On Wednesday, Google announced that many of its new “Captchas”—the squiggled text tests designed to weed out automated spambots—will be reduced to nothing more than a single checkbox next to the statement “I’m not a robot.” No more typing in distorted words or numbers; Google says it can, in many cases, tell the difference between a person or an automated program simply by tracking clues that don’t involve any user interaction. The giveaways that separate man and machine can be as subtle as how he or she (or it) moves a mouse in the moments before that single click.
“For most users, this dramatically simplifies the experience,” says Vinay Shet, the product manager for Google’s Captcha team. “They basically get a free pass. You can solve the catptcha without having to solve it.”
Google's new captcha, which requires only a click in a checkbox.
Instead of depending upon the traditional distorted word test, Google’s “reCaptcha” examines cues every user unwittingly provides: IP addresses and cookies provide evidence that the user is the same friendly human Google remembers from elsewhere on the Web. And Shet says even the tiny movements a user’s mouse makes as it hovers and approaches a checkbox can help reveal an automated bot.
“All of this gives us a model of how a human behaves,” says Shet. “It’s a whole bag of cues that make this hard to spoof for a bot.” He adds that Google also will use other variables that it is keeping secret—revealing them, he says, would help botmasters improve their software and undermine Google’s filters.
In cases where a mere click doesn’t produce a conclusive response, a pop-up window will require users to decipher the same old distorted text. In tests during the past week on sites that use Google’s captcha, however, it’s verified most human users without that backup. About 60 percent of WordPress users and 80 percent of users at video game sales site Humble Bundle got past the captcha with only the checkbox.