When completing an online form, proving that you’re not a robot can be very annoying. Sometimes even frustrating, especially if the website uses reCAPTCHA or a similar implementation of a system that asks you to decipher some cryptic text.
I don’t use reCAPTCHA on this website, but I do encounter it on other websites. So it was heart-warming to learn that Google has released a new implementation of reCAPTCHA called No CAPTCHA reCAPTCHA that doesn’t come with reCAPTCHA’s annoying aspects.
The official announcement has it that “a significant number of users will be able to securely and easily verify they’re human without actually having to solve a CAPTCHA. Instead, with just a single click, they’ll confirm they are not a robot.”
What’s not to like about that? But is it as simple as that? And how does the system know that the entity completing a form is a human and not an automated script? The simplest way to find out is to try and complete an online form protected from bots by No CAPTCHA reCAPTCHA.
Before I relate my experiences with the demoes, I should point out that the developers do concede that “CAPTCHAs aren’t going away just yet.” And that “In cases when the risk analysis engine can’t confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the number of security checkpoints to confirm the user is valid.”
But in cases where the system is able to determine that a user is a human, how does it know? From my tests, here’s how I think the system knows: Prior login information. Cookies don’t seem to play a part in the ability of No CAPTCHA reCAPTCHA to uniquely identify you.
While logged into a Google property and visiting the official demo website, for example, No CAPTCHA reCAPTCHA was able to accurately determine that the entity submitting the form was not a robot. Figure 1 was taken from that attempt.
However, visiting the same demo website from browsers that I’ve never used to log into a Google property, the system was not able to identify me. And that’s true whether the browsers were configured to accept Cookies or not.
So it appears that the “significant number of users” that “will be able to securely and easily verify they’re human without actually having to solve a CAPTCHA” will be those already logged into the website. For the other very significant number of users that the system cannot uniquely identify, it will try the old technique – shove a reCAPTCHA in there faces.
So the benefit of No CAPTCHA reCAPTCHA is very minimal, unless there’s something that I’m missing.