DEV Community

swyx
swyx

Posted on

Are we human? Or are we reCAPTCHA?

"The 2 squiggly word captcha that you know and hate will die by 3/31/2018."

The Web is dark and full of bots, and there is one undisputed leader in defending against them. You probably use reCAPTCHA every day but you don't even know it! Aaron Malenfant is the lead software engineer for reCAPTCHA and he explained its past, present, and future at GDG DevFest NYC. reCAPTCHA is secretive by its very nature, so it is a rare look into how this essential piece of web technology works.

Part 1: High level details

What I Learned

You can sign up for reCAPTCHA at https://www.google.com/recaptcha and learn more with the CodeLab here.

Volume

ReCAPTCHA

  • 2 million weekly active sites
  • 1 billion CAPTCHA solutions a week
  • Nocaptcha saves millions of hours a day

Difficulty levels

The reCAPTCHA Machine learning engine categorizes incoming requests on a spectrum of difficulty levels from "just a checkbox" to "select all images with cars" (image classification) to "select all squares with vehicles" (image localization) to "ok you're definitely a bot".

Integrating into -your- site

Head to https://www.google.com/recaptcha/admin#list and answer a few simple questions!

You will have a few options:

  • Visible: Script tag and a div
  • Invisible: script tag and a button with a callback
  • Invisible: script tag with a div to have control when you execute

Yes, there is such a thing as Invisible reCAPTCHA! more below. Also look up more docs at the DevGuide.

Don't forget to integrate with serverside

  • make HTTP POST to with POST params of secret and response you get from reCAPTCHA

Part 2: Past, present and future

RIP 2 word Captcha (reCAPTCHA v1)

The 2 word captcha that you know and hate will die by 3/31/2018. (Source and on the FAQ)

AI has advanced to the point that it can solve the hardest CAPTCHAs at 99.8% accuracy, but humans can only solve them 33% of the time. So it is time to put it to bed.

reCAPTCHA v2

the "i am a human" checkbox you've clicked dozens of times - this is actually called the "NoCAPTCHA" - for more details, see implementation options in Part 1 above.

Invisible reCAPTCHA - launched on 3/8/2017

For low risk traffic, no user interaction is required at all to detect if you are a bot!

reCAPTCHA Android API

Included as part of Google Play Services SafetyNet - again, no user interaction required to verify you are human.

Future of reCAPTCHA (v3)

v3 is in Closed Beta now:

  • puts you in control of when we show a challenge
  • integration siilar to V2 Invisible
  • In admin console, get a view into the riskiness of your traffic

Signup for reCAPTCHA v3 beta announcements at http://g.co/recaptcha/v3!

Top comments (2)

Collapse
 
peter profile image
Peter Kim Frank

Love this title πŸ‘πŸ½

Collapse
 
legolord208 profile image
jD91mZM2

Just feel like mentioning: I actually prefer the weird word captcha over reCaptcha. Well, not always. Only when it sees my VPN and thinks I could be a bot. It sucks because it doesn't see context.

If it asks me to select images with signs and I select the sign's post, it doesn't work because it doesn't know if it's a sign without context. And even if I try my best to look at each image separately, it still throws me off most of the time. And then comes the one where you have to wait for the images to fade in. And each image takes forever. 5 seconds for a single image, and there are at least 16 of them. At this point I could have done 5 weird word captchas and gotten them correctly on the first try.