Many businesses have long relied on reCAPTCHA to stop malicious bot traffic. However, in recent years, as bots have advanced, reCAPTCHA has not evolved in kind, and it is easily bypassed by even basic, off-the-shelf automated programs. In an attempt to upgrade its solution, Google launched its latest version, reCAPTCHA v3, which for the first time also has a commercial component, known as reCAPTCHA Enterprise. While this version is meant to protect large companies from bot attacks, it unfortunately still has many flaws. Here are the top 5 limitations of reCAPTCHA Enterprise.
1. Too Many False Positives
Good users are often classified as suspicious by reCAPTCHA and forced through onerous friction to authenticate themselves. This is largely because it depends heavily on Google cookies. That means if you are a Chrome user, or are logged into a Google account such as Gmail, Google knows much more about you and how “suspicious” your web activity is. However, if you use another web browser, are not a Google user, or use a VPN for privacy purposes, you will most likely be flagged as suspicious by reCAPTCHA Enterprise.
2. Susceptible to Advanced Bots
Image recognition software has become so advanced that it can solve most reCAPTCHAs with little difficulty. And such software is easy to obtain: a simple web search for bots that solve reCAPTCHA turns up dozens of results, some of which offer access to automated scripts for as little as $20/year. In 2022, it is both easy and inexpensive for attackers to buy bots from various marketplaces that solve reCAPTCHAs in seconds.
3. Pricing Model
One of the advantages of reCAPTCHA had been that it was free. But reCAPTCHA Enterprise is not free, and it is difficult for businesses to justify the ROI of implementing this solution. reCAPTCHA Enterprise charges businesses after the first 1 million assessments per month. This can become very costly for organizations with large traffic volumes, such as e-commerce sites, gaming platforms, and digital banking apps. And it still does not provide robust protection against sophisticated attacks. If businesses are going to spend money on an anti-bot solution, they might as well spend it on one that effectively stops attacks.
4. Still the Same Challenge
reCAPTCHA Enterprise claims to work invisibly and to show fewer of the onerous challenges that consumers have grown to loathe. But if it returns a risk score that indicates potentially suspicious traffic, what are the options for website admins that use reCAPTCHA Enterprise?
They must test that traffic with the same old tile-based reCAPTCHA that is easily defeated by bots and frustrates good users. This is especially onerous given the high rate of false positives reCAPTCHA Enterprise has, as noted above. Short of using the old reCAPTCHA challenge, businesses can build their own or invest in another challenge-response mechanism, which adds further time and cost.
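To make the decision point concrete, here is an added illustration (not Google's code or API) of how a site's server side typically consumes an Enterprise-style risk score: the score is mapped into allow / step-up / block tiers, and the same policy is run over a constructed sample of known-good visitors to measure how much friction the false positives described in point 1 would impose. The assessment is passed in as a plain dict whose `score`, `action` and `valid` fields are assumptions for this example; the thresholds, the `login` action name and the sample scores are likewise constructed.

```python
"""Tiered handling of a reCAPTCHA Enterprise-style risk score (added example).

Assumes the assessment has already been fetched server-side and is handed in
as a dict with:
  score  -- float in [0.0, 1.0]; 0.0 = likely automated, 1.0 = likely human
  action -- the action name the client token was minted for
  valid  -- whether the token itself verified (not expired, reused or forged)
These field names are assumptions for this illustration, not a client library.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # let the request through
    STEP_UP = "step_up"  # route to a secondary challenge (legacy tile CAPTCHA or your own)
    BLOCK = "block"      # reject outright


@dataclass(frozen=True)
class Policy:
    allow_at: float = 0.7       # score at or above this is accepted without friction
    block_below: float = 0.3    # score below this is rejected; in between gets a challenge
    expected_action: str = "login"  # the action this endpoint expects the token to carry


def decide(assessment: dict, policy: Policy = Policy()) -> Decision:
    """Map one assessment to an action under the given policy."""
    # A token that failed verification or was minted for a different form/action
    # is treated as hostile regardless of score: replayed tokens look "human".
    if not assessment.get("valid", False):
        return Decision.BLOCK
    if assessment.get("action") != policy.expected_action:
        return Decision.BLOCK
    score = float(assessment.get("score", 0.0))
    if score >= policy.allow_at:
        return Decision.ALLOW
    if score < policy.block_below:
        return Decision.BLOCK
    return Decision.STEP_UP


def friction_rate(assessments, policy: Policy = Policy()) -> float:
    """Fraction of a batch that would be challenged or blocked.

    Run over traffic you independently know to be legitimate (e.g. sessions
    that later completed a purchase), this is a direct measure of the
    false-positive burden the score imposes on good users.
    """
    if not assessments:
        return 0.0
    hindered = sum(1 for a in assessments if decide(a, policy) is not Decision.ALLOW)
    return hindered / len(assessments)


# Constructed sample: five visitors later confirmed as legitimate. The low scores
# model the browser/cookie/VPN situations described in point 1.
KNOWN_GOOD_SAMPLE = [
    {"valid": True, "action": "login", "score": 0.9},  # Chrome, signed into Google
    {"valid": True, "action": "login", "score": 0.8},  # Chrome, Google cookies present
    {"valid": True, "action": "login", "score": 0.6},  # non-Google browser
    {"valid": True, "action": "login", "score": 0.4},  # privacy-hardened browser
    {"valid": True, "action": "login", "score": 0.2},  # VPN exit node
]

if __name__ == "__main__":
    for a in KNOWN_GOOD_SAMPLE:
        print(a["score"], decide(a).value)
    print("friction rate on known-good traffic:", friction_rate(KNOWN_GOOD_SAMPLE))
```

Every request that lands in `STEP_UP` is the case the section describes: the admin still has to fall back on a secondary challenge, and the `friction_rate` figure is what that costs good users. Lowering `allow_at` reduces that figure but widens the band that automated traffic with a purchased solver can pass through, which is the trade-off the score alone cannot resolve.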
5. Data Privacy
reCAPTCHA Enterprise collects many different data points on users in order to make its risk decisions. This is a problem given the growth of consumer data privacy laws around the world. Data privacy has become a major issue, and many governments regulate how much and what type of user data businesses can collect. Using reCAPTCHA Enterprise means companies risk running afoul of such laws. Instead, they should seek a solution that collects the minimum amount of PII possible when making its risk decisions.