Bot Detection

reCAPTCHA v2 vs v3: Which is Better for Bot Protection

November, 10, 202214 min Read

ReCAPTCHA v2 vs. v3: Which is Better for Bot Protection?

Malicious bots result in the theft of billions of dollars every year. As attacks—and the fraudsters making them—become more sophisticated, it’s critical that companies act to protect their security, and their bottom line, by putting defenses in place.  

Businesses today must fight bots in real-time, and a common way to do this is by relying on in-session user challenges, like CAPTCHAs, to distinguish between basic bots and good users. 

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and it is designed to prevent bots from disseminating spam, registering fake new accounts and hacking into genuine user accounts.

Chances are good that you’ve already come across reCAPTCHA, but what is the difference between the different versions? Is reCAPTCHA v2 or v3 better at defending against malicious bots? Read on to learn more about the difference between reCAPTCHA v2 vs v3, and the limitations of each.

What is reCAPTCHA?

Like other CAPTCHA services, Google’s reCAPTCHA is designed to prevent fraud attacks on websites, while allowing genuine users to use the digital platform without issue. According to Google, reCAPTCHA actively protects data for a network of five million sites. 

Is reCAPTCHA free?

reCAPTCHA is free, which makes it a popular pick for website owners who know they should do something to help keep fraudsters out, but who are not ready to start spending money on a solution just yet.  

But there are some limits to how—and how much—a business can use reCAPTCHA without any charges. Google’s comparison of features between reCAPTCHA versions indicates that reCAPTCHA offers one million assessments per month for free.

What is reCAPTCHA v2?

Have you seen a checkbox that requires you to complete an action at the end of a form, with the text “I am not a robot”? If so, you’ve seen reCAPTCHA v2. On some occasions, that box is the end of the CAPTCHA challenge, and you’ll be moving on with your transaction in no time. But on a few occasions, you may be asked to complete another task to demonstrate that you are a genuine user, rather than a bot.  

reCAPTCHA v2: Frustrating for Users

Gartner advises using the least annoying CAPTCHAs possible. The point of reCAPTCHA v2 is to check if the user is a human. But since its launch in 2014, it hasn’t always been popular with those genuine users. If you’ve sometimes been irritated by the requests to prove you’re a real person when you sign into a website, and you feel that it is getting more difficult and cumbersome, you’re not alone. 

Sometimes, the well-known “I am not a robot” checkbox might be followed by a grid of images, with an instruction to select all the pictures meeting certain criteria. It can be a frustrating process, because it creates friction for legitimate users.

Creating harder-to-solve CAPTCHAs can help to keep bots out. Unfortunately, it can sometimes keep good users out too. It is increasingly difficult to create CAPTCHAs that are easy for humans in all locations with varied cultural experiences, yet uniformly difficult for all machines.

CAPTCHA Click Farms

Even when CAPTCHAs can keep bots out and let humans in, what if some of the humans they let in are bad actors? CAPTCHA click farms threaten the effectiveness of solutions such as Google’s reCAPTCHA v2. 

A CAPTCHA click farm is a collection of human workers tasked with solving CAPTCHAs, often located in parts of the world where labor is inexpensive. This tactic means that fraudsters might still be able to gain access to a website or user accounts, even if the bot cannot do it alone. 

Diagram showing the progression from a lone fraudster to a click farm

The fact is, any time a bot fails, bad actors have a Plan B. And if your business has something a fraudster wants, then they might be considering using a CAPTCHA click farm to do so.

What is reCAPTCHA v3?

Image showing the reCAPTCHA v3 logoIf you’re comparing reCAPTCHA v3 vs v2, and you’re worried about frustrating genuine users, reCAPTCHA v3 may seem promising at first, because reCAPTCHA v3 works in the background. 

As a user, you may be completely unaware that you’ve encountered it. When you interact with a webpage deploying reCAPTCHA v3, a score is returned to the website owner based on that interaction. If you have a score of 1.0, you’re deemed to be a human. If your score is 0.0, there’s a strong chance that you’re actually a bot. 

