Introducing reCAPTCHA Enterprise
Google’s Advanced Bot Detection and Protection Solution.
Google has been protecting websites with its reCAPTCHA service for over a decade. With the introduction of reCAPTCHA Enterprise, they have gone a step further. This technology uses risk analysis tools such as machine learning to distinguish between humans and bots. One of its most notable advantages is that it gives users more detailed risk scores for events, together with explanation codes, so they can take more targeted action against potential threats. reCAPTCHA Enterprise also includes mobile app SDKs and the flexibility to fine-tune site-specific models, making it a comprehensive and robust enterprise solution.
Understanding the Workflow
Here is a sample diagram that can help you understand the basic flow for securing your applications against bots. Note that other flows exist that differ from the one shown below. This particular diagram is intended to give a general understanding of the flow using score-based site keys, which are currently the recommended approach.
- As depicted in the diagram above, in step 1.1 the user enters the domain name in the Chrome browser and the request is sent to the backend. In step 1.2, the website content is loaded.
- Once the webpage is loaded, we load the reCAPTCHA JS from reCAPTCHA Enterprise in step 1.3. This is done by a snippet included in our static content, which looks something like this (site_key is the placeholder for your own key):
<script src="https://www.google.com/recaptcha/enterprise.js?render=site_key"></script>
- As soon as the reCAPTCHA JS starts running in the background, it begins collecting user signals (step 1.4).
- Later in the flow, when the user performs a login action in step 2.1 (it does not have to be a discrete action; we can also observe the entire session), which is the point we protect, we send the collected signals to reCAPTCHA Enterprise in step 2.2 so that it can analyze them.
- After the analysis is complete, reCAPTCHA Enterprise returns an encrypted token to us in step 2.3.
- In step 2.4, we include the token in a request header and send it to the backend, as illustrated above.
- In step 2.5, our backend receives the encrypted token from the web page but cannot interpret it on its own. To establish the token's validity, the backend sends an assessment request to reCAPTCHA Enterprise.
- In step 2.6, reCAPTCHA Enterprise evaluates the token and returns the user's score along with additional information such as reason codes.
- In the last step, 2.7, the backend decides whether to allow or deny the user based on the score it received. Denying the user here means they are most likely a bot. For additional certainty, the user may instead be prompted with a checkbox reCAPTCHA challenge.
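The steps above, written out as code, are shown below. This is an added example for this post, not code from Google or from the original article: the browser half drives steps 1.4 and 2.1 to 2.4, and the backend half does steps 2.5 to 2.7. It assumes Node.js 18+ (global fetch), a login form at /login, a header name X-Recaptcha-Token that I chose for carrying the token, placeholder values for the site key, project ID and API key, and illustrative score thresholds (0.7 to allow, 0.3 to deny, step-up challenge in between). The sample assessment responses are constructed, shaped like the documented createAssessment response, so the decision logic can be exercised offline.

```javascript
// Added example (not from the original post). Node.js 18+ for the backend half.
const SITE_KEY = 'site_key';            // placeholder, as in the post
const PROJECT_ID = 'your-gcp-project';  // placeholder
const API_KEY = 'API_KEY_PLACEHOLDER';  // placeholder

// --- Browser side (steps 1.4, 2.1-2.4) -------------------------------------
// Runs only in a page that has loaded enterprise.js?render=SITE_KEY, so it is
// defined here for illustration and never called under Node.
function protectLogin(formSelector, siteKey) {
  const form = document.querySelector(formSelector);
  form.addEventListener('submit', (ev) => {
    ev.preventDefault();
    grecaptcha.enterprise.ready(async () => {
      // 2.2/2.3: hand over the collected signals, receive an opaque token
      // bound to the "login" action.
      const token = await grecaptcha.enterprise.execute(siteKey, { action: 'login' });
      // 2.4: forward the token to our backend in a request header
      // (X-Recaptcha-Token is an assumed header name).
      const res = await fetch(form.action, {
        method: 'POST',
        headers: { 'X-Recaptcha-Token': token },
        body: new FormData(form),
      });
      // ... handle res: login result or a step-up checkbox challenge ...
    });
  });
}

// --- Backend side (steps 2.5-2.7) --------------------------------------------
// 2.5: the body sent to the createAssessment endpoint.
function buildAssessmentRequest(token, siteKey, expectedAction) {
  return { event: { token, siteKey, expectedAction } };
}

function assessmentUrl(projectId, apiKey) {
  return `https://recaptchaenterprise.googleapis.com/v1/projects/${projectId}/assessments?key=${apiKey}`;
}

// Network call (not exercised offline): POST the event, get the assessment back.
async function createAssessment(token, expectedAction) {
  const res = await fetch(assessmentUrl(PROJECT_ID, API_KEY), {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildAssessmentRequest(token, SITE_KEY, expectedAction)),
  });
  if (!res.ok) throw new Error(`assessment failed: HTTP ${res.status}`);
  return res.json();
}

// 2.6/2.7: turn an assessment into allow / challenge / deny.
// Thresholds are illustrative; tune them per site and per action.
function decide(assessment, expectedAction, { allowAbove = 0.7, denyBelow = 0.3 } = {}) {
  const props = assessment.tokenProperties || {};
  const risk = assessment.riskAnalysis || {};
  const reasons = risk.reasons || [];
  // An invalid token (expired, already used, malformed) carries no score
  // worth trusting: fail closed.
  if (!props.valid) return { action: 'deny', why: `invalid token: ${props.invalidReason || 'UNKNOWN'}` };
  // A valid token minted for a different action is being replayed here.
  if (props.action !== expectedAction) return { action: 'deny', why: `action mismatch: ${props.action}` };
  if (typeof risk.score !== 'number') return { action: 'challenge', why: 'no score', reasons };
  if (risk.score >= allowAbove) return { action: 'allow', score: risk.score, reasons };
  if (risk.score < denyBelow) return { action: 'deny', score: risk.score, reasons };
  return { action: 'challenge', score: risk.score, reasons }; // step up with a checkbox
}

// Constructed sample responses, shaped like the documented assessment object.
const SAMPLE_HUMAN = { tokenProperties: { valid: true, action: 'login', hostname: 'example.com' }, riskAnalysis: { score: 0.9, reasons: [] } };
const SAMPLE_BOT = { tokenProperties: { valid: true, action: 'login', hostname: 'example.com' }, riskAnalysis: { score: 0.1, reasons: ['AUTOMATION'] } };
const SAMPLE_REPLAY = { tokenProperties: { valid: false, invalidReason: 'DUPE', action: 'login' }, riskAnalysis: {} };
const SAMPLE_WRONG_ACTION = { tokenProperties: { valid: true, action: 'homepage' }, riskAnalysis: { score: 0.9, reasons: [] } };

for (const [name, sample] of Object.entries({ SAMPLE_HUMAN, SAMPLE_BOT, SAMPLE_REPLAY, SAMPLE_WRONG_ACTION })) {
  console.log(name, decide(sample, 'login'));
}
```

Two checks in decide are easy to forget and matter more than the threshold: a token with tokenProperties.valid set to false is rejected before its score is read, and a token whose action does not match the action the endpoint expects is rejected even if its score is high, since a good-looking token harvested on another page should not unlock the login step.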
reCAPTCHA key types
As you may have noticed, we used score-based keys in the diagram above, which is also what Google recommends. But what are these key types? reCAPTCHA Enterprise offers two types of site keys to authenticate user interactions on web pages and mobile applications:
- score-based (no challenge)
- checkbox (checkbox challenge)
For every request, both key types can generate a score based on the user's interactions with the site or application, letting you assess the risk of each interaction and take appropriate action. Score-based keys are advisable over checkbox challenges, as checkbox challenges require manual interaction (find the bridges in the pictures 🤢) and can be difficult for users. Moreover, checkbox challenges do not support mobile platforms.
reCAPTCHA without a custom backend
Up to this point, we have discussed the backend's responsibility for sending assessment requests to reCAPTCHA Enterprise and making decisions based on the score. If you want to avoid writing custom verification code for reCAPTCHA Enterprise, you can leverage the integration between Cloud Armor and reCAPTCHA Enterprise. WAF providers use policies to filter traffic based on conditions such as the IP address, IP range, region code or request headers of an incoming request, in order to control access to applications or services; Google Cloud Armor uses security policies for this.
The diagram illustrating the integration of reCAPTCHA Enterprise with Cloud Armor is similar to the earlier one. The only change required is replacing the backend component with Cloud Armor.
In the diagram shown above, a new component called Armor has been introduced, which takes over the tasks previously required of the backend. As depicted in step 2.7, Cloud Armor uses pre-configured security policies to determine the appropriate allow or deny action. You may be wondering why the backend component is still present in the diagram: a backend is still necessary because it performs your business logic. By using Cloud Armor, you decouple reCAPTCHA-specific code from your backend and delegate that responsibility to Armor.
When using Cloud Armor, all types of reCAPTCHA keys can still be used. There are some minor differences between using different key types, such as where tokens are saved (e.g. cookies or request headers), but the overall flow is similar. However, there is one major limitation to be aware of: the integration of reCAPTCHA Enterprise with Cloud Armor is currently only available with the classic load balancer.
Conclusion
In conclusion, reCAPTCHA Enterprise from Google is an advanced bot detection and protection solution that offers several benefits. It utilizes cutting-edge risk analysis tools, including machine learning, to accurately differentiate between humans and bots. The system provides users with comprehensive event scores and explanation codes, empowering them to take targeted action against potential threats. Additionally, reCAPTCHA Enterprise includes mobile app SDKs and allows for fine-tuning of site-specific models, making it a comprehensive and robust solution for enterprises.
However, it’s important to acknowledge some limitations of reCAPTCHA. While it offers effective bot detection, it may sometimes generate false positives, flagging legitimate users as bots. This can result in a frustrating user experience and potential loss of genuine traffic. Moreover, the integration of reCAPTCHA Enterprise with Cloud Armor is currently limited to the classic load balancer, which may restrict its applicability for certain infrastructure setups.
Despite these limitations, reCAPTCHA Enterprise remains a valuable tool for protecting websites and applications against automated attacks and ensuring the security and integrity of online interactions. Its sophisticated risk analysis capabilities and flexibility make it a trusted choice for organisations seeking advanced bot detection and protection measures.