Google’s New reCAPTCHA API Replaces Distorted Text with a Checkbox

recaptchaFor the past several years, Google’s reCAPTCHA has verified a user’s humanity by forcing you to decipher warped, nonsensical text. reCAPTCHA’s method of protecting websites from spam has long put the burden on the user to prove that he is not an abusive bot.

This is all about to change as a result of Google’s most recent research, which indicates that smart bots are able to solve even the most distorted text puzzles with more than 99% accuracy. Since the CAPTCHA puzzles are often infuriating to humans and ineffective at stopping bots, Google put its efforts toward developing a better user experience.

Today, Vinay Shet, Google’s Product Manager for reCAPTCHA, announced a new API called “No CAPTCHA reCAPTCHA.” This API utilizes an Advanced Risk Analysis engine that is capable of discerning between users and bots. The best part is that the interface has been simplified to a checkbox, a vast improvement over reCAPTCHA’s alphabet soup scramble.

photo credit: Google Online Security Blog
photo credit: Google Online Security Blog

WordPress.org is already using the new “No CAPTCHA reCAPTCHA” API and, according to the announcement, is providing users with a faster registration experience:

Early adopters, like Snapchat, WordPress, Humble Bundle, and several others are already seeing great results with this new API. For example, in the last week, more than 60% of WordPress’ traffic and more than 80% of Humble Bundle’s traffic on reCAPTCHA encountered the No CAPTCHA experience—users got to these sites faster.

Several dozen WordPress plugins integrate reCAPTCHA in one way or another to protect sites from bad bots. Plugins that integrate the new “No CAPTCHA reCAPTCHA” API will allow many users to pass through by simply checking a box. However, it does provide a fallback to the scrambled letters in cases where the Advanced Risk Analysis engine isn’t able to confidently assume that a user is human.

A cursory examination of the changelogs on several reCAPTCHA plugins shows that plugin authors have not yet updated their extensions to indicate compatibility with the new API. Given that the user experience of the checkbox is far superior to distorted letters, we’re likely to see more developers take advantage of reCAPTCHA’s new API in the coming days. Does the new API make you more likely to use reCAPTCHA?

22 Comments


  1. Good news, previous captcha was nightmare for me. So many times I did it after few fails :D
    This new looks much better.

    Report


    1. That works because you aren’t being targeted by spammers. Once you are are targeted, or the software you are using is targeted, then you get inundated.

      Report


  2. Entirely and utterly agree with Andy! On all sites (my own and those of clients) I use honeypot fields and I hardly have any problems. Instead of analysing the risk they should analyse how much online revenue is lost by letting potential buyers jump through all kinds of hoops!

    Report


  3. Andy, Piet, David Walsh’s solution works for him because it is a “club” solution. This article from 2002 is worth a read:
    http://web.archive.org/web/20110607161529/http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions

    Basically, such a honeypot concept only works because not everybody has it, and it’s not worth the spammers time to work around your “fix”. Quite simply, they’re trying to spam thousands of sites, not just yours. If such a solution was to become commonplace, then it would become worth their time to work around it (and working around it is trivial), and suddenly it would not work anymore.

    Any solution to “spam” has to account for everybody. You can solve it for yourself, but that does not scale. Scaling a spam prevention mechanism requires a lot more work than something quite as simple as that.

    Report


    1. Thanks for your explanation, Samuel. Happy that the honeypot is not mainstream yet then and here’s hoping it never will :)

      Report


  4. I don’t think they’re explaining everything they’re doing in that post. I’m assuming they’re doing a combination of what I suggested here, http://geek.ryanhellyer.net/2014/06/04/spam-epiphany/. With the addition of a non text-based CAPTCHA as a fallback. But they’re still using text-based CAPTCHA’s too sometimes, since those are still more powerful than those image based ones since you can’t just take a potshot guess at the answer since there are too many combinations to choose from.

    I’m sure this is an improved implementation for them, but it is not revolutionary. In fact I’m running a test version of this exact type of setup (not identical of course) on my own site right now, with the exception that I haven’t implemented a non-text based CAPTCHA fallback. This will eventually be rolled into my Spam Destroyer plugin once I’ve ironed out the bugs and added a few more features to it.

    Report


  5. At this time, the new Google spamcheck is flagging screen reader users as spammers, forcing us to use the absolutely horrible garbled audio challenge instead, which creates a lot of frustration. I sincerely hope they fix this.

    Report


    1. Is it worse than the old ReCAPTCHA?

      Is there a preferred route to handling vision impaired users when it comes to CAPTCHA’s?

      Report


    1. That is not better, it’s just different. It will not protect you against extreme spam situations.

      Report


    1. I just installed your plugin on one of my client sites, but I noticed you did not add the conditional under the Advanced tab as with Gravity Forms current reCaptcha implementation, such that No Captcha Re Captcha displays when the user enters a value into the form field.

      My client loved the conditional, but it’s now not avail in your implementation, so if you can add that to your plugin, that would be great.

      Other than that, it def solves the problem until Gravity Forms updates.

      Report


  6. A checkbox? I don;t have to tell you that anyone who understand how to manipulate a DOM can simulate one of those without much effort, yeah? That said, we have a nifty captcha tool that requires one to slider a slider.. :P

    Report


    1. You seem to be assuming that it is an HTML checkbox. It could be a fancy JavaScript generated pseudo check-box, in which case it’ll require a quite a bit of effort for someone to work around it.

      Report


  7. I am trying to implement this because I love the simplicity of it but I can’t get it to validate. So another words if it is not checked the form will submit still. Does anyone have any idea to how to make this work? I have read probably ever doc in google about the new recaptcha and still can’t get it to work. Thanks in advance.

    Report


  8. Tried this today and it’s pretty bad. It ads up to 5 seconds processing on that page, and during that processing time it prevents you from logging in, since the captcha is still working in the background. Pressing the login button does nothing thanks to this behavior.

    Honeypots are still the better way to go.

    Report


  9. We recently created an addon for GeoDirectory using the new No CAPTCHA reCAPTCHA API. It killed 100% of bot’s activities in all of our test websites. We are very happy with it so far and so are our users!

    Report

Comments are closed.