Back to blog
reCaptcha v2 vs reCaptcha v3 What to Choose

The Internet is a dangerous place. Hordes of soulless digital bots are lurking among the Web. And their prey is weak websites. Throwing a newborn, defenseless site to the net is like walking amongst the pandemic while having zero immunity. 

Captchas are tools that provide bare minimum protection, necessary for the site to survive. Without it, the site will be quickly overwhelmed with infectious malware, DDoS(denial-of-service) attacks, different forms of fraud, and data hijacks.

reCaptcha provides means to distinguish between humans and bots trying to gain access to the site. Among its long history, there were quite a few variations of Captcha. But nowadays the most popular systems are reCaptcha V2 and reCaptcha V3.

Cyber Security Aspect

cyber security lock

The history of the arms race between bots and security measures starts in 2000. It was the year when Yahoo made their free email service, long before Gmail came about. The problem was, anyone with the right knowledge could write a program that registered millions of email addresses. An army of fake accounts to send spam, steal private information and accounts, or commit fraud. 

At that time the CAPTCHA system was created at Carnegie University. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The Turing test was designed to distinguish whether you are communicating with a computer or a human being.

CAPTCHA was a primitive test which required a user to solve pictured equations. But as time passed,  tools to pass the security, and the security measures, both evolved. 

In 2007 Google brought into light their own free version of Captcha, called reCaptcha. At that point, some bots could with little to no effort surpass the previous kind of protective measures. reCaptcha offered a different type of challenge. Instead of an equation, it offered two different words from scanned books to recognize. In 2012 they added street sign recognition to the reCaptcha. 

That system had its own share of criticism. First of all, users performed unpaid work. The second issue is that over time it became harder for humans to recognize words, as they became more and more distorted. Bots, on the other hand, learned to pass it more and more effectively, thus rendering the protection ineffective. And most importantly, captcha was annoying. 

In 2014 and 2018 Google presented 2 new iterations of reCaptcha v2 and v3 respectively. Both are active up to the date, while v1 was shut down in 2018 due to being no longer effective and conceptually outdated.

Overall CAPTCHA is the most universal tool to prevent bot attacks and abuse. It became a necessity since more than 20 percent of total internet traffic is generated by bad bots. However, bots are learning too, and the smartest of them can beat it. And it can do nothing if the intruder is human.

V2 vs V3

quesion marks

Nowadays, the implemented CAPTCHA system is a must for every site. The only exceptions are the ones what are built with no interaction with guests in mind. 

Among the viable options of reCaptcha version 2 and version 3, which would fit your site the best? Let’s figure it out.

reCaptcha V2

reCaptcha V2 comes in two different flavors. 

“I’m not a robot” checkbox requires a user to click a field to confirm whether they are human or bot. This will either pass them immediately or will require additional confirmation in the form of a pictured challenge, if the user is deemed suspicious by the system.  This is the simplest and closest to v1 option to implement. 

“Invisible” reCaptcha does not need any additional fields. Instead, it integrates into already existing buttons on a web page. The integration requires a JavaScript callback when reCaptcha verification is complete. By default, the most suspicious users will require a captcha challenge.  But site administration can tweak the settings of this function in accordance with their needs. 

reCaptcha V3

Version 3 works in a completely different way. Instead of being a “security lock” it reminds more of a surveillance system. First of all, it integrates into every page of a site instead of stucking  only to contact forms or other similar functions.  It constantly monitors the behavior pattern of every user entering the site and sets the score for their every action to determine whether it`s human or bot. The score ranges from 0.0 to 1.0. If you score 1.0 for the system you are a genuine human.  0.0 means no human can act like that. And everything in between is a “suspicion range”. Scoring 0.8  means you are most likely a human, but some chance of you being bot remains. 

reCaptcha allows the site administration to decide the course of action based on the points scored by the user. You can pass them, challenge to a pictured request similar to the one in reCaptcha v2, or completely block. Will you allow someone who scored 0.2 to browse your site? What about 0.15? The higher the threshold the more likely you are to ban a potential guest or customer. But the lower it is, the bigger the chance of leaking a bot.  

Google does not disclose the actual algorithms of score evaluation. If a hacker learns the algorithm he can write a bot, which imitates a human perfectly. That will render the whole system useless.

According to Mohamed Akrout, a computer science Ph.D. student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. “If you have a Google account it’s more likely you are human,” he says.

It means that reCaptcha v3 works on a whole internet level. Google monitors the user’s behavior not just on any one site, but on every site that has reCaptcha v3 installed. 

On one hand, v3 is a more reliable system indeed. It also user-friendly, it won`t scare them off or annoy them with stupid tests. It’s settings can be tweaked by site administration.

On the other hand, managing this system requires effort. And Google potentially gathers information about the internet users via this system.

It’s a tradeoff. But it also means that v2 is still a viable or sometimes necessary option.

reCaptcha by BestWebSoft

For WordPress users, BestWebSoft offers our reCaptcha plugin, which allows you to implement this system into your site with ease. 

Managing this plugin does not require any coding experience. In-built settings allow you to implement any form of reCaptcha: “invisible” v2, checkbox v2, or reCaptcha v3 and tweak them as you see fit. User Guides are there to help you out with any issues you may encounter. Our customer support is ready to answer any questions you may have. 

Give it a try!

reCaptcha plugin

Conclusion

For the major part of the websites, reCaptcha is a necessity. It provides a decent level of protection against the most common types of bot threats.

There are two versions of reCaptcha supported. Version 2 provides site guests with various tasks to complete in order to gain access to secured functions, it is configured only once and does not require further actions from the administrator. Version 3 is a much less perceivable iteration of reCaptcha, but it requires periodic analysis on the administration side, or otherwise, users risk being unjustifiably banned or the system might leak a number of bots. 

Which version is better depends on what exactly your site needs. Interactive high-traffic sites will benefit more from version 3, but it requires a lot of extra work. If your site is mostly autonomous, with little to no interactions involved, you probably would benefit better from version 2. 

As always, the final choice is up to you.



Popular Posts

Like This Article? Subscribe to Our Monthly Newsletter!

Comments are closed.