Many websites have started integrating Google’s new No Captcha reCaptcha. It offers better anti-bot protection and a better user experience.
Most people don’t know how it actually works. In this article I will explain the various techniques Google uses to detect bots.
Is it a check box?
Google asks users to click the check box to verify that they are not a bot. Even a bot can click a check box, so how does it protect? Well, it’s not actually a check box; it’s a div inside an iframe.
It actually creates a virtual checkbox inside the iframe, and the user clicks the virtual check box. Google also inserts an invisible textarea inside the form. Google populates the textarea with a unique value indicating whether the user is a bot or not. We will see how it decides later in this article.
The text inside the textarea is a unique value; the true or false indicating human or bot is stored on Google’s servers. We need to retrieve the boolean using this unique value once the form is submitted, and then act accordingly.
Why can’t bots emulate a mouse click?
Most bots don’t run JavaScript, so they won’t see the reCaptcha and no textarea is embedded. We can detect this server side: checking whether the textarea is present when the form is submitted tells us whether it is a bot.
There are some bots that run JavaScript code. But they will not click on the virtual checkbox, because to them it’s not a checkbox, it’s just a graphic.
If you design a bot specifically for a website, then obviously that bot can emulate a mouse click. Emulating a mouse click is not enough to bypass this security, though. There are a lot of other things that Google considers.
Which factors does Google depend on to detect bots?
Clicking on the virtual checkbox is not the only factor. Google also relies on the pattern of mouse movements, which differentiates humans from bots. It looks at the overall user engagement with the captcha. It also uses time-on-page algorithms, a database of bot IP addresses, the HTTP referer, the number of requests, etc. We still don’t know all the methods used by Google to detect bots.
Google’s new reCaptcha also uses algorithms from Google Analytics and Google AdSense to detect bots. Google Analytics’ detection methods prevent bots from inflating page views, and Google AdSense’s algorithms prevent fraudulent clicks on ads.
What if it’s unsure?
Sometimes Google is unsure whether it’s a bot or a human submitting the form. In that case it asks the user to solve the old-style captcha on desktop and an image-clue-style captcha on mobile phones.
[Screenshots: the extra validation step on desktop and on phones]
Once it displays this extra validation step, it also starts a form expiration timer. This is done to prevent bots from solving captchas.
Should you replace reCaptcha with No Captcha reCaptcha?
According to Google, this new model provides a higher level of protection than the old model. It also has a better user experience than the old one. Therefore you should replace the old one with the new one.