Form compatibility with reCAPTCHA v3

SanfordWhiteman
Level 10 - Community Moderator

Re: Form compatibility with reCAPTCHA v3

You don't need to re-include the standard embed code, no.

Steve_Schimmel
Level 3

Re: Form compatibility with reCAPTCHA v3

Thanks so much!

One last question – do you have any insight into how exactly V3 works? I am used to seeing the bridges and fire hydrants that need to be selected, but V3 seems to recognize spam without requiring user participation. I assume they must do this by recognizing IP addresses likely to be bots?

If that is the case, do you know what happens when someone that Google identifies as spam tries to fill out the form? Does the recaptcha V3 prevent them from filling out the form, or does it send some value through the form telling me that this is likely a spam bot?

Thanks, I am trying to do some research myself but haven’t found what I am looking for. The best explanation I found is this https://codeforgeek.com/google-recaptcha-v3-tutorial/ saying that the form wont be able to be filled out, but just wanted to confirm that is your understanding as well.

As always, thanks!

Steve

Steve Schimmel | Marketing Automation Expert | Sony Electronics Inc. | Professional Solutions Americas | P 201-930-7124 | C 201-312-4505 | stephen.schimmel@am.sony.com<mailto:stephen.schimmel@am.sony.com>

Please consider the environment before printing this email.

<https://pro.sony.com/bbsc/ssr/show-mobileapp/resource.solutions.bbsccms-assets-show-mobileapp-mobileappdownload.shtml?PID=I:hp_bottom_carousel:Mobile_App>

SanfordWhiteman
Level 10 - Community Moderator

Re: Form compatibility with reCAPTCHA v3

reCAPTCHA (all versions) never stops a form from being so submitted by an attacker. The idea is that the non-human quality of the form post is detected on the server, based on the "fingerprint" taken by the reCAPTCHA JS library.

You need to wait for the fingerprint to be generated, but under no circumstances do you know *on the client* whether the fingerprint is legit or not. That gets checked on the server.

reCAPTCHA v3 takes the fingerprint beyond just Boolean non-human/human and generates a numeric certainty value instead (between 0 and 1). You decide on the server what your threshold will be, based on characteristics of your users (usu. the question is whether 0.6 and 0.7 are rounded down to non-human).