This week, Google announced its next generation of bot-detecting API: reCAPTCHA v3. In v1, users read distorted text, and confirmed the digits to prove human status. In v2, Google introduced additional signals that humans had to use to prove they weren't a bot. Now, v3 provides a score to the site owner, who can then respond based on the threat level.
Google builds the score based on how a user interacts with a site. In other words, their is no single CAPTCHA event that makes the bot/human determination. Because the score becomes more accurate as the user interacts with the site, Google suggests integrating v3 on multiple pages within your site.
The key addition to reCAPTCHA v3 is the Action concept. An Action is a tag that a developer can use to define user steps through his or her interaction with a site. This helps a developer make risk determinations with context particular to the developer's site. Within the reCAPTCHA admin console, developers can view an entire score distribution and a breakdown of the top 10 Actions taken on a particular site. This helps identify specific elements and pages attacked by bots.
Developers can use the score in three ways. First, developers can set a threshold (i.e. when a user hits a specific score, further verification is required). Second, developers can combine a score with specific user history and profiles. Finally, developers can use the score as a signal to train machine learning technology to automatically prevent bot activity.