How Does Google reCAPTCHA v3 Work?

reCAPTCHA v3 allows websites to set their own score thresholds with regard to what they consider to be a bot. If a website visitor doesn’t meet the threshold, the website can either block the visitor from continuing, or try performing another check on the user. 

reCAPTCHA v3 is billed as a frictionless user experience that represents a fundamental change in the way that Google allows sites to test whether a user is human. Using “adaptive risk analysis” in the background, reCAPTCHA v3 can, according to Google, alert companies of concerning traffic whilst humans enjoy an experience without friction and frustration.

Mapping reCAPTCHA v3 User Scores

reCAPTCHA v3 works by returning a score to the owner of a website about each user, telling them how suspicious an interaction is. Google suggests that reCAPTCHA v3 should be added to multiple website pages for the best results, so users can get more out of the admin console, where they can view score distribution and a breakdown for the stats of the top 10 actions on their website. 

Businesses using reCAPTCHA v3 can choose how to interpret these scores. According to Google, there are three ways that the score could be used:

  1. The website owner can determine a threshold which dictates when the user can be let through, and what additional verification should be performed. An example of extra verification could involve a verification by phone.
  2.  The business could look at the score alongside signals that Google reCAPTCHA does not have access to, such as user profile and use history.
  3. The company can use the reCAPTCHA score as part of a basis for creating or updating a machine learning model which is designed to fight abuse.

How to Interpret Risk Level

Google claims that reCAPTCHA v3 is for site owners who want more data about their traffic. A dashboard allows a site admin to look at the distribution of users' scores, and there is some guidance on how to interpret an assessment, so that reCAPTCHA v3 users can work towards a better understanding of the risks posed by their visitors. 

But it could be difficult for some organizations to use this data to form a detailed understanding of which users are getting through—and whether they are the right users. One drawback of reCAPTCHA is that there is no feedback loop on risk scores and user activities to teach the models to make better decisions, and there’s no dedicated managed service team to provide help when it is required. 

The reCAPTCHA v3 dashboard displays a distribution of user scores, but it probably won’t be enough to help you determine whether you’ve designed your risk tolerances in the best way in the first place. You will have to estimate the right user score thresholds, which might mean that these are not entirely suited to your company’s needs and risk appetite.

Behavioral Data 

reCAPTCHA v3 examines the behavior of users to assess whether they are legitimate. In general, using behavioral data is a good idea, but it is difficult to tell intelligent bots from humans. A rich data set is needed, which means that a bad user might not be identified until he has already interacted with many pages of your website.

So, although reCAPTCHA v3 might make life easier for users, it also has limitations that could allow bots to access your website and user data.

reCAPTCHA and Privacy

If you’re still comparing reCAPTCHA v2 vs v3, and you’re wondering what the behavioral analysis that Google’s reCAPTCHA v3 performs means for your privacy online, you’re asking a good question. 

According to security researchers, Google assesses whether a user is malicious based on whether they have Google cookies installed on their browser. 

But what does it really mean if cookies are playing a part when it comes to reCAPTCHA assessments? It could give Google a good deal of insight into user behavior online, based on the websites and individual web pages that they visit, without the user necessarily being aware of this. 

And as you may have guessed by now, no reCAPTCHA version is GDPR compliant, as it uses cookies and personal data to calculate risk score. 

Can Bots Beat reCAPTCHA?

Unfortunately, bots can sometimes beat reCAPTCHA. The reality is that when it comes to distinguishing extremely high-risk traffic from extremely low-risk traffic, most real-time bot detection tools are up to the task. 

But the problem comes when these tools need to figure out what to do with traffic that falls in the middle. Unsurprisingly, bots are getting better at mimicking human behavior. 

In the cases where a challenge is presented to a user, such as the picture grid that is sometimes displayed following the “I am not a robot” checkbox in reCAPTCHA v2, it might initially seem that a machine wouldn’t be able to solve the puzzle. But fraudsters are mastering the development of more intelligent bots that use machine learning to identify the answers to puzzles, even in cases where it is commonly assumed that only humans can pass them. Image recognition software is improving every day, making it cheaper and easier for bad actors to build scripts that can sneak past CAPTCHA challenges.

