An Overview of Google reCAPTCHA and the Differences Between v2 and v3

Ben Ritthichai
4 min read · Sep 10, 2020


If you’re no stranger to internet forms, you may have seen Google reCAPTCHA around before. It is commonly used in web forms to verify the authenticity of the user and assist in preventing bot activity. You may have seen it as a familiar checkbox or badge.

Example reCAPTCHA Checkbox
Example reCAPTCHA Badge

So how do they work?

Let’s start with reCAPTCHA v2

There are two implementations of reCAPTCHA v2 for the web: checkbox and invisible. The checkbox reCAPTCHA v2 normally sits within a form and requires the user to check it before submission. The invisible reCAPTCHA v2, on the other hand, automatically runs the check when the user performs a certain interaction specified by the page (usually this is attached to the submission of a form). On interaction with either implementation, reCAPTCHA will prompt the user with a challenge if it deems them suspicious. The challenge usually looks something like this:

Example reCAPTCHA v2 challenge

You may notice that sometimes when interacting with reCAPTCHA, it will just let you through without actually prompting a verification. This is because reCAPTCHA does calculations based on some factors to determine if you are suspicious enough to warrant a challenge. The exact factors are not publicly documented, but it has been speculated to include things such as the user’s behaviour on the page, their browser history, connection to Google services, and more.

So how is this useful? And what happens after we’ve done the reCAPTCHA challenge?

When a web page sends a request to a back-end service (e.g. on a form submission), the back-end service wants to be able to verify that whoever sent that request is not a robot. To help with this, the web page receives a token from Google reCAPTCHA when a reCAPTCHA challenge is completed, and this token can then be passed along to the back-end with the rest of the intended request. When the back-end receives the request, it will contain the usual contents of the request (e.g. form data) as well as the reCAPTCHA token. The back-end can then verify the token with reCAPTCHA, which tells it whether whoever made that request passed or failed the verification challenge, so it can process the request as normal.

And what about reCAPTCHA v3?

Like the invisible reCAPTCHA v2, with reCAPTCHA v3 all the user sees is the reCAPTCHA badge. However, unlike reCAPTCHA v2, v3 does not prompt the user with a reCAPTCHA challenge when they are deemed suspicious. The UI still obtains a token from reCAPTCHA and sends the token to the back-end, but when the back-end verifies that token with reCAPTCHA, instead of getting a pass/fail, the back-end receives a score between 0.0 and 1.0 representing how suspicious the request was. It is then up to the back-end what to do with this information.

While you no longer get the built-in verification challenge, reCAPTCHA v3 allows for a number of different benefits, including:

  • Custom handling of suspicious behaviour, e.g. triggering an SMS/email verification code, prompting a security question challenge, etc.
  • Handling different levels of suspicious behaviour, e.g. prompting verification for requests with a score below a certain threshold, and denying requests with a score below a lower threshold.
  • Measuring suspicious activity without obstructing user experience. Since reCAPTCHA v3 does not prompt the user with a verification challenge, it can be implemented on various parts of your website to measure suspicious traffic without interrupting the user flow. This can be useful for gauging the need for further methods of verification before you implement it.
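The back-end side of both flows described above (the v2 pass/fail verification and the v3 score with tiered thresholds) looks roughly like the following. This is an added example, not code from the original post: the siteverify endpoint and the fields in its JSON reply (success, score, action, challenge_ts, hostname, error-codes) are Google's documented API, but the thresholds, the hostname and action values, and the sample responses are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Google's documented verification endpoint (the same one serves v2 and v3).
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# v3 thresholds: assumed values for this example, not Google's defaults.
DENY_BELOW = 0.3       # below this, treat the request as a bot
CHALLENGE_BELOW = 0.7  # below this, ask for a secondary check (SMS/email code, etc.)


def siteverify(secret, token, remote_ip=None):
    """POST the token the browser handed us to siteverify and return the parsed
    JSON. This is the only step that needs network access; the policy below does not."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=10) as resp:
        return json.loads(resp.read().decode())


def decide(result, expected_hostname, expected_action=None, now=None,
           max_age=timedelta(minutes=2)):
    """Map a siteverify response to 'allow', 'challenge' or 'deny'.

    v2 responses carry only success/fail; v3 responses add score and action.
    The hostname, action and timestamp checks stop a token issued for another
    site, another form, or some time ago from being accepted here."""
    if not result.get("success"):
        return "deny"                       # failed challenge, or bad/duplicate token
    if result.get("hostname") != expected_hostname:
        return "deny"                       # token was issued for a different site
    ts = result.get("challenge_ts")
    if ts:
        issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if issued.tzinfo is None:
            issued = issued.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if now - issued > max_age:
            return "deny"                   # stale token
    if "score" not in result:
        return "allow"                      # v2: success is the whole answer
    if expected_action is not None and result.get("action") != expected_action:
        return "deny"                       # v3: token was issued for a different action
    score = float(result["score"])
    if score < DENY_BELOW:
        return "deny"
    if score < CHALLENGE_BELOW:
        return "challenge"
    return "allow"


# Constructed sample responses in the documented siteverify shape (not real data).
FIXED_NOW = datetime(2020, 9, 10, 12, 1, 0, tzinfo=timezone.utc)
SAMPLE_V2_OK = {"success": True, "challenge_ts": "2020-09-10T12:00:00Z",
                "hostname": "example.com"}
SAMPLE_V3_HIGH = {"success": True, "score": 0.9, "action": "login",
                  "challenge_ts": "2020-09-10T12:00:30Z", "hostname": "example.com"}
SAMPLE_V3_MID = dict(SAMPLE_V3_HIGH, score=0.5)
SAMPLE_V3_LOW = dict(SAMPLE_V3_HIGH, score=0.1)
SAMPLE_V3_WRONG_ACTION = dict(SAMPLE_V3_HIGH, action="signup")
SAMPLE_V3_OLD = dict(SAMPLE_V3_HIGH, challenge_ts="2020-09-10T11:30:00Z")
SAMPLE_REUSED = {"success": False, "error-codes": ["timeout-or-duplicate"]}


def demo():
    """Run the policy over the constructed samples; returns a name -> decision dict."""
    return {
        "v2_ok": decide(SAMPLE_V2_OK, "example.com", now=FIXED_NOW),
        "v2_other_host": decide(SAMPLE_V2_OK, "other.example", now=FIXED_NOW),
        "v3_high": decide(SAMPLE_V3_HIGH, "example.com", "login", now=FIXED_NOW),
        "v3_mid": decide(SAMPLE_V3_MID, "example.com", "login", now=FIXED_NOW),
        "v3_low": decide(SAMPLE_V3_LOW, "example.com", "login", now=FIXED_NOW),
        "v3_wrong_action": decide(SAMPLE_V3_WRONG_ACTION, "example.com", "login", now=FIXED_NOW),
        "v3_old": decide(SAMPLE_V3_OLD, "example.com", "login", now=FIXED_NOW),
        "reused": decide(SAMPLE_REUSED, "example.com", now=FIXED_NOW),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

The point of the extra checks is that success and score alone are not enough: the token should be verified on the back-end (never in the browser), checked against the hostname and, for v3, the action the page asked for, and treated as single-use, since siteverify reports a replayed or expired token as "timeout-or-duplicate". The "challenge" outcome is where the custom handling from the list above plugs in.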

In summary (TL;DR)

While similar in background, reCAPTCHA v2 and v3 have some distinct differences that will determine which is more suitable for your use.

reCAPTCHA v2

  • Provides a built-in verification challenge.
  • Prompts verification challenge if behaviour is suspicious.
  • Gives a pass/fail result for verification challenge.
  • Good for simple bot protection on forms.

reCAPTCHA v3

  • No built-in verification.
  • Does not interrupt user flow.
  • Can be used in conjunction with custom verification methods.
  • Good for monitoring suspicious traffic.

In essence, if you’re looking for a simple reCAPTCHA implementation with a built-in verification challenge to prevent bot traffic, reCAPTCHA v2 will suffice. If you’re looking to just monitor bot traffic on your site, or create

And that is all for now. If you want to learn more, check out the reCAPTCHA website.
