"The 2 squiggly word captcha that you know and hate will die by 3/31/2018."
The Web is dark and full of bots, and there is one undisputed leader in defending against them. You probably use reCAPTCHA every day but you don't even know it! Aaron Malenfant is the lead software engineer for reCAPTCHA and he explained its past, present, and future at GDG DevFest NYC. reCAPTCHA is secretive by its very nature, so it is a rare look into how this essential piece of web technology works.
Part 1: High level details
What I Learned
You can sign up for reCAPTCHA at https://www.google.com/recaptcha and learn more with the CodeLab here.
Volume
ReCAPTCHA
- 2 million weekly active sites
- 1 billion CAPTCHA solutions a week
- Nocaptcha saves millions of hours a day
Difficulty levels
The reCAPTCHA Machine learning engine categorizes incoming requests on a spectrum of difficulty levels from "just a checkbox" to "select all images with cars" (image classification) to "select all squares with vehicles" (image localization) to "ok you're definitely a bot".
Integrating into -your- site
Head to https://www.google.com/recaptcha/admin#list and answer a few simple questions!
You will have a few options:
- Visible: Script tag and a div
- Invisible: script tag and a button with a callback
- Invisible: script tag with a div to have control when you execute
Yes, there is such a thing as Invisible reCAPTCHA! more below. Also look up more docs at the DevGuide.
Don't forget to integrate with serverside
- make HTTP POST to with POST params of
secret
andresponse
you get from reCAPTCHA
Part 2: Past, present and future
RIP 2 word Captcha (reCAPTCHA v1)
The 2 word captcha that you know and hate will die by 3/31/2018. (Source and on the FAQ)
AI has advanced to the point that it can solve the hardest CAPTCHAs at 99.8% accuracy, but humans can only solve them 33% of the time. So it is time to put it to bed.
reCAPTCHA v2
the "i am a human" checkbox you've clicked dozens of times - this is actually called the "NoCAPTCHA" - for more details, see implementation options in Part 1 above.
Invisible reCAPTCHA - launched on 3/8/2017
For low risk traffic, no user interaction is required at all to detect if you are a bot!
reCAPTCHA Android API
Included as part of Google Play Services SafetyNet - again, no user interaction required to verify you are human.
Future of reCAPTCHA (v3)
v3 is in Closed Beta now:
- puts you in control of when we show a challenge
- integration siilar to V2 Invisible
- In admin console, get a view into the riskiness of your traffic
Signup for reCAPTCHA v3 beta announcements at http://g.co/recaptcha/v3!
Top comments (2)
Love this title 👏🏽
Just feel like mentioning: I actually prefer the weird word captcha over reCaptcha. Well, not always. Only when it sees my VPN and thinks I could be a bot. It sucks because it doesn't see context.
If it asks me to select images with signs and I select the sign's post, it doesn't work because it doesn't know if it's a sign without context. And even if I try my best to look at each image separately, it still throws me off most of the time. And then comes the one where you have to wait for the images to fade in. And each image takes forever. 5 seconds for a single image, and there are at least 16 of them. At this point I could have done 5 weird word captchas and gotten them correctly on the first try.