Should I use ReCAPTCHA v2 or v3?
While the other answer describes the different types of reCAPTCHA that Google has, it does not address what I think may be the real issues. As I was wondering about this myself, I came across this article. I summarize what I think is relevant:
According to tech statistics website Built With, more than 650,000 websites are already using reCaptcha v3; overall, there are at least 4.5 million websites use reCaptcha, including 25% of the top 10,000 sites. (as the 27th of June, 2019)
The data is changing quickly, right now some 2,602,509 sites seem to be using v3.
Also relevant, v3 works better if its code is installed in all web pages of a site. This means less user privacy. Although Google states that:
reCaptcha’s API sends hardware and software information, including device and application data, back to Google for analysis, and that the service is only used to fight spam and abuse.
So:
- Google reCAPTCHA v3 is easier for the users, but as more sites use v3, more will be the information that Google has about them, as tracking a user across sites that use v3 is technically possible.
- Google reCAPTCHA v2 takes more work for the user, but seems to be less intrusive regarding privacy.
- v3 seems to be gaining momentum quickly.
- Google seems committed to maintain both v2 and v3 in the future.
Regarding safety, I can tell from experience that v2 does not stop all spam. This is probably due to spammers using CAPTCHA farms (real people solving the bot's problems.) I don't have that much experience with v3.
So IMHO, I would go for v3 (already widely adopted) unless maximum user privacy is a must. But if you are using Google Analytics to measure a site's traffic, using v2 for added privacy may be irrelevant.
Any comment regarding safety of v3 from a trusted source or site experience will be appreciated!
v3 allows you to verify if an interaction is legitimate with no user interaction. It is a pure JavaScript that compiles a score, giving you the ability to take other actions like requiring additional factors of authentication.
v2 comes in 2 versions
"I'm not a robot" Checkbox - requires the user to click a checkbox indicating the user is not a robot. This will either pass the user immediately (with No CAPTCHA) or challenge them to validate whether or not they are human.
The invisible reCAPTCHA badge - does not require the user to click on a checkbox, instead it is invoked directly when the user clicks on an existing button on your site or can be invoked via a JavaScript API call. The integration requires a JavaScript callback when reCAPTCHA verification is complete. By default only the most suspicious traffic will be prompted to solve a captcha.
Which one is best for you will be depending on the nature of your website. For a general use site, I'd certainly use v3 as it minimizes the interruption of users with challenges.