So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
>that implies that a "certified Android" device capable of Play Integrity attestation is required
No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.
I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...
Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore
I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
It’s a common thing for malware. But people are going to be more likely to fall for it when mainstream sites ask you to complete weird tasks with your phone to verify your identity.
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
I have blocked it for years with ublock origin, if a site doesn't work, ctrl-w.
Nowadays i cannot even use google search because of this, any search will trigger a captcha, hilarious (atleast on chromium-based browsers, firefox lets me get a page or two).
Ditch Google Search as well then, use something like SearXNG or another meta-search engine. You'll get more representative results, no tracking and no captchas. Sometimes some of the engines may return captchas but they're kept from the search results, i.e. those engines don't get used for the query. You can run your own instance of SearXNG or one of the alternatives or use one of the available public instances, your choice. The fewer direct interactions with the likes of Google/Apple/Microsoft/etc. the better.
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.
Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I can't believe promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human readable data input is dangerous if somehow the QR code is comprised with a zero-day URL, it's game-over.
Note: I know QR code is ubiquitous these days, but still blinding scanning a QR code to go to accessing an URL is like running a binary downloaded from the internet.
Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.
Or if you want to play a bit, have a browser with some extension that breaks websites and show them "it doesn't work on my phone". Pranks apart, in my experience, I always got a paper menu when I asked for it.
A few millennia too late for that: the “mark of the beast” is just money — “so that no one could buy or sell unless he had the mark”. How does one buy or sell without money? Otherwise we would call it bartering.
That means you're a peasant, and don't matter.
Don't worry, they'll work with telecoms and carriers to ensure devices matching your budget are subsidized and made available at every possible opportunity.
I expected mostly snark from my earnest question, And got it.
Ok, concrete scenario. What about homeless people using the computer at the library? Im pretty sure Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?
Well, it depends on the application and context. I don't think a homeless person at the library is going to be booking a $1000-a-night room in downtown Los Angeles.
However, services that homeless people will be using should factor in their target audience (such as the homeless not having a phone at all, or maybe not one that's up to date even).
However, like it or not, having a modern up to date device is becoming essential for even rudimentary basic access to society. Whether that's right or wrong it's where we are.
I shuddered when I realized that Google would require (smart)phones for recaptcha.
I say this because I used to have a dumb-phone for an year and more and I only stopped using it when it broke (its battery fried but its replacable but I don't find battery its size). No smart-phone period,(I am a teen so I can afford to do that)
Recently, I wanted to make a google account, guess-what, I literally couldn't make a google account without having an (smart)phone. Google's new feature on making a google account also requires you to qr code your way into, similar to this re-captcha.
I tried to somehow find ways to have a phone number OTP but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).
I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.
Even though I have verified my phone number on google, I had to verify the phone number on youtube again to upload a video >15 minutes iirc and yknow I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much, yes their rate limit of too much is 1
I was sharing all of this with some of my online friends with screenshots. I probably wished to write a blogpost about it that you can't use google without having an (smart)phone.
and now, you are telling me, that Google is gonna force me/us the same but for viewing the open internet, the content and websites that they don't even control. There was one thing about google doing this BS in their own websites because I thought that although really sh.tty, but they don't care about me enough to want me as a user so fine (it wasn't but still)
But this just takes it to an extremely completely next level. I can't stress how bad this all is.
Even after all of the previous things, I still was like, well this problem of google account can still be fixed/isn't thaaat large more than its annoying/frustrating and Google as a company is still mostly fine as compared to other tech giants except from their locking down android thing but this all changed with this move.
With age verification, locking down android, requiring android, recent Utah/UK laws which somehow threaten websites. Internet is turning into Dystopia. We are gonna slowly move towards a allowlist internet where only select few websites are used. For a large swath of the population this is already the case so the voices protesting are quite few but we must do what we can to protest them all from killing the internet. Sorry this got long but I can't stress how bad of a move this is as someone who used to use dumbphone, Google is basically saying that I can't use the internet if I have a dumb-phone.
Scan QR code -- you don't have our "captcha app" installed, automatically redirect to Play store -- download malware because Google Play's horrible screening -- profit
I must not be the first one to think of this, right?
Overall it’s a reason to sigh deeply and thank our fellow “visionary leaders” for making everything that little bit worse. At least we’re getting an AI paradise out of the deal right?
It's not really about leaders, but people who are supposed to ensure they are not corrupt.
It seems like security services in many countries started outright to scam the tax payers. Get the wage and pretend brown envelopes don't change hands and policies are not shaped by corporations for their benefit, not the public.
I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.
Which means, it's urgent that more and more people realize there are alternative to the everything-on-the-phone situation they live in. And that owning one is not mandatory and should not be (by the way, politicians should also wake up).
What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!
Is this why google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.
I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?
The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google. Google won't stop this because it makes them money.
And the official Google OS just won't feature remote-control software.
There's also remote control hardware (a printer-like device can operate a touchscreen). But the first point stands, yes. Be it a phone or another hardware attestation device, they and Apple will be giving "I am human, let me participate in society" checkmarks out, directly or indirectly for money
Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.
These passkey QR codes don't need to use Web Bluetooth API, because they utilize the WebAuthn API. The website itself isn't given access to the bluetooth, the task is handed off to the browser, which as a native application, can access bluetooth and abstracts the bluetooth away.
I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
How though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not.
Let's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?
