Google Cloud fraud defense, the next evolution of reCAPTCHA

14 hours ago (cloud.google.com)

The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652

So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.

No mention of device integrity verification yet, but the writing is on the wall.

  • > No mention of device integrity verification yet

    If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.

    E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245

    (Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)

    In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.

    This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.

    [1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974

    • > I expect that it will initially not use it

      It's the boiling-the-frog method. Moving too fast means backlash, but a slow, step-by-step transition where each step seems reasonable, but which ultimately ends up with a locked-down device, is how they aim to achieve it. And people would be too lazy to complain until the last few steps, by which time it would be too late.

    • > that implies that a "certified Android" device capable of Play Integrity attestation is required

      No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.

      1 reply →

  • And you must be signed in.

    I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.

  • This is going to make my GrapheneOS journey a bit more exciting. How wild to force users through an official Google identification for web browsing.

    Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.

    • I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...

      Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore.

      22 replies →

  • I’m already sick and tired of seeing Cloudflare's “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.

    I see reCAPTCHA less frequently but it’s much more annoying, with all the clicking of crosswalks, or buses, or whatever. I am not looking forward to a web where Google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally Google decides I don’t get to do searches, and that’s not too much of an inconvenience; there are other search engines.

    • Reminder that any company which has a legal obligation towards you (GDPR requests, refunds, filing a complaint etc.) can be contacted directly and forced to do it manually if you cannot use their web interface due to being blocked by Cloudflare & other captchas.

  • I believe you'll also need Bluetooth enabled on both devices. At least you do for the "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.

  • ... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.

    I know, people will slavishly knuckle under, but let me dream for a few minutes.

    • 99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.

      15 replies →

    • I have blocked it for years with uBlock Origin; if a site doesn't work, ctrl-w. Nowadays I cannot even use Google search because of this, any search will trigger a captcha, hilarious (at least on Chromium-based browsers, Firefox lets me get a page or two).

      1 reply →

    • The thing is, even a contact form without something like reCAPTCHA is doomed on today's web: spam all day.

  • > but the writing is on the wall.

    Only if politicians are still corrupt and law enforcement doesn't work.

    Which means the writing is on the wall.

  • Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?

    This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHAs are no longer effective against. Google's not forcing this on anyone else.

  • I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.

    • “On an infinite timescale, I’m eventually right, so it never makes sense to not heed my advice” is silly. We’re all going to die eventually so it’s not worth browsing the web on any device.

Wow. So you will need a mobile device in future to browse the web, and Google will use mobile device identifiers to de-anonymize you. And I assume they also carefully designed this to make life a little harder for alternative search engines, their competitors. And probably they will not provide collected user data to competing advertising platforms, to make them less competitive as well.

Also the example is ridiculous, that you need to scan a QR code to place an order. Maybe they should require filing a visa application as well.

  • I will stop using those websites altogether.

    You know, it's funny, I don't think I've ever seen a captcha on HN once.

    • You need one to sign up lately I believe. Which is really all it takes if your identity is required for the captcha and gets associated with your account forevermore.

  • Well, internet is dead anyway so they can keep the keys to the kingdom. I frankly do not care anymore. The meek shall inherit the Earth

Like many, I've already trained myself to commit to giving up immediately after the second bus or traffic light or puzzle (some of which I don't even understand anymore). Sounds like my life will not be all that different.

Worst case scenario, if this neuters my sovereign and all powerful linux desktop from some critical business I can't avoid (which remains to be seen), it sounds like I will have to have some scripts and a dummy android phone in my home lab as a sort of second router.

I can't believe they are promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human-readable data input is dangerous; if somehow the QR code is compromised with a zero-day URL, it's game over.

Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.

Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.

  • But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

    Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

    • It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.

      2 replies →

  • The 2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this.

    • Companies were doing this all along. The 2020s will be remembered as the decade when we realized, too late, that the world began ending in the 2010s.

  • What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.

    • Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.

      As a side note though, I recently tried to turn on CSP for a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.
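A triage script for the kind of CSP violation reports described above, as an added example that is not the commenter's code: it normalizes both the legacy `report-uri` JSON and the Reporting API (`report-to`) array, then buckets each blocked URI into extension injections, unexpected external hosts (phone-home candidates), expected embeds, and inline/eval blocks. The sample reports and the `EXPECTED_HOSTS` allowlist are constructed assumptions; replace the allowlist with the origins your own policy deliberately permits.

```python
"""Triage CSP violation reports so extension-injected scripts and phone-home
attempts stand out from the third-party embeds the site actually uses."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hosts this hypothetical site deliberately embeds; anything else is suspect.
EXPECTED_HOSTS = {"www.youtube.com", "platform.twitter.com"}

# Constructed sample reports in both wire formats a collector endpoint may receive:
# the legacy report-uri object and the Reporting API (report-to) array.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/post/1",
        "effective-directive": "script-src",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
        "original-policy": "default-src 'self'; report-uri /csp"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/post/1",
        "effective-directive": "connect-src",
        "blocked-uri": "https://tracker.invalid/beacon?id=42",
        "original-policy": "default-src 'self'; report-uri /csp"}}),
    json.dumps([{"type": "csp-violation", "age": 10,
                 "url": "https://example.test/post/2",
                 "body": {"blockedURL": "https://www.youtube.com/embed/x",
                          "effectiveDirective": "frame-src",
                          "documentURL": "https://example.test/post/2"}}]),
    json.dumps([{"type": "csp-violation", "age": 3,
                 "url": "https://example.test/post/2",
                 "body": {"blockedURL": "inline",
                          "effectiveDirective": "script-src-elem",
                          "documentURL": "https://example.test/post/2"}}]),
]

EXTENSION_SCHEMES = ("chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension")


def normalize(raw):
    """Yield (document, directive, blocked) triples from either report format."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "")
        yield (r.get("document-uri", ""), directive, r.get("blocked-uri", ""))
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            b = item.get("body", {})
            yield (b.get("documentURL", ""), b.get("effectiveDirective", ""),
                   b.get("blockedURL", ""))


def classify(blocked, expected_hosts=EXPECTED_HOSTS):
    """Bucket a blocked URI by what most likely caused the violation."""
    parts = urlsplit(blocked)
    if parts.scheme in EXTENSION_SCHEMES:
        return "extension-injection"        # browser extension injected a script
    if blocked in ("inline", "eval", "data", "blob"):
        return "inline-or-eval"             # your own code, or an injected inline script
    if parts.scheme in ("http", "https"):
        host = parts.hostname or ""
        return "expected-embed" if host in expected_hosts else "unexpected-external"
    return "other"


def triage(raw_reports, expected_hosts=EXPECTED_HOSTS):
    """Return per-category counts and the sorted list of unexpected external hosts."""
    counts = Counter()
    suspects = set()
    for raw in raw_reports:
        for _doc, _directive, blocked in normalize(raw):
            cat = classify(blocked, expected_hosts)
            counts[cat] += 1
            if cat == "unexpected-external":
                suspects.add(urlsplit(blocked).hostname)
    return dict(counts), sorted(suspects)


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_REPORTS)
    print(counts)    # {'extension-injection': 1, 'unexpected-external': 1, 'expected-embed': 1, 'inline-or-eval': 1}
    print(suspects)  # ['tracker.invalid']
```

Run it against the JSON bodies your report endpoint stores; the "unexpected-external" bucket is the one worth reading host by host, since expected embeds and extension noise dominate raw counts.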

Captcha suggestion: force users to write something offensive/vulgar (we have a few "banned words"). Or to take a stance in Israel/Palestine.

Whatever the response is, it's unlikely to be from an LLM.

  • This is such a flawed view of LLMs. Sure it may block out frontier models but every local abliterated (and some non) will just say whatever you want.

Any company that requires me to scan a QR code to make a purchase is losing my purchase.

  • You would not last long in China ;)

    (you pay by scanning QR code in .. well, everywhere)

    • Adding friends, shopping, logging in on PC, binding accounts for after-the-fact SSO, etc.

      This is all done with QR codes here.

    • Also in adjacent countries like Vietnam etc., where even ragtag street food vendors have a QR code sticker on their stall/cart.

      It's so common that people pay without even talking or confirming; I've seen customers just take their phone out, point at the QR, and walk away, and the shopkeeper says nothing. I'm assuming the shopkeeper gets a notification on their phone and trusts regular customers.

      But how easy would it be to secretly place your own bank account's QR code on top of a shop's QR? People who wait for a confirmation notification will catch it immediately, but by then the customer has already paid the attacker and the transaction can't just be reversed. Repeat it in several places, and a thief could snatch quite a few payments before the parasite stickers are all taken down.

  • Scanning QR in your bank app for payment is near universal in Europe. In fact, it is considered very annoying if a site does not provide the option.

    • I’m European, never encountered the system you describe.

      What is it and why does it exist? Apple Pay has been widely available since 2016. Why would anyone want to use some clunky QR-code thing instead?

    • I live in France and no such payment system ever took off.

      We just pay with a standard credit card.

    • Looks similar but is a different thing entirely. That is for allowing someone to take money from your account.

      Because the concept of credit/debit cards is batshit insane and only serves to finance organized crime.

  • Where are those ‘mark of the beast’ cranks when you need them?

  • Many sit-in restaurants enforce QR code ordering. Started during covid, but keeps happening, especially outside the US in my experience.

  • It's coming.

    The Poshmark morons demanded government id to buy a $35 shirt. On an established account, an address that matched my credit card, etc.

    The only answer is delete your account.

The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.

  • I'm in the community reverse engineering web CAPTCHAs; it's because they are too easy to reverse engineer with Claude now.

    I've seen multiple people break botguard (the obfuscation used by reCAPTCHA) within the last year, when before it was considered a huge technical endeavour.

    Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.

  • I think the pathetic thing about this is that it’s so much less intuitive than stuff like Cloudflare and Anubis.

    Google, a multi-billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.

    Meanwhile, when Cloudflare/Anubis verifies you there’s zero required interaction and you barely even see the anime character because it all loads so fast. At most Cloudflare makes you check a box.

reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.

Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.

I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.

  • I think you're spot on. This will block and inconvenience legitimate users while fraudsters have no problem buying more phones.

    Not a useful direction for real end users.

  • The GitHub one I recently tripped on was the worst of all time. Part one of 9 or something, which of these three next sounds are bees? Or some small man rotating around spaces on a map. I have an eInk screen and it was nearly impossible to see. Extremely painful and ridiculous.

The QR code feature looks like it could be spoofed to become a Pegasus deployment method once people get used to them.

  • Scan QR code -- you don't have our "captcha app" installed, automatically redirect to Play store -- download malware because of Google Play's horrible screening -- profit

    I must not be the first one to think of this, right?

    Right???

    • Does it hurt Google if that happens? No, not really, unless it happens a lot and one of the victims happens to be a US senator or something. The value of the control this gives them, if adopted widely, is immeasurable, not to mention the ad-targeting value of identifying more people across devices.

    • Hey at least in September they're going to stop you from installing F-Droid. For your safety, citizen!

    • Yeah, idiots would fall for it.

      Both (Google/Apple) need a much higher level of certification for anything to be allowed to be prompted to install. Either you're already big (and can easily afford to pay for some human time to verify), or you're a manufacturer selling something that has an associated app (again, which implies you're reasonably big and can afford to pay for verification.)

      You're neither? Get lost. Somebody types in the name of the app, fine, but the user must find it.

  • Overall it’s a reason to sigh deeply and thank our fellow “visionary leaders” for making everything that little bit worse. At least we’re getting an AI paradise out of the deal right?

    Right?

    • It's not really about leaders, but people who are supposed to ensure they are not corrupt.

      It seems like security services in many countries started outright scamming the taxpayers. Get the wage and pretend brown envelopes don't change hands and policies are not shaped by corporations for their benefit, not the public's.

This is just Google competing with Cloudflare in laying the foundation for erecting their toll booths on the internet.

Serious question: what if you don’t have a (smart)phone?

  • That means you're a peasant, and don't matter. Don't worry, they'll work with telecoms and carriers to ensure devices matching your budget are subsidized and made available at every possible opportunity.

    • I expected mostly snark from my earnest question, and got it.

      Ok, concrete scenario. What about homeless people using the computer at the library? I'm pretty sure Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?

      Please don’t respond with sarcasm.

      12 replies →

  • I shuddered when I realized that Google would require (smart)phones for recaptcha.

    I say this because I used to have a dumb-phone for a year and more and I only stopped using it when it broke (its battery fried; it's replaceable but I can't find a battery its size). No smartphone, period. (I am a teen so I can afford to do that.)

    Recently, I wanted to make a Google account, and guess what, I literally couldn't make a Google account without having a (smart)phone. Google's new feature on making a Google account also requires you to QR code your way in, similar to this reCAPTCHA.

    I tried to somehow find ways to have a phone number OTP but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).

    I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.

    Even though I have verified my phone number on Google, I had to verify the phone number on YouTube again to upload a video >15 minutes iirc, and y'know, I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much; yes, their rate limit of "too much" is 1.

    I was sharing all of this with some of my online friends with screenshots. I probably wished to write a blogpost about it that you can't use google without having an (smart)phone.

    And now, you are telling me that Google is gonna force me/us to do the same but for viewing the open internet, the content and websites that they don't even control. There was one thing about Google doing this BS on their own websites, because I thought that although really sh.tty, they don't care about me enough to want me as a user, so fine (it wasn't, but still).

    But this just takes it to an extremely completely next level. I can't stress how bad this all is.

    Even after all of the previous things, I still was like, well this problem of google account can still be fixed/isn't thaaat large more than its annoying/frustrating and Google as a company is still mostly fine as compared to other tech giants except from their locking down android thing but this all changed with this move.

    With age verification, locking down Android, requiring Android, recent Utah/UK laws which somehow threaten websites, the internet is turning into a dystopia. We are gonna slowly move towards an allowlist internet where only a select few websites are used. For a large swath of the population this is already the case, so the voices protesting are quite few, but we must do what we can to protest them all from killing the internet. Sorry this got long, but I can't stress how bad of a move this is as someone who used to use a dumbphone; Google is basically saying that I can't use the internet if I have a dumb-phone.

  • Then you already have not been very present in the analytical data that these business decisions are based on.

  • Go fuck yourself?

    I mean, that seems to be the general societal attitude.

    And you'll need to buy new ones because many things are app only, or are migrating that way (including being able to travel to certain countries).

I’m trying to use my phone less and less. Ideally I’d like to even switch to a dumb phone.

But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on an authorized smartphone.

  • Which means it's urgent that more and more people realize there are alternatives to the everything-on-the-phone situation they live in. And that owning one is not mandatory and should not be (by the way, politicians should also wake up).

  • Tactics like this will make me get a dumb phone and stop using those websites. If that means no more credit cards, online shopping, etc so be it. You have to draw the line somewhere.

What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!

  • I thought it was just happening to me. I tried to watch my computer's network activity to see if anyone had hijacked my IP. I closed Gmail and YouTube tabs because I find that they are the ones which ping the outside world a lot more than other tabs I have open. I even restarted my modem two times. Didn't work.

    So I decided to...use Firefox a lot more with DDG (I use FF for mostly privacy-sensitive stuff like checking my financial accounts, but now I use it for a lot more browsing stuff).

    Seems like it is the Chrome browser over-reacting.

Google clearly wants only Google approved models to traverse the web.

  • They only want dumb humans doing the shopping, not some hyper-focused bot that won't add any extra items into the shopping cart.

Hmm, that QR code workflow doesn't look very accessible. Can we preemptively ADA this thing out of existence somehow?

  • Probably, but then sites that do not work on a screen reader should be ADA killable too… yet no one has tried this.

Is the QR code check mandatory and if not, is it the default?

The bulletpoint as-is just says:

> AI-resistant challenge: As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.

Followed by

> Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.

It is probably me being a literal reader, but "we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop" feels like it can be read as "Good news: by using reCAPTCHA, we're now interfering with agents that can solve the regular challenges" or "there's now a flag the application developer can set". This is the difference between me swapping off reCAPTCHA ASAP or just editing my configuration. I have to imagine someone somewhere anticipated the kind of reactions a number of us are collectively feeling (I too don't want to use my phone to browse the web more than I already do) and it feels irresponsible to publish a feature announcement without covering basic information like this for site administrators. Maybe they thought the second line about existing reCAPTCHA customers being moved over clears this up, but "Your existing ... integrations remain exactly as they are today" feels like, again, literally, you won't have this new attestation requirement being presented to your users... but then why am I a Fraud Defense customer!

Prime "drink verification can" bullshit. If you don't have a Google Approved Phone, the solution is to go fuck yourself. But what else would you expect from modern day and age Google?

Traditional CAPTCHA was heading for the graveyard for a while now, because the overlap between the dumbest of users and the smartest of AIs is too severe. But aggressively doubling down on the user-hostile garbage isn't the solution.

I think it’s becoming hard to ignore that the Internet has fundamental flaws from a game theoretical view. I hope that we can skip the step of having Google as the feudal lord who saves us from anarchy though.

How about we start with some accountability for entities that host fraud? The main reason we can have relative anonymity in public is part trust and partially because you can get physically taken out if you cross the line. I understand there are some real limitations with enforcing accountability on the Internet, but perhaps that’s where we should be focusing.

Is this why Google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.

Why can't an AI scan the QR code? Just fire up an emulator if necessary.

  • The app that scans the code talks to the TPM in your phone to prove that your phone is running an unmodified Google OS.

    • I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?

    • Which would be meaningful if phones weren't remotely controllable.

      So the net effect is every AI agent will also have and connect to a physical phone.

      4 replies →

  • Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at scale. Bespoke solutions could perhaps work around it for some smaller number of devices; this QR code layer by itself isn't intended to stop 100% of workarounds.

Google and Cloudflare are becoming the master gatekeepers.

With Cloudflare, I cannot use my old browser; I cannot browse many sites without JavaScript or cookies.

reCAPTCHA? That prevents me from doing business with many sites, let alone browsing.

I don't really get how this stops captcha solving as a service, which is the actual way that scaled reCAPTCHA solving is done. Those things are incredibly cheap and are staffed by humans anyway. Instead of selecting grainy buses, they will just scan the image with their phones.

You mean like the Google login QR I can already bypass with an extension? I'm not sure this is a real step forward in the arms race, and I'm cool with that.

The mobile phone requirement would mean I end up avoiding sites that use that method. I'm not sure how many friends and family can be convinced, but I can try. (Most people tend to give up any and all security measures if it means getting to see the fluffy kitten though, so my hopes aren't very high.)

Yeah, I'm not doing that.

  • You don’t need to. As long as the dumb majority goes along with it, your options are to capitulate or get locked out of society.

    • An increasing percentage of the dumb majority are opting for dumb phones and plenty of people still use laptops; it doesn't have to be anywhere remotely close to a majority for many analytics-obsessed site owners to see the drop in sales and opt for another solution.

      In any case, sites using an extremely restrictive mode of reCAPTCHA during DDoS attacks will just be one segment of a very fragmented digital future, not society as such.

As someone who is working in incident response and malware analysis, I have to say that this is one of the worst ideas I have ever seen.

A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.

How should we realistically teach Susan from HR the difference between a real Google captcha QR code and a malicious phishing QR code? You (realistically) can't. I wish we could, but those people don't work in tech, they will never know, and I can't really blame them, because at the end of the day they are just happy that they don't have to deal with tech after work.

We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it "quishing" but I hate that term), and since the QR code is being scanned from a mobile device (99.99% of the time a private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.

This is more of an invitation for threat actors than it is something that holds them back.

[1] https://www.kaspersky.com/blog/what-is-clickfix/53348/

Those who don't read articles: Google is pushing QR codes as captcha.

My personal thought is that this is fucked. I'm not whipping out my phone to read some blog or comment on YouTube.

Inb4 Google 2027: "we sold 30% more Android devices YoY!"

(The extra devices are cheap $30 phones all going into reCAPTCHA solve farms)

I ditched reCAPTCHA and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this, but I won’t be switching back for the time being.

The efforts by Google, Meta, TikTok, X, AWS etc. to fight fraud and other financial crimes are probably largely deficient. They earn significant revenue from crime and criminal activity. Compared to banks, which are required to prevent financial crimes up to personal criminal liability of employees, there are no comparable rules for social media platforms.

How do two service businesses get treated so differently by law?

The site doesn't mention this. But are they locking down QR code auth to only SafetyNet-attested devices and with mobile number verification?

  • Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).

    But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCAPTCHA solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.

Google has a lot of fraud because they have absolutely no standards when it comes to advertising scams and frauds as the first result. Google is a services company for the global crime industry.

I suppose it's now become a default assumption that every customer is going to own a smartphone that complies with this requirement?

It seems on iOS you'll even need to download an application, which is quite a bit of friction.

In the current economic times, adding minutes onto the user journey is not going to result in increased sales; I suspect the data will prove the opposite.

Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc. While you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.

Does it not seem to anyone that Google is wielding too much power over our digital lives and the Internet?

Can I confirm that this is more shit from Google trying to lock people into their ecosystem (or Apple's) under the guise of security?

How are people stopping bots reliably?

  • The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.

• The lifetime value of an LLM may be less than a real person. Especially if you consider things like word of mouth marketing.

  • You can't, really. If a user can access the site, so can a bot.

    You may be able to make it more expensive than your information is worth, but of course that affects users too.

• Before the age of AI, most bots weren’t sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like Selenium or Playwright. People couldn’t stop bots reliably, but they could easily stop 99% of bots. That is of course no longer true, which is why reCAPTCHA had to evolve.

Who are the engineers building this technology? Make their identities known so displeasure about these systems can be delivered directly to those who most deserve it.

Google building harder walls against bots while simultaneously building AI agents that need to get through them is peak 2026.

  • They're expecting everyone to whitelist Google agents because Google has the market share for people to complain if Google agents don't work.

  • With the apparent competence that built Gemini, I have zero faith in Google building or doing anything that works anymore.

    • To counter the idiot downvotes, I proffer this as a prime example of Gemini:

        Resolving Final Compilation Conflict: I will remove the redundant `Entry` type declaration to resolve the compilation conflict and finalize the in-memory `StdNetDB` refactor.
      
          Edit  std.go → Accepted (+0, -1)
      
            31   type Entry struct {
            32       RouterInfo *router_info.RouterInfo
            33   }
            34 -
            34   func NewStdNetDB(db string) *StdNetDB {
            35       ctx, cancel := context.WithCancel(context.Background())
            36       return &StdNetDB{
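      Review bot: the edit does not do what its description says. The stated intent is to remove the redundant `Entry` type declaration, but the only change is the deleted blank line at 34 (+0, -1); the `Entry` struct at lines 31-33 is untouched, so the duplicate declaration and the compilation conflict it causes would remain.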
      

That and the CLI keeps exiting 0, without hinting why... Quality like the "AI Overview" that hijacks an entire page and isn't even relevant to the search terms - uBlock still doing god's work.

      It made me realise I was perhaps a bit hard on Claude (but then it did something equally as dumb)

  • It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.

  • Point On! Probably done by two different teams, who don't know about each other. I hate this (re)captcha so bad. They assume everyone is bad.

This would not have ever been announced while Lina Khan was running the FCC.

  • What does the FCC have to do with this?

    • Anti-trust. They're selling part of the problem (inference via Gemini) and now they're selling a solution. They also dominate web standards by developing the dominant browser. And they control one of two dominant phone platforms that will collaborate to enable this solution.

      If this were some smaller company that just did cloud then it'd never even make it to PoC. This can only happen because it's Google Cloud, and they can leverage everything they own all at once. Those not buying into their ecosystem can take a hike.


I am almost certain that labs in India and China have already developed a solution to bypass the “Scan this QR” method.

What is easier than pointing a camera at a QR code and commanding an AI bot to follow the next steps?

> we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge.

I'm so pissed off in advance. I hope that Google dies and collapses in sudden bankruptcy before we have to support these crappy challenges that are totally user hostile!

Human verification via QR code does not mitigate labor farms.

  • Does reCAPTCHA ever claim to detect or block labor farms? From its old name it just seems to block bots only. (Bots are nowadays called agents.)

  • I imagine again a worldwide search for the cheapest labor. Mechanical Turk on steroids.

Maybe soon there will be a market for a phone specifically for use as a dummy, to get past all this nonsense.

Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.

Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.

We are much MUCH closer to "drink verification can" than to the time that greentext was written. Like many things in 2026, it's beyond fucking wild, it's a parody of itself.

And I don't see it getting better without government regulation. But states are now weaker than corporations. How can we expect them to take charge?

"This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable."

Oh, you sweet, summer child.