118 comments

[ 2.9 ms ] story [ 104 ms ] thread
Google clearly wants only Google approved models to traverse the web.
They only want dumb humans doing the shopping not some hyper-focused bot that wont add any extra items into the shopping cart.
The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.
Does anybody trust it? MacOS seems to be the only desktop platform I see be trusted.
Im in the community reverse engineering web CAPTCHAs, it's because they are too easy to reverse engineer with Claude now.

I've seen multiple people break botguard (the obfuscation used by recapcha) within the last year when before it was considered a huge technical envour.

Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.

I think the pathetic thing about this is that it’s so much less intuitive than stuff like cloudflare and Anubis.

Google, a multi-billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.

Meanwhile, when Cloudflare/Anubis verifies you there’s zero required interaction and you barely even see the anime character because it all loads so fast. At most Cloudflare makes you check a box.

The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
Just show us your face and transactions history, it's about the kids.
Google building harder walls against bots while simultaneously building AI agents that need to get through them is peak 2026.
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
Why can't an AI scan the QR code? Just fire up an emulator if necessary
The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652

So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.

No mention of device integrity verification yet, but the writing is on the wall.

(comment deleted)
> but the writing is on the wall.

Only if politicians are still corrupt and law enforcement doesn't work.

Which means the writing is on the wall.

I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.

I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.

yeah. webpages now load so slow just because i have to wait for the captcha
im so sick of this bs, im not even going to use the internet nemore, theres plenty of better things i can do with my time, as you can see i dont post much, im primarily a web dev, so ya i know its a prob, but tbf i really do not care, quit hijacking 10 sec of my time with an ad for every website i visit. maybe if they clamped down on foriegen countries using us web space, this would be less of an issue.
Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?

This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHA's are no longer effective against. Google's not forcing this on anyone else.

No surprises here, though of course disappointment when it comes to fruition.
And you must be signed in.

I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.

"As part of our mission to enable a safe agentic web" drew an immediate swear from me.

What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.

I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.

Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.

Yep.

I learned yesterday you can’t sign in to Cursor on Brave Browser. Had to switch to Safari. This is only going to become more and more common.

Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.

Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.

How are people stopping bots reliably?
You can't, really. If a user can access the site, so can a bot.

You may be able to make it more expensive than your information is worth, but of course that affects users too.

Before the age of AI, most bots aren’t sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like selenium or playwright. People couldn’t stop bots reliably but they could easily stop 99% of bots. That is of course no longer true which is why reCAPTCHA had to evolve.
The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.
I’m trying to use my phone less and less. Ideally I’d like to even switch a dumb phone.

But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on a authorized smartphone.

Human verification via QR code does not mitigate labor farms.
It is not meant to.
Any company that requires me to scan a QR code to make a purchase is losing my purchase.
Can I confirm that this is more shit from Google trying to lock people into their ecosystem (or Apples) under the guise security?
What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!
This would not have ever been announced while Lina Khan was running the FCC.
The QR code feature looks like it could be spoofed to become a Pegasus deployment method once people get used to them.
Is this why google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.
"This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable."

Oh, you sweet, summer child.

Don't worry. That's the lie they are using to get what they really want.
just how evil can google be?
Just wait and see.
Serious question: what if you don’t have a (smart)phone?
I suppose it's now become a default assumption every customer is going to own a smart phone that complies with this requirement?

It seems on iOS you'll even need to download an application, which is quite a bit of friction.

In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.

Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.

I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.