
Hands-On: Google's new Invisible Captcha

Written by lucas | 6th Jan, 2017

There's a problem with the internet that was first described by Peter Steiner in the early '90s:

On the internet nobody knows you're a dog.

More than 20 years later we still lack a simple method to tell whether the entity in front of the keyboard is a human being, an animal or a robot. Perhaps the latter doesn't even have a keyboard but is a one-line curl script instead. At first glance we need a so-called Turing Test - an algorithm that is able to distinguish between humans and bots. Such a test seems simple, but when it comes to usability and customer orientation we need a test that is hard for bots yet easily doable for an average 5-year-old.

Captchas suck!

I have to admit that there are a few people out there who don't mind completing a Captcha or solving a small math problem before submitting a form. However, Captchas evidently lower conversion rates and the majority of internet users hate them (especially those who don't know anything about their purpose). A system should be built to suit its users, not the other way around.

There's a whole bunch of invisible protection approaches like hidden fields a.k.a. honeypots, randomly assigned field names and so on. If things like that are good enough for your website (i.e. if you don't mind a few script kiddies getting through) you might want to take a look at articles like this.

However, these approaches are security by obscurity. They make evil things a little bit more complicated, but they are by no means an alternative to real protection. So, if you're looking for an in-depth bot check and not an obscurity solution you're stuck at the beginning: Captchas do suck, but there's no alternative!

I'm not a robot!

Luckily, not all Captchas suck that much. In 2013 Google came up with a second version of their reCAPTCHA system a.k.a. NoCaptcha, or even better known as "this I'm-not-a-robot thing". They developed a behavior-based Turing Test that is able to find out whether the website is being used by a human or a bot. But still, if Google's test has doubts it presents the user with a picture challenge that users often complain about:

[Image: the "I'm not a robot" checkbox]

Long story short: NoCaptcha is great as long as it stays a No Captcha! If in doubt, the user is once again confronted with an annoying challenge.

Invisible Captcha

There is hope! In December 2016 Google announced an Invisible Captcha. I signed up for a developer preview on their website and got the instruction guide two weeks later. The secret is straightforward: instead of adding the parameters to a div, just add them to your submit button like this:

    <!-- Import the reCAPTCHA API -->
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>

    <!-- Create the form with a magic g-recaptcha button -->
    <form id="contact_form" action="/myfiles/form.php" method="post">
        <button class="g-recaptcha"
                data-callback="mySubmitFunction"
                data-sitekey="6LfDBQ4UA-YOURPUBLICSITEKEY-6eD">Send
        </button>
    </form>

    <!-- Create a JavaScript callback function that is called once the user is deemed human.
         The widget passes the response token as the first argument and also inserts it into
         the form as a hidden field named g-recaptcha-response. jQuery must be loaded for .submit(). -->
    <script>
    function mySubmitFunction(token) {
        $('#contact_form').submit();
    }
    </script>

I combined this code with the jQuery Form Plugin to send an AJAX POST request to a PHP backend that validates the user's response. The backend code stays the same as in version 2 and looks like this:

<?php
    $privatekey = "YOURPRIVATEAPIKEY";
    // Token that the reCAPTCHA widget inserted into the form as a hidden field
    $token = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';

    // Ask Google's siteverify endpoint whether the token is valid (values URL-encoded)
    $response = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".urlencode($privatekey)."&response=".urlencode($token)."&remoteip=".urlencode($_SERVER['REMOTE_ADDR']));

    $respdec = json_decode($response);
    if ( $respdec !== null && isset($respdec->success) && $respdec->success ) {
        // The Captcha was correct
    }
?>
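The snippet above only checks the `success` flag. A stricter handler, added here as an example (it is not code from the original post), also sends the token by POST, rejects tokens minted for another hostname, rejects stale tokens via `challenge_ts`, and fails closed when siteverify cannot be reached. The function names, `EXPECTED_HOST` and the 120-second limit are assumptions; the secret is the same placeholder as in the post. The response fields `success`, `challenge_ts`, `hostname` and `error-codes` are the ones the siteverify API returns.

```php
<?php
// Added example, not the post's own backend. Hypothetical helper names; host and age limit assumed.
const RECAPTCHA_SECRET = 'YOURPRIVATEAPIKEY';   // placeholder, as in the post
const EXPECTED_HOST    = 'www.example.com';     // assumed: the host that serves the form
const MAX_TOKEN_AGE    = 120;                   // seconds; assumed freshness window for a token

// Decide whether a decoded siteverify response is acceptable for this site.
// Returns null when the token is good, otherwise a short reason string.
function evaluateSiteverify(?array $resp, string $expectedHost, int $now, int $maxAge): ?string
{
    if ($resp === null || !array_key_exists('success', $resp)) {
        return 'malformed response';
    }
    if ($resp['success'] !== true) {
        $codes = $resp['error-codes'] ?? ['unknown'];
        return 'rejected: ' . implode(',', $codes);
    }
    // A token solved on another domain must not be accepted here.
    if (($resp['hostname'] ?? '') !== $expectedHost) {
        return 'hostname mismatch';
    }
    // challenge_ts is ISO 8601 (e.g. 2017-01-06T12:34:56Z); reject old tokens.
    $ts = strtotime($resp['challenge_ts'] ?? '');
    if ($ts === false || ($now - $ts) > $maxAge) {
        return 'token too old';
    }
    return null;
}

// POST the token to siteverify (the documented request method) and evaluate the answer.
function verifyRecaptcha(string $token, string $remoteIp): ?string
{
    if ($token === '') {
        return 'missing token';
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query([
            'secret'   => RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($raw === false) {
        return 'siteverify unreachable';   // fail closed: do not accept the submission
    }
    return evaluateSiteverify(json_decode($raw, true), EXPECTED_HOST, time(), MAX_TOKEN_AGE);
}

// Usage in the form handler:
$reason = verifyRecaptcha($_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '');
if ($reason !== null) {
    http_response_code(400);
    exit('Captcha check failed: ' . $reason);
}
// ... handle the submission ...
```

Failing closed when Google is unreachable is a deliberate choice: accepting submissions without a verdict would turn an outage into an open door. If that is too strict for your form, the fallback should at least be logged so you can see how often it triggers.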

Here you go, the result (Try it!):

What you get in the frontend is a little badge in the lower right-hand corner (hover over it to see it slide in). Aside from the fact that this slide-in thing takes you to Google's terms and privacy policy it's pretty much useless. It makes your users aware of the hidden Captcha. But do they really have to be aware of it? Do they even need to know? At least you can reposition or hide the badge using CSS, which actually makes sense since we wanted an invisible Captcha.

The real advantage of the new Captcha is that in the best case your users won't see a Captcha at all! But don't celebrate just yet: if you try this several times you'll get the same old picture puzzle that you're already tired of. The only difference is that the riddle is shown when the user clicks the submit button - meaning that no checkbox is needed here.

[Image: picture selection challenge]

Wait, what - finding street signs again?! Unfortunately, yes. A couple of weeks ago I read Lisa Vaas' article about Google's new invisible Captcha. It made me believe that Google was finally going to kill the Captcha and get rid of these puzzles. In fact, they're getting rid of the checkbox, but they are not making the puzzles stop. Making them stop implies a technology that is able to separate humans from bots without any clicks, puzzles or image recognition.

It's worth mentioning that Google allows you to adjust the difficulty of your NoCaptcha or Invisible Captcha. In Google's admin panel you'll find a slider to choose between usability and security. As you can see, my Captcha is set to be as easy for users as possible, and although most people are not going to see the puzzle, it's still annoying if you're the exception.

[Image: security preference slider in Google's admin panel]

Invisible Captcha is not the revolution of NoCaptcha that I expected; NoCaptcha itself was the revolution. What we really need is better recognition so that people never get to see the riddle at all.

Where to go from here?

What remains is the question of what all the fuss is about. Is this really any better than the well-known NoCaptcha? Yeah sure, with Invisible Captcha Google removes the checkbox, which is great, but the checkbox was the lesser of two evils. The click on the box didn't hurt that much; what really hurts is clicking all the street signs over and over again...

It seems that the new Captcha is not as invisible as it claims to be. It's a step further but not (yet) the user-friendly Turing Test that the internet needs. The kitten picture was a scam.
