How does Google reCAPTCHA v2 work behind the scenes?

everlasto picture everlasto · Dec 4, 2014 · Viewed 131.7k times · Source

This post refers to Google ReCaptcha v2 (not the latest version)

Recently Google introduced a simplified "captcha" verification system (video) that enables users to pass the "captcha" just by clicking on it.

But how can it differentiate a bot from a person just by a click?

As per this answer, (assuming a similar implementation), at first "recaptcha" generates a hidden key and attaches it to a hidden input element and also lazily renders a check box (not an actual check box input but a div) with the same key which when clicked, sends an asynchronous request (XHR) to the Google backend servers to mark it as a valid verification key (i.e. a key that has to be validated when the form is submitted).

But why can't bots automate that click (at least, browser-based bots)?

How might this work?

Answer

AgmLauncher picture AgmLauncher · Dec 4, 2014

This is speculation, but based on Google's reference to the "risk analysis engine" they use (http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html)

I would assume it looks at how you behaved prior to clicking, how your cursor moved on its way to the check (organic path/acceleration), which part of the checkbox was clicked (random places, or dead on center every time), browser fingerprint, Google cookies & contents, click location history tied to your fingerprint or account if it detects one etc.

It's fairly difficult to fake "organic" behavior in such a way that it would fool a continuously learning pattern detection engine. In the cases where it's not sure, it still prompts you to match an actual CAPTCHA string.