Ever had to click through a grid full of images or decipher barely legible words just to prove to a website that you’re human? You may not have to ever again. Google has unveiled major changes to its reCAPTCHA tests.
Google had a lofty goal for version 3 of the technology it acquired from Carnegie Mellon almost a decade ago. The company wanted to make the reCAPTCHA process “frictionless.” No more images to click. No more scribblings to decode. Not even a box to check.
The new reCAPTCHA is now here, and Google has accomplished its goal. The test is completely invisible to users.
When you land on a website that’s using reCAPTCHA v3 you won’t even know your humanity is being verified. Everything happens silently in the background. Only the site your visiting and Google’s reCAPTCHA servers are aware that anything is going on.
How can Google determine that you’re a person and not a bot without making you do anything?
Because you’ve already done plenty in your browser. All Google has to do is analyze what you’ve already done.
Instead of inserting Google’s reCAPTCHA code on a single page, webmasters are advised to add it to several pages. That allows Google to more accurately track a visitor’s behavior — and ultimately make the call whether someone is an ordinary user or an attacker looking to compromise the site.
Google calls this background testing “adaptive risk analysis.” Each site visitor is given a test score and it’s up to the site to decide what happens after that. Low scores (suspicious users) can be forced to take additional tests. Those might include old-school reCAPTCHA challenges or entering a verification code sent via text message.
Users who receive higher scores are believed to be legit and can go about their business without interruption.
As the ThreatPost blog points out, reCAPTCHA v3 will make it much harder for scripts and bots to fool and abuse websites. A single test on a single page might be easy enough to defeat, but beating multiple tests across a website will prove much, much harder.
reCAPTCHA v3 could lead to a significant drop in comment spam, and that’s good news for all of us.
All of us who aren’t running disinformation campaigns, anyway.
This article originally appeared on Forbes