Since purchasing reCAPTCHA in 2009, Google has been working to make the tool less interruptive for users and more effective at boosting site security. Last year, Google released the long-awaited third iteration reCAPTCHA and it’s already proving to be worth the wait.

As Google begins to phase in v3, it looks like the days of needlessly solving math problems and identifying pictures of street signs are finally coming to an end! While many internet users (like us) are thrilled, we wanted to take the time answer some questions you might have like ‘How does v3 differ from its predecessors?’, or ‘What does it mean for my business?’, and the all-important ‘How does it actually work?’.

Back in the 90s, engineers at Carnegie Mellon devised a system called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to increase site security by filtering spambots from websites. When a person visited a page possessing CAPTCHA, they’d be asked to authenticate that they were human by completing a challenge. The theory behind this design choice was that humans were smarter than bots, so only humans could pass the challenges.

Developers eventually realized that certain types of these challenges could also serve a higher purpose than user authentication, leading to the development of reverse CAPTCHA (or reCAPTCHA). These new challenges would now primarily involve deciphering blurry text phrases to help digitize books and old manuscripts. However, soon after acquiring the technology, Google realized that this application of CAPTCHA was still disruptive to UX. Their solution? Take problem-solving out of the process entirely – simply checking a box would now be sufficient verification that you weren’t a bot. This was reCAPTCHA v2.

While this fix seems like it would be a welcome one, there was still a problem: reCAPTCHA v2’s one-time verification didn’t fit every instance it was applied to. Furthermore, Google believed that user authentication could still be less cumbersome, more effective, and eventually invisible to the user altogether. reCAPTCHA v3 is the first step in realizing that goal.

Rather than using traditional challenges, reCAPTCHA v3 runs in the background and uses extensive risk-analysis to determine if you’re a bot. Below is an example to help you really understand how it works.

Imagine you have a website for your business and you notice traffic is high on a number of pages, but your conversions stay the same. You want to make sure that this increase in traffic is organic so you apply reCAPTCHA v3 to a few key pages. Now, every user who attempts to access these pages is given a score from 0 to 1. A score of 0 is considered very likely to be a bot, while a score of 1 is considered very likely to be a human.

After letting v3 run in the background of these key pages for a while, you decide to dig deeper. You look into the data provided by v3 and notice there’s a high level of activity from low-scoring users on your one of your key pages. With these scores, you can now do a few things to boost your site security:

• You can set a threshold to determine when a new user is required to provide additional verification (ex. all scores below .6 are required to enter a code that’s texted to a number).
• You can combine the score with your own signals that reCAPTCHA can’t access (such as user profiles or transaction histories) to ensure a holistic review of each request.
• You can also train your machine learning models to fend off bots more effectively.

In this scenario, you decide to mandate that all users below a score of .4 confirm they’re not a bot by entering a PIN number that’s texted to them. You then happily watch as bot traffic on these pages decreases (due to bots being unable to verify themselves); reCAPTCHA v3 has done its job of fending off potentially malicious traffic from your site without having to interrupt any one true user’s experience!

However, it should be noted that v3 works best when it’s had time to analyze what typical organic interactions look like across your website, so it needs to be applied in many different places on your site!

The release of reCAPTCHA v3 is a sign that site security is becoming more automated and effective with each passing year. Since user authentication is automated in v3, you no longer have to choose whether to prioritize security or user experience for your website. V3’s scoring system also enables more autonomy in how exactly you handle suspicious traffic entering and leaving your site.

reCAPTCHA v3 is quickly proving to be the coveted first step towards truly seamless and powerful site security, and thankfully, it seems to be here to stay. While tools like v3 are vital components to building powerful and secure websites, figuring out how to properly integrate them is only one piece of the puzzle. Luckily, you don’t have to worry about that when you work with us. We at Seven Ages Design have spent years perfecting our process to consistently deliver custom websites to our clients that look and feel great across every platform, while keeping security at the forefront.

If you’re looking to build a website for your business that’s both beautiful and secure, contact Seven Ages Design to get started!