Does google reCAPTCHA v3 score drop after many requests?
I would expect reCAPTCHA v3's score to drop if a user (or bot) repeatedly does the same thing; however, that doesn't seem to be the case.

Here's a brief extract from my logs while I try different passwords at login on a site I'm building.

2018-07-19T17:24:04.580129+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:08.764677+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:11.441256+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:14.697840+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:17.074292+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:19.477029+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:21.962033+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:25:14.458404+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:25:18.515887+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:25:21.599782+00:00: grecaptcha success, score=0.900, action=login_password

Is this a problem with v3 in beta? Would the score drop if I tried a lot more times (hundreds), or is the score constant for a given session regardless of user behaviour?

Sorry if this is too product-specific, but Google doesn't seem to suggest anywhere better to ask such questions, and they often do recommend SO.

Acupuncture answered 19/7, 2018 at 17:35

Well, I have tested reCAPTCHA v3 in many ways.

Good things are:

  • Most embedded browsers are unable to pass all of its security checks (so far I haven't found one that can), but real browsers like Internet Explorer, Firefox, Safari, Chrome, etc. can easily pass all checks.
  • It doesn't require user input or interaction, so the user experience on your website remains the same.

Bad things are:

  • If you try to solve the captcha when you are not logged in to your Google account, then the score returned by reCAPTCHA will be lower than when you are logged in to your Google account in the browser.
  • After around 50 requests, Google keeps sending a lower score like 0.3-0.5 even if you are human (and right now anyone can open 50 pages within 10 minutes due to high-end devices, internet speed, etc.).
  • It seems like Google is blocking the user's IP address, meaning if your score for website A is 0.3, then you will most likely get a 0.3 score for website B as well. That means if you spam a website that has reCAPTCHA v3, then you are a spammer for all websites that have reCAPTCHA v3 (which is a bad thing for website owners, because a spammer on one website can be a good customer on another).

Update (21/08/2019)

  • reCAPTCHA v3 is a bit updated now, and now you can consider a score equal to or lower than 0.3 as spam (that score is received if the end user is doing some automation over your website or doing some scripting task).
  • All legit users get a 0.9-0.7 score, but it is still returning a 0.3 score sometimes to legit users; on refresh it automatically gets fixed and the user gets a proper score, but it is still a bug or something went wrong with the scoring. So it's better to check: if score <= 0.3, then it's spam, otherwise not.

Update (13/02/2021)

  • reCAPTCHA v3 studies the web page by monitoring user interaction with it and gives scores accordingly, meaning if your site gets many spam requests, then it's obvious that any legit user will get a spam/lower score, which makes reCAPTCHA v3 useless to use on a site with a higher spam rate.
  • reCAPTCHA v3 is now better than before, so you can mark a request as spam if the score is lower than 0.5 (which was 0.3 before).
Escargot answered 4/9, 2018 at 16:36
I work with a site that uses v3, and some users on their first actions get a score of 0.3 and even 0.1 (while 70k+ requests are >0.5, ~10k are <0.5). What can I do? How do I know whether I can let users with score <0.5 in or not? – Wesleywesleyan
There's no clear way of doing something for a better score, but as per my check, if you are logged in to your Google account and using the Chrome browser, it's very much better. Well, the reality is, the machine tells you that you are not a human (even if you are), and a human can't bypass this machine's security, only a machine can do that. According to me, this type of silent solution to check a humanity score is useless; it's better to use reCAPTCHA v2 by asking users to verify only the first time. I know of services which offer to bypass reCAPTCHA v2, but a little bit of spam is better than nothing. – Escargot
Well, but then it would be the same if I let users with score 0.1 use the service, or maybe even v3 is better then. I love v3 as the user has no need to fill in a captcha. – Wesleywesleyan
Yes, reCAPTCHA v3 is good in a certain way, like collecting information about your website only from users having a higher score, and then it will be used for marketing campaigns and all. Also at a contact form, just to test if the user has a >0.3 score, then it's good to proceed or better to answer the query. But it's bad to use at a comment or rating or review form of a website. It's not intended for that. reCAPTCHA v2 is for that purpose. – Escargot
OK, thanks for your effort! I think I will still use v3 and maybe add some simple text-image captcha if the score is under 0.5. – Wesleywesleyan
I'm currently testing my website at work (a hospital), and I keep getting low scores on my work computer (between 0.1 and 0.3). I haven't spammed my own website from this location, maybe 10-20 requests. I use Google Chrome on my work PC and I am logged in to that browser with my own Google Account, so it seems very strange to me that reCAPTCHA v3 marks me as a bot with such a low score... – Micronutrient
@LaurensSwart are you using any VPN or any proxy enabled in your browser? Kindly check it. Also, if you are testing reCAPTCHA from localhost, then it's obvious that you get a low score, which won't be the problem in a live environment, so don't worry about it. Mostly you can ignore requests having a score lower than 0.5. – Escargot
The same email address has been marked with different scores. For example, while testing the first time it returns 0.3, then after some time interval it returns 0.9. How does the same email address return a different score over time? @Escargot – Barytes
@Barytes that's how reCAPTCHA v3 reacts, and depending only on the score won't be a good idea; you have to use another measure with it. – Escargot
Thanks for the update. Currently I only lazy-load reCAPTCHA when the user submits the form. I use reCAPTCHA to prevent bots from scraping my site by automatically submitting the form. Do I really need to load reCAPTCHA on every page? I don't want to block any legitimate users. – Douglassdougy
@Escargot My hospital computer is a virtual machine that is located somewhere else, yes. So if that counts as a VPN, then yes. But many reputable institutions use virtual machines that are hosted elsewhere. That shouldn't make them automatically get a low reCAPTCHA score, right? – Micronutrient
@LaurensSwart not necessarily, no; but from the standpoint of Google's reCAPTCHA servers and the information given, all they see are several hundred devices all from a single location, which is also one aspect that you may see from spamming devices. It's one data point, but if it's the only data point (i.e. no additional usage data from your browsing session) it wouldn't be advisable to assume it's not a bot. It's a tough balance to strike, for sure. Did you end up implementing reCAPTCHA? (sorry for the necro-comment) – Erode
@Erode Yeah, not sure what changed exactly, but it did end up working in the end. – Micronutrient
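The server-side handling that the answer's thresholds imply, as an added example (my own code, not from the question or the answer): it validates a siteverify response body in Google's documented shape (success, score, action, challenge_ts, hostname, error-codes), applies the 0.5 cut-off the answer settles on, and, because the question's log shows the score staying at 0.900 across ten password attempts, adds a per-account failed-attempt throttle that reCAPTCHA v3 does not supply. The hostname, usernames, IP addresses, attempt limit, lockout window and the JSON bodies are constructed for the example; nothing here calls Google.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumptions for this example: 0.5 follows the answer's 2021 guidance; the
# two-minute token lifetime is Google's documented limit for v3 tokens.
SCORE_THRESHOLD = 0.5
MAX_TOKEN_AGE = timedelta(minutes=2)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def check_siteverify(raw_json, expected_action, expected_hostname, now):
    """Validate one siteverify response body; returns (ok, reason).
    Only a successful assessment for our action, on our hostname, with a fresh
    challenge_ts and a score at or above the threshold passes; anything
    missing or malformed fails closed."""
    try:
        r = json.loads(raw_json)
    except ValueError:
        return False, "malformed siteverify body"
    if r.get("success") is not True:
        return False, "siteverify failed: " + ",".join(r.get("error-codes", []))
    if r.get("action") != expected_action:
        return False, "action mismatch: %r" % r.get("action")      # token minted for another form
    if r.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % r.get("hostname")  # token minted on another site
    try:
        ts = datetime.strptime(r["challenge_ts"], TS_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError):
        return False, "missing or invalid challenge_ts"
    if not timedelta(0) <= now - ts <= MAX_TOKEN_AGE:
        return False, "stale or future-dated token"
    try:
        score = float(r["score"])
    except (KeyError, TypeError, ValueError):
        return False, "missing score"
    if score < SCORE_THRESHOLD:
        return False, "low score %.1f" % score
    return True, "score %.1f" % score


class LoginThrottle:
    """Sliding-window count of failed attempts per (username, ip). Hypothetical
    policy: refuse once max_failures fall inside `window`. This, not the
    reCAPTCHA score, is what ends the question's attempt loop."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        return q

    def allowed(self, username, ip, now):
        return len(self._recent((username, ip), now)) < self.max_failures

    def record_failure(self, username, ip, now):
        self._recent((username, ip), now).append(now)


def handle_login(throttle, siteverify_body, username, ip, password_ok, now,
                 hostname="example.test"):
    """One login request. Throttle first, so a high-scoring bot still cannot
    brute-force; then the captcha verdict; then the password itself."""
    if not throttle.allowed(username, ip, now):
        return "throttled"
    ok, reason = check_siteverify(siteverify_body, "login_password", hostname, now)
    if not ok:
        throttle.record_failure(username, ip, now)
        return "captcha rejected: " + reason
    if not password_ok:
        throttle.record_failure(username, ip, now)
        return "bad password (%s)" % reason
    return "logged in (%s)" % reason


def sample_body(now, score=0.9, action="login_password", hostname="example.test"):
    """Constructed siteverify body in Google's documented shape (not real data)."""
    return json.dumps({"success": True, "score": score, "action": action,
                       "challenge_ts": now.strftime(TS_FMT), "hostname": hostname})


def replay_question_log():
    """Re-create the question's pattern: ten wrong-password attempts a few
    seconds apart, each scoring 0.9. Returns the decision for each attempt."""
    throttle = LoginThrottle()
    t0 = datetime(2018, 7, 19, 17, 24, 4, tzinfo=timezone.utc)
    decisions = []
    for i in range(10):
        now = t0 + timedelta(seconds=3 * i)
        decisions.append(handle_login(throttle, sample_body(now), "alice",
                                      "203.0.113.7", False, now))
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(replay_question_log(), 1):
        print("attempt %2d: %s" % (i, d))
```

Running it prints ten decisions: the first five are "bad password (score 0.9)" and the rest "throttled", so the lockout comes from the attempt counter, never from the score. Checking action and hostname before looking at the score matters: a token minted for a low-value form on another page, or on an attacker's own page embedding your site key, would otherwise arrive with a perfectly good score.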
