As part of the next XMB version in development, I made changes to help with the new pricing structure of Google's reCAPTCHA service.

In our original implementation, the captcha was displayed as soon as anyone visits the registration page. This causes unwanted traffic between bots and the Google API.

Going forward, there will be an introduction page for registration. This means the reCAPTCHA gets pushed back to the 2nd page and won't be visited by bots quite so frequently.

There is also a future change regarding keys "to be migrated to a Google Cloud projected by the end of 2025." It is my next priority to learn how that affects us here.

What I've learned so far is that it's not just about the keys. I migrated one of the 2 keys used here and that transition is seamless.

After that, there are a bunch of steps for actually switching APIs from the "siteverify" to the "enterprise" version. Here's how that might go:

https://cloud.google.com/recaptcha/docs/using-features

The reCAPTCHA keys will have to be traded for Google Cloud API keys. Of course, there's a whole new way of doing things behind the scenes too:

https://cloud.google.com/recaptcha/docs/create-assessment-we...

Here is the old API reference:

https://developers.google.com/recaptcha/docs/display

So this looks like a need for more settings, a way to switch between the two API implementations, and a lot of testing after it's ready.

Also consider an alternative, https://www.cloudflare.com/application-services/products/tur...

I'd rather avoid captchas altogether, they just annoy people while doing little to actually prevent spammers.

My proposal is to go for some user-configurable Q&A,. Then again, good luck educating admins to bother setting it up properly so it's both accessible enough for users and not too easy for spammers. (

I remember setting up a phpbb board over 4 years ago that I've long since left, and there was a 'sortable q&a' feature that had minimal JS and made you put different things into different boxes:



I think there's maybe been one spam account that registered in the whole time of its existence, and while it's... obnoxiously opinionated, to say the least, it works for the purpose of that specific forum.

In other words, configure something like this correctly, and you've got yourself something that works with minimal JS and tracking things - therefore works even under 'strained conditions'. You could expand on the idea a bit more than phpbb did which I think only allows for the one question - as long as the suggested defaults are strong I think admins should be okay

If there's an open source solution that you know about, that's possible. This isn't a wheel that we should try to reinvent.

I saw a site today using this one:

https://www.hcaptcha.com/

These different vendors have interesting free features. I'm just not sure yet if we need to support more than one.

Quote: Originally posted by miqrogroove

I saw a site today using this one: https://www.hcaptcha.com/ These different vendors have interesting free features. I'm just not sure yet if we need to support more than one.

I've seen numerous sites using that one. Might be worth adding since it's probably the one I encounter most after reCAPTCHA, and it seems to have especially come about ever since the changes to the API.

I'm reading more about these and have some new thoughts:

reCAPTCHA doesn't specifically require a migration to the new API. What they are really going to require is a new pricing structure. So I'm seeing a need to install the alpha version of XMB and find out if those updates will cut the reCAPTCHA traffic counts to an affordable level. If not, I would be inclined to move away from Google on this feature rather than implement a new API.

Cloudflare seems more committed to offering a free tier and eliminating user puzzles. This is my fallback plan.

hCaptcha is a little weird in the details. They offer a free tier, but they want $140 per month for passive verification. This puts them at a huge disadvantage.