> No mention of device integrity verification yet

If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.

E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245

(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)

In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.

This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.

[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974

This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.

Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.

I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.

I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.

I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.

I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.

... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.

I know, people will slavishly knuckle under, but let me dream for a few minutes.

Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?

This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHA's are no longer effective against. Google's not forcing this on anyone else.

> but the writing is on the wall.

Only if politicians are still corrupt and law enforcement doesn't work.

Which means the writing is on the wall.

I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.

I will stop using those websites altogether.

You know, its funny, I don't think I've ever seen captcha on HN once.

Well, internet is dead anyway so they can keep the keys to the kingdom. I frankly do not care anymore. The meek shall inherit the Earth

But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

Whats to stop malicious actors (bad extensions, compromised cdn, etc.) from painting over the qr code or injecting their own? This is so incredibly terrible.

You would not last long in China ;)

(you pay by scanning QR code in .. well, everywhere)

Many sit-in restaurants enforce QR codes ordering. Started during covid, but keeps happening, especially outside US in my experience.

Where are those ‘mark of the beast’ cranks when you need them?

It's coming.

The Poshmark morons demanded government id to buy a $35 shirt. On an established account, an address that matched my credit card, etc.

The only answer is delete your account.

Im in the community reverse engineering web CAPTCHAs, it's because they are too easy to reverse engineer with Claude now.

I've seen multiple people break botguard (the obfuscation used by recapcha) within the last year when before it was considered a huge technical envour.

Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.

Where is this specified? I don't see that in TFA.

Does anybody trust it? MacOS seems to be the only desktop platform I see be trusted.

That means you're a peasant, and don't matter. Don't worry, they'll work with telecoms and carriers to ensure devices matching your budget are subsidized and made available at every possible opportunity.

Then you have already have not been very present in the analytical data that these business decisions are based on.

I shuddered when I realized that Google would require (smart)phones for recaptcha.

I say this because I used to have a dumb-phone for an year and more and I only stopped using it when it broke (its battery fried but its replacable but I don't find battery its size). No smart-phone period,(I am a teen so I can afford to do that)

Recently, I wanted to make a google account, guess-what, I literally couldn't make a google account without having an (smart)phone. Google's new feature on making a google account also requires you to qr code your way into, similar to this re-captcha.

I tried to somehow find ways to have a phone number OTP but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).

I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.

Even though I have verified my phone number on google, I had to verify the phone number on youtube again to upload a video >15 minutes iirc and yknow I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much, yes their rate limit of too much is 1

I was sharing all of this with some of my online friends with screenshots. I probably wished to write a blogpost about it that you can't use google without having an (smart)phone.

and now, you are telling me, that Google is gonna force me/us the same but for viewing the open internet, the content and websites that they don't even control. There was one thing about google doing this BS in their own websites because I thought that although really sh.tty, but they don't care about me enough to want me as a user so fine (it wasn't but still)

But this just takes it to an extremely completely next level. I can't stress how bad this all is.

Even after all of the previous things, I still was like, well this problem of google account can still be fixed/isn't thaaat large more than its annoying/frustrating and Google as a company is still mostly fine as compared to other tech giants except from their locking down android thing but this all changed with this move.

With age verification, locking down android, requiring android, recent Utah/UK laws which somehow threaten websites. Internet is turning into Dystopia. We are gonna slowly move towards a allowlist internet where only select few websites are used. For a large swath of the population this is already the case so the voices protesting are quite few but we must do what we can to protest them all from killing the internet. Sorry this got long but I can't stress how bad of a move this is as someone who used to use dumbphone, Google is basically saying that I can't use the internet if I have a dumb-phone.

Go fuck yourself?

I mean, that seems to be the general societal attitude.

And you'll need to buy new ones because many things are app only, or are migrating that way (including being able to travel to certain countries)

Scan QR code -- you don't have our "captcha app" installed, automatically redirect to Play store -- download malware because Google Play's horrible screening -- profit

I must not be the first one to think of this, right?

Right???

Overall it’s a reason to sigh deeply and thank our fellow “visionary leaders” for making everything that little bit worse. At least we’re getting an AI paradise out of the deal right?

Right?

Which means, it's urgent that more and more people realize there are alternative to the everything-on-the-phone situation they live in. And that owning one is not mandatory and should not be (by the way, politicians should also wake up).

They only want dumb humans doing the shopping not some hyper-focused bot that wont add any extra items into the shopping cart.

The app that scans the code talks to the TPM in your phone to prove that your phone is running an unmodified Google OS.

Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.

It's hard to say which one is more maddening annoying

From one egg basket to another; both are flawed in design.

You don’t need to. As long as the dumb majority goes along with it, your options are to capitulate or get locked out of society.

Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).

But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.

Just show us your face and transactions history, it's about the kids.

No. Just more rejection and labelled as a terrorist.

The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.

You can't, really. If a user can access the site, so can a bot.

You may be able to make it more expensive than your information is worth, but of course that affects users too.

Perfectly: They're not; that's not really possible.

Adequately: Proof of work. https://anubis.techaro.lol/

Before the age of AI, most bots aren’t sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like selenium or playwright. People couldn’t stop bots reliably but they could easily stop 99% of bots. That is of course no longer true which is why reCAPTCHA had to evolve.

They're expecting everyone to whitelist Google agents because Google has the market share for people to complain if Google agents don't work.

It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.

Point On! Probably done by two different teams, who don't know about each other. I hate this (re)captcha so bad. They assume everyone is bad.

With the apparent competence that built Gemini, I have zero faith in Google building or doing anything that works anymore.

++1

Does reCAPTCHA ever claim to detect or block labor farms? From its old name it just seems to block bots only. (Bots are nowadays called agents.)

I imagine again a worldwide search for the cheapest labor. Mechanical Turk on steroids.

Lina Khan never ran the FCC. She also had no business running the FTC, but turns out that "The Common Law Origins of the Infield Fly Rule" was the last law review article anyone actually read and you can write complete garbage and end up running an administrative agency and lose a lot of frivolous attempts at regulation. As long as you went to an Ivy.

What does the FCC have to do with this?