Fraudsters have ways to pass CAPTCHA challenges at scale. For example:

  • They use automated breakers that use cookie creation and token harvesting. 
  • They use IP proxy services and run attacks in parallel to maximize the returns. 
  • They can maximize ROI by paying click farms and sweatshops at nominal costs, to pass the visual challenges at scale.
  • Advancements in machine vision technology are helping develop automated solvers that can break the visual challenges more easily.

reCAPTCHA v2 or v3: What to Choose

If you’re running a website for a very small new business, you may be tempted to use reCAPTCHA v2. It’s a good way to get started with keeping bots out of your website. However, any high-value access could become a target for fraud farms that are tasked with getting past the CAPTCHA challenges that some bots miss, and the manual process of passing the challenges could frustrate your valued clients.

If you’re looking to provide a friction-free, user experience, reCAPTCHA v3 may be a better choice than reCAPTCHA v2. It will let more of your valued customers through without challenging them. The downside? Sophisticated bots might well be able to bypass it.

In fact, there are serious downsides to any reCAPTCHA solution, including:

  • Damaged user experience, and lowered good-user throughput due to excess friction
  • Limited visibility to stop bots and click farms
  • Fake new accounts going undetected
  • Manual reviews that cause strain on the in-house team

For all of these reasons and more, a reCAPTCHA alternative should be considered. 

Arkose Labs: The reCAPTCHA Alternative that Stops Bots Permanently

Fortunately, Arkose Labs offers features that reCAPTCHA v2 and v3 don’t, like behavioral biometrics, device spoofing detection, fraud farm detections, and insights/real-time logging. The platform is superior to other CAPTCHA products because it evolves as attackers and bots evolve to provide a permanent solution to attacks with long-term deterrence, early detection, real-time attack response, and a vastly superior user experience.

Human or Bot? Arkose Labs Knows Best

Arkose Labs uses proprietary visual images that are rendered in real-time. They can’t be classified or recognized by even the most sophisticated machine vision software, meaning that we create high barriers to entry for fraudsters looking to circumvent challenges at scale.  

Persistent human attackers seek quick wins, and so our solution is designed to stop them in their tracks. The challenge-response mechanism incrementally increases the volume and complexity of the challenges. It means that fraudsters must spend more time and resources to clear challenges at scale. The ROI doesn’t add up, and so they abandon the attack.

Real-Time Feedback from Arkose Labs

A limitation of legacy captures is the lack of feedback and data access. Customers don’t have access to the data collected in their own environments, so can’t use it to help with downstream decisions.

 At Arkose Labs, our real-time logging is built to help. We provide detailed logs of user activity and full transparency to the 59 data attributes that are used in risk analysis. This means that you’ll have actionable insights, positioning you for success by allowing you to facilitate immediate adaption to changing attack patterns.

In addition to providing real-time feedback, we’re true partners for our clients. You’ll have access to a dedicated technical account manager, and a hands-on 24/7 Security Operations Center staffed by a team of experts.  

Advanced Bots? No Problem for Arkose Labs

Not all threats to your business come from basic bots, and when attacks are more sophisticated, many legacy CAPTCHA solutions fail. Our context-based enforcement challenges utilize the most up-to-date machine vision innovations to undermine the profitability of the attacks.

Arkose Labs also provides a challenge aimed directly at fraud farms. By requiring the humans working within fraud farms to solve time-consuming 3D challenges, the attacker’s ROI is destroyed. 

Conclusion

There’s no silver bullet for stopping fraud. At Arkose Labs, we know that new threats are always around the corner, and we work that into our strategy. The depth and breadth of our challenge roster ensures that it is expensive and time-consuming to create automated solvers. When there are suspicious spikes in activity, challenge types are swapped out, putting the attackers back to square one. Attackers are more likely to give up when they encounter this type of challenge, and move on to another business using challenges that are easily beaten. 

Arkose Labs provides a targeted attack response, which is tailored to an exact risk profile. We continually research and develop new challenges to ensure we stay one step ahead of attackers, while dramatically improving good user throughput. Plus, our Security Operations Center constantly monitors activity.

We’d love to show you what Arkose Labs can do. Register for a demo to learn about how Arkose Labs can help you with the unique challenges that you face in your business.