The new Google Invisible reCaptcha - invisible or not? - recaptcha

Google announced Invisible ReCAPTCHA is coming soon. For now, if you want to integrate the new reCAPTCHA to your site or app you can register here.
I do have 2 site keys whitelisted for the new Invisible reCaptcha and I've started "playing" with their examples: see them here https://developers.google.com/recaptcha/docs/invisible
Yes, when the page loads the recaptcha is invisible but when the form is submitted the recaptcha challenge appears all the time. You have to click on images, draw something around something else... etc
I've been testing this on different servers, 2 different sites which have the site key approved to use the Invisible reCaptcha, with different browsers from different locations. Same behavior: Google shows the challenge when the form is submitted on all 3 examples they have on their page.
Is this what we should expect?

Just as with the checkbox, if it can't reliably determine if you aren't a bot, you get a challenge. I can confirm that the invisible part does work when you are detected as a human.

Actually you have to approve the Terms of Service when you create a new reCAPTCHA site, that says that
You agree to explicitly inform visitors to your site that you have implemented the Invisible reCAPTCHA on your site and that their use of the Invisible reCAPTCHA is subject to the Google Privacy Policy and Terms of Use.

Related

Whitelist IP for invisible reCaptcha v2

Our customer service is an important user of our website. When doing their work they frequently send requests to the part of our website that is protected by invisible reCaptcha (v2). For that reason I think their actions are being marked as suspicious by reCaptcha and they keep getting the reCaptcha where you need to select photos with a certain image; this has made their work quite a bit more time consuming. Is there a solution for this? Perhaps by whitelisting our IP so traffic from our IP will never be suspicious, and the reCaptcha with the images will not show?
I couldn't find the answer in the documentation so hope that someone can help!

Google reCAPTCHA v3 should go in every page or not?

I'm migrating from Google reCAPTCHA v2 to v3. As they are quite different, I have a question.
I used to place my reCAPTCHA v2 only inside web pages where a form exists, to make users click and avoid bots. That's understood, ok, but with reCAPTCHA v3 there is NOT a checkbox where to click on (reCAPTCHA v3 analyzes the user behaviour and clicks).
So... should I place the reCAPTCHA v3 just in form pages or should I place it in each and every page I have (to make reCAPTCHA observe how the user interacts with the web)?
I would disagree with Galzor’s answer. The documentation says that
The score is based on interactions with your site and enables you to take an appropriate action for your site.
It’s “site” and not page. It goes on to say
reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
To me that last sentence means “every page with analytics on my site” — i.e. every page, whether it has a form on it or not. Which then gives rise to all sorts of privacy concerns, see also here.
Now my question is: what does the “reCAPTCHA verification” refer to? Including the api.js script or executing something or… 🤔
Unfortunately, the docs don’t spell this out clearly.
Addendum
(Feb 2023)
I switched to hCaptcha and their docs are also somewhat unclear. However, their customer service responded with
You should add the script and the DOM container with hCaptcha widget only on the contact form page and then call our /siteverify endpoint to validate the user.
and
Same scenario for second case, add it only on the sign up page and if validated within our side the user should be able to log in.
Based on that response I added the CAPTCHA only to the Contact page of my website and to the Sign Up page of the webapp.
Not sure this would also apply to Google’s CAPTCHA, though.
I don't think it should go into every page. Mostly the users will find it too intrusive on all pages. In my opinion, use it on pages with a form only.
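
The answers above turn on the v3 score and on what "verification" means on the server. As an added example (not from the thread or from Google's or hCaptcha's documentation), this evaluates the JSON a server receives back from reCAPTCHA v3's siteverify endpoint; the policy values (threshold, freshness window, hostname, action name) and the sample response are constructed assumptions.

```javascript
// Added example: server-side handling of a reCAPTCHA v3 siteverify response.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Form-encoded POST body the server sends to SITEVERIFY_URL.
function buildVerifyBody(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set("remoteip", remoteIp); // optional parameter
  return params.toString();
}

// Assumed site policy, not values taken from the page.
const POLICY = {
  hostnames: ["example.com"], // hosts allowed to mint tokens for this key
  action: "contact",          // action name passed to execute() on the form
  minScore: 0.5,              // below this, fall back to a step-up check
  maxAgeMs: 2 * 60 * 1000,    // reject tokens older than two minutes
};

// Decide what to do with a parsed siteverify response.
function evaluate(resp, policy, now = Date.now()) {
  if (!resp || resp.success !== true) {
    const codes = (resp?.["error-codes"] || []).join(",");
    return { allow: false, reason: "failed:" + codes };
  }
  // A token minted on another site or for another action must not be
  // replayed against this form, however high its score.
  if (!policy.hostnames.includes(resp.hostname))
    return { allow: false, reason: "hostname-mismatch" };
  if (resp.action !== policy.action)
    return { allow: false, reason: "action-mismatch" };
  const age = now - Date.parse(resp.challenge_ts);
  if (Number.isNaN(age) || age > policy.maxAgeMs)
    return { allow: false, reason: "stale-token" };
  // v3 never shows a challenge itself; the site chooses the low-score action.
  if (typeof resp.score !== "number" || resp.score < policy.minScore)
    return { allow: false, reason: "low-score", stepUp: true };
  return { allow: true, reason: "ok" };
}

// Constructed sample response in the documented v3 shape.
const NOW = Date.parse("2023-02-01T12:00:30Z");
const SAMPLE = {
  success: true, score: 0.9, action: "contact",
  challenge_ts: "2023-02-01T12:00:00Z", hostname: "example.com",
};
console.log(evaluate(SAMPLE, POLICY, NOW));
console.log(evaluate({ ...SAMPLE, score: 0.1 }, POLICY, NOW));
```

Only the script on the page produces the token; the allow or deny decision is made by the server from this response, so the secret key never reaches the browser.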

How can I build a webapp which uses google calendar api without having to become verified?

What I want to build:
I want to build a website where users can connect their google calendars (this will use Google Calendar API's)
and view their calendar events, as well as edit them, and create new ones.
My problem:
In order to do so, google says my app needs to be verified, which can take weeks, and I also need to set up terms of services pages, privacy policy pages
I also need to supply authorised javascript origins which MUST start with https, which of course is a problem during development, since my origin is http://localhost
I also need to set up support emails and homepage link
Question
I just want to start building my application without having to set up a whole production-ready website eco system.
Is there any way I can use these Google Calendar APIs for editing/creating calendar events locally, without having to set up everything mentioned above first?
Unverified apps can still be used by the developer who created the project on google developer console.
Unverified app screen
The app or script might display an "unverified app" screen before it displays the consent screen. This is based on the specific scopes that your app includes in the request.
You can still work on your app while you are going through the verification process. However, that being said, I would start that process ASAP; it can take a long time to get verified.
Yes, you can. As far as I am able to tell, all the verification step does is remove the "unverified app" screen. As long as you click Advanced > Go To ... (unsafe), you should be able to create and edit calendar events for that user in your application.
In order to be able to create and edit calendar events, you need to use the most sensitive scope, which is https://www.googleapis.com/auth/calendar. I couldn't figure out how to edit and create calendar events in my web app until I changed my scope from calendar.events to calendar.
Creating Events: https://developers.google.com/calendar/create-events

Newsletter signup for Mailchimp : Recaptcha not showing

Originally I used the Mailchimp embed form for newsletter signup.
But it was not reCAPTCHA enabled. It worked well, but a few hours ago I noticed a large amount of spam signups at Mailchimp.
So I was going to add reCAPTCHA to my form to prevent bots.
I went to Mailchimp -> Settings -> List name and campaign defaults and I saw the checkbox for enabling reCAPTCHA as below.
Mailchimp Enabling reCAPTCHA
I enabled it. The problem is that I cannot see reCAPTCHA box on the form. And I tested with several fake data and
the result is everything worked well as before.
Could anybody help me? Where am I wrong?
We started getting spam signups as well. It turns out the reason for that is that Mailchimp turned off double opt-in a few weeks ago. So I turned it back on and the spam signups stopped.
I would rather use reCaptcha than double opt-in but, like you, cannot get reCaptcha to work.

How can I test the case where invisible Recaptcha detects a suspicious user?

I plan to use Google's invisible recaptcha to make sure bots don't sign up on my website. I think I followed all the instructions, but I want to test it to make sure it works and see how it looks. But I'm a human, so it just lets me click with no problems. Is there a way to make the invisible recaptcha think I'm a bot so I can test that experience on my site?
Try accessing your website through Tor. If you try using Google Search through Tor it will continuously offer you a reCAPTCHA, because bots are often using the IP addresses associated with Tor and Google knows this. I imagine it will work for your website as well.
