click on a checkbox;
instead it is invoked directly when the user clicks on an existing button on your site, or it can be invoked via a JavaScript API call.
The integration requires a JavaScript callback when reCAPTCHA verification is complete.
By default only the most suspicious traffic will be prompted to solve a CAPTCHA.
To alter this behavior, edit your site security preference under advanced settings.

reCAPTCHA v2 ("I'm not a robot" checkbox)
The "I'm not a robot" checkbox requires the user to click a checkbox indicating the user is not a robot.
This will either pass the user immediately (with No CAPTCHA) or challenge them to validate whether or not they are human.
This is the simplest option to integrate with and only requires two lines of HTML to render the checkbox.

reCAPTCHA v3
reCAPTCHA v3 allows you to verify whether an interaction is legitimate without any user interaction.
It is a pure JavaScript API returning a score, giving you the ability to take action in the context of your site:
for instance requiring additional factors of authentication, sending a post to moderation, or throttling bots that may be scraping content.
In conclusion, reCAPTCHA v3 will not make v2 obsolete.
Invisible v2 and v3 work very differently, and v3 may not be suitable for all sites.
v3 has some downsides, which means v2 will continue to be used for a long time.
Just as Google fights bots and malicious actions against websites and apps, so does Scorpiones:
our team has developed a way to test your mobile or web application for penetrations and weak spots.
If you wish to protect your website, or you want to make sure your organization is well protected, contact us now and we will be happy to test your system.

Tags: Red Team Web Application Penetration Testing Google reCAPTCHA