Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That is not entirely true. If your threshold is low then it appears and you get accessibility issue. Not to mention tracking hell of out the users.


You’re confusing multiple badly named products by Google. You’re thinking of Invisible reCAPTCHA rather than reCAPTCHA v3.

reCAPTCHA v2 is the “I’m not a robot” checkbox widget followed by challenges if Google doesn’t like you.

Invisible reCAPTCHA is reCAPTCHA v2 but the site initiates verification instead of the user being given an “I’m not a robot” checkbox widget to click; but if Google doesn’t like you, it’ll still trap you in the purgatory¹ of puzzle solving. Site operators can then blame Google, for all the good that does. “Invisible reCAPTCHA” is a bad name for the product, because it’s not invisible.

reCAPTCHA v3 never presents a challenge for you to solve, but decides a score (in practice, I’ve only seen 0.1, 0.3, 0.7 and 0.9) where higher means Google’s feeling more friendly towards you, and it’s up to the site operator to decide what to do with that score—whether to simply deny access to people that Google doesn’t like (catastrophically bad and widely illegal, as it blocks legitimate users with no recourse) or to do something else. But now the liability for blocking real people is clearly with the site operator and not Google. But of course far too many people will ignore Google’s “don’t gate on this alone” direction and just see the higher version number and assume it must be better than reCAPTCHA v2. “reCAPTCHA v3” is a bad name for the product because it’s not a CAPTCHA, as there’s no challenge; it’s straight fraud detection.

¹ Some hold it’s hell, rather than purgatory.


such a mess.

As @j3th9n mentioned, reCAPTCHA v3 does have challenge and you can invoke it based on a score.

https://developers.google.com/recaptcha/docs/v3#programmatic...


They shouldn’t have called it a “challenge” there. It’s not a challenge; it’s just executing the verification function. Chalk up another one for harmfully incorrect terminology. (Admittedly “verification” is also an overloaded term, as it gives you a token which your backend subsequently needs to verify.)

(As they confirm near the start of the document, “reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion.”)


It doesn't appear automatically, it's programmable [1], you as a developer decide what to do with a low score, you could ask for extra verification for example. I agree with the tracking and privacy issues with ReCAPTCHA.

[1] https://developers.google.com/recaptcha/docs/v3#programmatic...


Thanks for the link. I didn't know the developer could prevent reCAPTCHA from appearing.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: