New Google API simplifies the reCAPTCHA experience

Google has simplified the authentication process by introducing an updated CAPTCHA that simply asks users whether they are a bot.

Google’s new API simplifies the reCAPTCHA experience, product manager Vinay Shet said.

Google has provided a significant update to its reCAPTCHA authentication system with the intent to simplify the process. The CAPTCHA is a type of challenge-response test used to determine whether or not the entity that is requesting the access to a resource is human. CAPTCHA systems are used to protect websites from spam bots and web crawlers.  Google, rather than have users authenticating to an online service try to decipher blurred text, has simplified the process by simply asking its users whether they are a bot agent. Just one click allows users to be authenticated the requested service.

In reality, the improvement of the reCAPTCHA authentication system was driven by the need to improve the efficiency of the process, according Google in fact, bots have a success rate close to 100 percent in solving traditional CAPTCHA challenges.

Earlier this year, Google improved it reCAPTCHA process introducing an approach based on a risk analysis of the user as explained by the company:

“A few months ago, we announced an improved version of reCAPTCHA that uses advanced risk analysis techniques to distinguish humans from machines. This enabled us to relax the text distortions and show our users CAPTCHAs that adapt to their risk profiles. In other words, with a high likelihood, our valid human users would see CAPTCHAs that they would find easy to solve. Abusive traffic, on the other hand, would get CAPTCHAs designed to stop them in their tracks.”

In other words, the complexity of the challenge proposed to the user linked to the likelihood that a human is trying to be authenticated to a service. Google applied a similar algorithm to audio CAPTCHAs based on the risk reputation of the user. When the new reCAPTCHA process will not be able to evaluate the risk associated with the user, Google will continue to display a classic CAPTCHA image to solve. To improve the authentication experience of the mobile users, Google may present with a challenge image, and a grid of nine images and asks to select all those that match.

“The new API is the next step in this steady evolution,” Shet added. “Now, humans can just check the box and in most cases, they’re through the challenge.”

Shet also commented the adoption of the new CAPTCHA made by some users in the last week revealing that it was a very positive experience in term of performance.

“For example, in the last week, more than 60% of WordPress’ traffic and more than 80% of Humble Bundle’s traffic on reCAPTCHA encountered the No CAPTCHA experience—users got to these sites faster,” Shet said. “Humans, we’ll continue our work to keep the Internet safe and easy to use. Abusive bots and scripts, it’ll only get worse—sorry we’re (still) not sorry.”

Google confirmed that Snapchat, WordPress and Humble Bundle have already adopters the noCAPTCHA API.

Pierluigi Paganini

(Security Affairs –  Google, reCAPTCHA)