Why Use reCAPTCHA v2 Invisible in 2024?

Understanding the second version of Google's reCAPTCHA for protection against spam in 2024


While user interaction is one of the important pillars of the internet, opening up your website to input from anyone can also attract malicious actors. From spambots flooding contact forms to automated attacks compromising logins, online security is crucial. This is where reCAPTCHA can help.

As a powerful tool developed by Google, reCAPTCHA helps distinguish between humans and bots, filtering out fraudulent activities and safeguarding your website. This article focuses on reCAPTCHA v2 Invisible, a user-friendly – albeit slightly outdated – variant of reCAPTCHA. While reCAPTCHA v3 offers more advanced security and control, v2 Invisible provides a simple alternative that offers slightly better privacy and an easier setup experience for you.

This guide will explore the inner workings of reCAPTCHA v2 Invisible, its benefits, ideal use cases, and implementation steps. We’ll also address security and privacy considerations to ensure you make informed decisions for your website’s security. Finally, we’ll wrap up with why, depending on your situation, reCAPTCHA v2 Invisible might still be a good choice in 2024.

What is CAPTCHA?

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. It’s essentially a challenge designed to differentiate between humans and automated bots. These challenges come in various forms:

  • Text-based CAPTCHAs: These require users to decipher distorted or obscured text, proving their ability to read complex characters.
  • Image-based CAPTCHAs: These present users with a series of images and ask them to identify specific objects within them.
  • Audio-based CAPTCHAs: These play an audio clip with distorted speech or sounds, requiring users to type the words they hear.

While effective, traditional CAPTCHAs interrupt the user experience, which can be irritating for users. This is where reCAPTCHA steps in.

Enter reCAPTCHA v2 Invisible

Introduced in 1997, reCAPTCHA is Google’s implementation of CAPTCHA. It stands for “reverse CAPTCHA” because the original versions were used not just to filter out bots, but also to take advantage of human reasoning to solve problems that computers found difficult, such as digitizing poor quality scans of books. reCAPTCHA quickly evolved to reduce friction for users, initially by replacing the CAPTCHA with a simple button click, and later making it “invisible” for most users.

Unlike traditional CAPTCHAs that present a visual challenge, reCAPTCHA v2 Invisible operates silently in the background. When a user interacts with your website, reCAPTCHA v2 Invisible analyzes their behavior. This includes factors like mouse movements, typing patterns, time spent on the page, and even Google-related cookies. Based on this analysis, reCAPTCHA makes an internal risk assessment. Users with normal user behavior typically pass this assessment seamlessly. They can submit forms and complete actions without ever noticing the verification process.

However, if the service detects suspicious activity or a very high-risk possibility, it might present a traditional CAPTCHA challenge for further verification. This ensures a balance between user experience and robust security. Unlike the newer reCAPTCHA v3, which gives website admins the risk assessment score and leaves the human-vs-bot decision to them, reCAPTCHA v2 Invisible makes this decision automatically, reducing overhead.

Benefits of reCAPTCHA v2 Invisible

Compared to the older versions of reCAPTCHA, reCAPTCHA v2 offers a few benefits:

  • Improved User Experience: Unlike traditional CAPTCHAs (including reCAPTCHA v2 checkbox) that can be frustrating and time-consuming, reCAPTCHA v2 Invisible operates silently. Users can complete forms and interact with your website without any additional steps or challenges, leading to a smoother and friction-free experience.
  • Increased Form Completion Rates: Frictionless form submissions with v2 Invisible encourage users to complete actions like signing up for newsletters or making purchases. This can significantly boost conversion rates for your website.
  • Accessibility: Traditional CAPTCHAs can be difficult for users with disabilities, especially those with visual impairments. v2 Invisible reduces these accessibility concerns to a certain extent for most users by relying on behavioral analysis instead of visual challenges.

Setting Up reCAPTCHA v2 Invisible in a Formspree Form

Now that you understand how reCAPTCHA v2 Invisible works, it’s time to learn how to implement it in your forms.

Key Registration on Google reCAPTCHA Admin Console

To start using reCAPTCHA v2 Invisible on your website, you must first register for a key pair through the Google reCAPTCHA Admin Console. This pair includes a Site Key and a Secret Key. The Site Key is utilized on the frontend of your website to identify the reCAPTCHA service, while the Secret Key is used on the backend to authenticate user interactions with reCAPTCHA. You can follow this step-by-step guide to register for your reCAPTCHA v2 key pair:

1. Access the Google reCAPTCHA Admin Console

Go to the Google reCAPTCHA Admin Console and make sure you are signed in to your Google account.

2. Create a New reCAPTCHA Key

On the console, click the “Create” button. This initiates the site registration process for the website on which you will use reCAPTCHA.

Registering a new site on the reCAPTCHA admin console.

3. Registering the new site

Now, you will need to provide some details.

  • Label: Enter a descriptive name for your reCAPTCHA instance (e.g., “My Formspree Form”).
  • reCAPTCHA type: Select “reCAPTCHA v2” (not v3) and then select “Invisible reCAPTCHA badge”.
  • Domains: Click “Add domain” and specify the domain(s) where you’ll use the reCAPTCHA key (e.g., your website’s main domain).

Once done, click on the blue Submit button.

4. Obtaining Your Key Pair

Once the registration is complete, you will be able to view your Site Key and Secret Key on the console.

Retrieving the reCAPTCHA v2 keys.

The Site Key needs to be integrated into your website’s frontend code (i.e. your form’s source code) and the Secret Key is meant to be used on the backend to verify the validity of the reCAPTCHA tokens. Keep the Secret Key private and never expose it publicly.
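What a backend does with the Secret Key when you verify tokens yourself instead of through Formspree, shown as an added example that is not Formspree's or Google's code. The RECAPTCHA_SECRET environment variable, the allowedHosts list, the two-minute age limit and the sample responses are assumptions of this example; the endpoint, request parameters and response fields are those of Google's siteverify API.

```javascript
// Added example, not Formspree's or Google's code (Node 18+ for global fetch).
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Decide whether a parsed siteverify response should be trusted.
// allowedHosts and maxAgeMs are this example's own policy settings.
function evaluateSiteverify(body, { allowedHosts, maxAgeMs = 120000, now = Date.now() }) {
  if (!body || body.success !== true) {
    const codes = (body && body["error-codes"]) || [];
    return { ok: false, reason: codes.length ? codes.join(",") : "not-successful" };
  }
  // The token must have been solved on one of our own pages.
  if (!allowedHosts.includes(body.hostname)) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  // Reject stale or unparsable challenge timestamps.
  const solvedAt = Date.parse(body.challenge_ts);
  if (Number.isNaN(solvedAt) || now - solvedAt > maxAgeMs) {
    return { ok: false, reason: "stale-challenge" };
  }
  return { ok: true, reason: "verified" };
}

// Send the token from the form's g-recaptcha-response field to Google.
// The Secret Key comes from the environment (assumed name), never from client code.
async function verifyToken(token, remoteIp, allowedHosts) {
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-input-response" };
  }
  const params = new URLSearchParams({ secret: process.env.RECAPTCHA_SECRET, response: token });
  if (remoteIp) params.set("remoteip", remoteIp);
  try {
    const res = await fetch(SITEVERIFY_URL, { method: "POST", body: params });
    return evaluateSiteverify(await res.json(), { allowedHosts });
  } catch (err) {
    // Fail closed: a network or parse error never counts as a pass.
    return { ok: false, reason: "verify-unavailable" };
  }
}

// Constructed sample responses in the siteverify response shape.
const NOW = Date.parse("2024-05-01T12:01:00Z");
const SAMPLES = {
  good: { success: true, challenge_ts: "2024-05-01T12:00:30Z", hostname: "example.com" },
  replayed: { success: false, "error-codes": ["timeout-or-duplicate"] },
  foreign: { success: true, challenge_ts: "2024-05-01T12:00:30Z", hostname: "other-site.example" },
  old: { success: true, challenge_ts: "2024-05-01T11:50:00Z", hostname: "example.com" },
};
```

A timeout-or-duplicate error means the token has expired or was already verified once, so the submission is rejected and the user must obtain a fresh token.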

Setting up the Secret Key on the Backend

Setting up the Secret Key on the backend is straightforward. You need to visit the settings tab of your Formspree form, and make sure that reCAPTCHA is enabled. You can now paste the Secret Key here.

That’s it! Now the final step that remains is to set up the Site Key in your form.

Setting up the Site Key on the Frontend

You can use one of the examples from Google’s documentation on reCAPTCHA v2 to set it up in your Formspree form:

  <html>

  <head>
    <title>reCAPTCHA v2 Invisible Demo</title>

    <!-- 1. Add the following script to set up the reCAPTCHA library -->
    <script src="https://www.google.com/recaptcha/api.js" async defer>
    </script>

    <!-- 3. Add a script to submit the form when the button is clicked-->
    <script>
      function onSubmit(token) {
        document.getElementById("demo-form").submit();
      }
    </script>

    <style>
      .grecaptcha-badge { 
        visibility: hidden;
      } 
    </style>

  </head>

  <body>

    <form 
      id="demo-form" 
      method="POST" 
      action="https://formspree.io/f/{form_id}">

      <input 
        type="text" 
        name="title" 
        placeholder="Feedback title" />

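      <!-- textarea takes no type attribute; the closing tag stays on the same line so stray whitespace does not hide the placeholder -->
      <textarea 
        name="contents" 
        placeholder="Write your feedback here.."></textarea>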

      <input 
        type="text" 
        name="email" 
        placeholder="Your email address" />

      <!-- 2. Update the submit button with the data- attributes as given below -->
      <button 
        class="g-recaptcha" 
        data-sitekey="YOUR SITE KEY HERE" 
        data-callback="onSubmit">
        Submit
      </button>

    </form>
  </body>

  </html>

You can take a look at some of the other ways in which you can invoke the reCAPTCHA v2 challenge in your forms, such as programmatically binding the challenge to a button or programmatically invoking the challenge.

Hiding the reCAPTCHA Badge

You will notice that even though the reCAPTCHA check process happens in the background, it still shows the tiny reCAPTCHA badge at the bottom right of your webpage.

Google allows you to hide this badge if you’d like to, on the condition that you include the following text on your website somewhere it is clearly visible:

  This site is protected by reCAPTCHA and the Google
    <a href="https://policies.google.com/privacy">Privacy Policy</a> and
    <a href="https://policies.google.com/terms">Terms of Service</a> apply.

You can hide the reCAPTCHA v2 badge by adding the following CSS to your webpage:

  .grecaptcha-badge { 
    visibility: hidden;
  }

This will hide the reCAPTCHA badge. Some people also try setting display: none; but it has been reported to turn the spam checking off, so it’s best to use the visibility: hidden property as recommended by Google.

Security & Privacy Considerations

We think reCAPTCHA v2 offers slightly better privacy compared to the new reCAPTCHA v3. Here are a few points around privacy and security offered by reCAPTCHA v2 invisible that you must know:

  • Privacy Advantage: Compared to its successor, reCAPTCHA v3, v2 Invisible offers a slight edge in data privacy. v3 requires integration across multiple pages to build a more comprehensive risk profile, potentially collecting more user data. v2 Invisible, on the other hand, can be limited to just the page where the protected form is hosted. This reduces the amount of user data collected.
  • Data Collection and Anonymity: Like most web services, reCAPTCHA v2 Invisible collects some user data for analysis. This data includes browser information, IP address, and user behavior patterns like mouse movements and typing cadence. However, Google assures users that this data is anonymized and used solely to improve the effectiveness of reCAPTCHA.
  • Accessibility: reCAPTCHA is intended to be accessible for users relying on screen readers or other assistive technologies when configured correctly. Read more on Google’s website.

Conclusion: Does reCAPTCHA v2 Invisible Still Make Sense in 2024?

Since reCAPTCHA v3 came out, it does not make a lot of sense to continue using reCAPTCHA v2 in most situations. However, if your requirements match one or more of those listed below, you might be better off with reCAPTCHA v2 Invisible:

  • Simpler Setup: v2 Invisible requires less code and configuration than v3. If you need a quick and easy solution, v2 might be easier to implement.
  • Easy to Customize: If your website has specific actions where you require stricter verification (like high-value transactions), v2’s challenge can provide a stronger verification step without much effort on your part. You will need to set the security preference of your site to “Most secure” in the reCAPTCHA admin console for this. This way, v2 Invisible handles the risk score internally, freeing you from the backend work you’d otherwise have to do (such as in the case of v3).
  • Potentially better privacy: As mentioned above, v2 can be limited to the page where your form is displayed. This can reduce the footprint of Google’s data collection and offer slightly improved privacy.

Ultimately, the choice of using v2 Invisible comes down to your specific security needs and desired user experience.

