What do I do with low Scores in reCAPTCHA v3?
I have set up reCAPTCHA v3 on my ASP.NET MVC project. Everything is working fine and is passing back data properly.

So the code below depends on another dll I have, but basically, the response is returned in the form of an object that shows everything that the JSON request passes back, as documented by https://developers.google.com/recaptcha/docs/v3

It all works.

But now that I know the response was successful, and I have a score, what do I do? What happens if the score is .3 or below? Some people recommend having v2 also set up for secondary validation (i.e. the 'choose all the stop signs in this picture' or 'type the word you see'). Is that really the only 'good' option?

Obviously the code isn't perfect yet. I'll probably handle the solution in the AJAX call rather than the controller, but still. What should I do if the score is low?

I read this article, "reCaptcha v3 handle score callback", and it helped a little bit, but I'm still struggling to understand. I don't necessarily need code (although it would never hurt) but just suggestions on what to do.

VIEW:

<script src="https://www.google.com/recaptcha/api.js?render=@Session["reCAPTCHA"]"></script>
<script>
    grecaptcha.ready(function () {
        grecaptcha.execute('@Session["reCAPTCHA"]', { action: 'homepage' }).then(function (token) {
            // Send the token to the server, which verifies it and reads the score
            $.ajax({
                type: "POST",
                url: "Home/Method",
                data: JSON.stringify({ token: token }),
                contentType: "application/json; charset=utf-8",
                dataType: "json",
                success: function (response) {
                    console.log('Passed the token successfully');
                },
                // jQuery's callback for a failed request is "error", not "failure"
                error: function (xhr) {
                    alert(xhr.responseText);
                }
            });
        });
    });
</script>

CONTROLLER:

[HttpPost]
public void ReCaptchaValidator(string token)
{
    ReCaptcha reCaptcha = new ReCaptcha();
    // response mirrors the JSON returned by the verification request, including success and score
    Models.ReCaptcha response = reCaptcha.ValidateCaptcha(token);

    if (response.Success)
    {
        //WHAT DO I DO HERE????
    }
}
Idel answered 18/9, 2019 at 17:47 Comment(2)
Note that in your code snippet you never actually verified that the score returned from the validation was good or bad. Checking for a successful response does not indicate that you should let the user proceed, it just means your request was well formed. - Romie
Yeah I wasn't worried about the code itself, but I had to put it in here or else people get unnecessarily angry. I was getting the score back, but that wasn't really what the question was about. - Idel

Ended up getting the answer from another forum. Basically, the answer is "anything you want". There is no right or wrong when handling a successful response.

So what could be done, is if the response is successful and CAPTCHA doesn't throw a flag, do nothing. But if CAPTCHA is unhappy, you could display an alert or a banner that says 'could not process', or you could even add in CAPTCHA version 2, which would make them do the picture test or the 'I am not a robot' checkbox, etc.

Idel answered 5/12, 2019 at 19:28 Comment(1)
Same problem here. Client is not happy that there is simply NO captcha shown if score is low, and we all know how often we had to solve captchas due to "low" score on websites. Recaptcha v3 is weird therefore. I ended up using V3, and if score is low, then Recaptcha V2 is loaded to present a captcha. - Intervale
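
One way to turn the verification response into the outcomes discussed in the answer above (do nothing, fall back to a v2 challenge, or show 'could not process'). This is an added example, not code from the original posts; the `RecaptchaPolicy` and `CaptchaDecision` names, the two thresholds and the use of `System.Text.Json` are assumptions, and the sample responses are constructed.

```csharp
using System;
using System.Text.Json;

public enum CaptchaDecision { Allow, ChallengeWithV2, Reject }

public static class RecaptchaPolicy
{
    // Assumed thresholds; tune them against the scores your own traffic produces.
    const double AllowAt = 0.5;
    const double ChallengeAt = 0.3;

    // json: body returned by the verification request for the posted token.
    public static CaptchaDecision Decide(string json, string expectedAction)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement root = doc.RootElement;

        // success == false: the token was invalid, expired or reused, so there is no score to trust.
        if (!root.TryGetProperty("success", out var ok) || ok.ValueKind != JsonValueKind.True)
            return CaptchaDecision.Reject;

        // A token issued for a different action must not be accepted for this one.
        if (!root.TryGetProperty("action", out var action)
            || action.ValueKind != JsonValueKind.String || action.GetString() != expectedAction)
            return CaptchaDecision.Reject;

        if (!root.TryGetProperty("score", out var s)
            || s.ValueKind != JsonValueKind.Number || !s.TryGetDouble(out double score))
            return CaptchaDecision.Reject;

        // Middle band: give a human the chance to prove it with a v2 challenge.
        if (score >= AllowAt) return CaptchaDecision.Allow;
        if (score >= ChallengeAt) return CaptchaDecision.ChallengeWithV2;
        return CaptchaDecision.Reject; // e.g. show the 'could not process' banner
    }

    public static void Main()
    {
        // Constructed sample responses, shaped like the documented verification JSON.
        string[] samples =
        {
            "{\"success\":true,\"score\":0.9,\"action\":\"homepage\"}",
            "{\"success\":true,\"score\":0.3,\"action\":\"homepage\"}",
            "{\"success\":true,\"score\":0.9,\"action\":\"login\"}",
            "{\"success\":false,\"error-codes\":[\"timeout-or-duplicate\"]}"
        };
        foreach (string sample in samples)
            Console.WriteLine($"{Decide(sample, "homepage")}  <-  {sample}");
    }
}
```

The decision has to be made in the controller, since the score only exists in the server-side verification response; the AJAX `success` callback can then react to whichever outcome the server returns.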

Maybe it's not what you're looking for, but you can set a lower score while you find a better solution... I'm considering to switch back to v2 change the score value

Acquisitive answered 8/10 at 19:37 Comment(0)
