reCAPTCHA v2 vs reCAPTCHA v3
CAPTCHA was first invented in 1997 to distinguish a human from a bot performing an action. Back in the day captchas were usually obscured or deformed letters. Before that, we had the simple question verification like “what is 1 + 9” which is simple enough once the bot scrapes it off the page.
In 2007 reCAPTCHA was originally launched and then acquired by Google in 2009. The new thing with reCAPTCHA is that the work effort used to prove you’re a human isn’t wasted. Initially, reCAPTCHA was used in the digitalization of the New York Times and Google Books archive. By presenting the user with images where the OCR had failed you got a human interpretation to add to the OCR results. By combining known and unknown images you could still be confirmed as a human while providing this service.
These days the reCAPTCHA system relies heavily on scoring. By doing behavior analyzes on the user to determine if a bot is suspected or not. If so additional tests can be presented. This is what’s called noCAPTCHA or hidden CAPTCHA. Initially, it was presented with the checkbox “I’m not a robot” and then just ran in the background. If the score was to low upon submission you would be presented with an additional CAPTCHA challenge. These days usually a 3×3 set of images where you should identify specific objects. This is then used to train AI models. Same as with OCR use of CAPTCHA you are presented with a few known ones along with a few fresh ones for you to score. When enough humans have agreed on the scoring for a picture it is feed into the AI model.
Both v2 and v3 use scoring but the main difference is that v2 will give you a pass or fail result while v3 will give you the score. So when should you use one or the other?
v2, hidden or checkbox version is very good for logins and other things that need more hardened protection. When the information is actually submitted to your backend server the user has passed to the reCAPTCHA test. This is a well-proven way to protect the submission assets on your website.
v3 will give you a score of how likely this is a good interaction as they put it. This means that they will probably not only take into consideration whether or not this is a human or about but also if this end-user has been doing malicious things like bulk submissions etc. This can be used for submissions like logins and if the score is low enough you present an extra challenge like v2 reCAPTCHA or two-factor authentication for example.
Say that your building a site like Craigslist from scratch. Use v2 challenges for login and ad submissions to maintain the security and integrity of the information on the site.
Then use v3 in the background on all the ad view pages. If the score is low enough that might indicate that there is a bot from another ad site scraping the information. You can then throttle or block that connection to protect your information on your site and lighten the load on your servers.