I suppose it's now become a default assumption every customer is going to own a smart phone that complies with this requirement?
It seems on iOS you'll even need to download an application, which is quite a bit of friction.
In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.
Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.
The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.
Before the age of AI, most bots aren’t sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like selenium or playwright. People couldn’t stop bots reliably but they could easily stop 99% of bots. That is of course no longer true which is why reCAPTCHA had to evolve.
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
Anti-trust. They're selling part of the problem (inference via Gemini) and now they're selling a solution. They also dominate web standards by developing the dominant browser. And they control one of two dominant phone platforms that will collaborate to enable this solution.
If this were some smaller company that just did cloud then it'd never even make it to PoC. This can only happen because it's Google Cloud, and they can leverage everything they own all at once. Those not buying into their ecosystem can take a hike.
The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652
So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
> No mention of device integrity verification yet
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974
>that implies that a "certified Android" device capable of Play Integrity attestation is required
No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.
This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.
Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.
I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...
Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore
One of them pretends to hold elections.
Does it only count as an election if one’s favorite side wins?
I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.
I know, people will slavishly knuckle under, but let me dream for a few minutes.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
> press win+R ctrl+V
LOL is this real?
I guess yes, because yesterday ReCaptcha asked me to screenshot a QR-code with the mobilephone :-D
It’s a common thing for malware. But people are going to be more likely to fall for it when mainstream sites ask you to complete weird tasks with your phone to verify your identity.
It is. There are fake Cloudflare CAPTCHAs on pwned Wordpress sites that instruct users to run Powershell scripts.
Yeah, this is going to turn into another malware vector, isn't it?
Discord has a feature where you can log into your account on your PC by scanning a code on your phone.
So does Binance.
Those are good things though? They’re about logging in, on purpose.
Not about attesting to Google that you have a proper smartphone as a proxy for your humanity, like this thing.
But none of those options are requirements to access the service.
So does Signal.
But Signal is secure(TM)!
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
It's almost like some people aren't IT hobbyists.
I'm not a heart surgery hobbyist, therefore I don't chop people's chests open, no matter who suggests it.
I have blocked it for years with ublock origin, if a site doesn't work, ctrl-w. Nowadays i cannot even use google search because of this, any search will trigger a captcha, hilarious (atleast on chromium-based browsers, firefox lets me get a page or two).
Ditch Google Search as well then, use something like SearXNG or another meta-search engine. You'll get more representative results, no tracking and no captchas. Sometimes some of the engines may return captchas but they're kept from the search results, i.e. those engines don't get used for the query. You can run your own instance of SearXNG or one of the alternatives or use one of the available public instances, your choice. The fewer direct interactions with the likes of Google/Apple/Microsoft/etc. the better.
The thing is even a contact form without something like reCaptcha is doomed on today's web: spam all day.
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
Smartphone is just a small computer. I don't see hiw what you say makes sense.
It's a small computer that I don't really control with a horrible UI, horrible privacy, and nothing but perverse incentives. ("download the app!")
Sounds like Windows
> but the writing is on the wall.
Only if politicians are still corrupt and law enforcement doesn't work.
Which means the writing is on the wall.
reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.
Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
I can't believe promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human readable data input is dangerous if somehow the QR code is comprised with a zero-day URL, it's game-over.
Note: I know QR code is ubiquitous these days, but still blinding scanning a QR code to go to accessing an URL is like running a binary downloaded from the internet.
Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.
Any company that requires me to scan a QR code to make a purchase is losing my purchase.
You would not last long in China ;)
(you pay by scanning QR code in .. well, everywhere)
They don't like contactless technology or what? I don't think that scanning a QR code is significantly more involved but it's enough to be annoying
[delayed]
It's all WeChat Pay (or AliPay).
Many sit-in restaurants enforce QR codes ordering. Started during covid, but keeps happening, especially outside US in my experience.
They don’t enforce in my experience. Just don’t bring a phone and they will bring you a paper menu.
Or if you want to play a bit, have a browser with some extension that breaks websites and show them "it doesn't work on my phone". Pranks apart, in my experience, I always got a paper menu when I asked for it.
Where are those ‘mark of the beast’ cranks when you need them?
A few millennia too late for that: the “mark of the beast” is just money — “so that no one could buy or sell unless he had the mark”. How does one buy or sell without money? Otherwise we would call it bartering.
Some currencies are even literally called Marks lol https://en.wikipedia.org/wiki/Mark_(currency)
It's coming.
The Poshmark morons demanded government id to buy a $35 shirt. On an established account, an address that matched my credit card, etc.
The only answer is delete your account.
Why the hell would they care who is buying it? They're getting paid either way.
The only reason they'd care is because they want to sell your personal information.
Serious question: what if you don’t have a (smart)phone?
That means you're a peasant, and don't matter. Don't worry, they'll work with telecoms and carriers to ensure devices matching your budget are subsidized and made available at every possible opportunity.
I expected mostly snark from my earnest question, And got it.
Ok, concrete scenario. What about homeless people using the computer at the library? Im pretty sure Google wouldn’t intentionally cut marginalized people like this off from the entire internet, would they?
Please don’t respond with sarcasm.
US govt used to have a program to sponsor mobile phones for homeless. Is that still around or did DOGE kill it?
(edit) It seems to still exist: https://www.fcc.gov/general/lifeline-program-low-income-cons...
Well, it depends on the application and context. I don't think a homeless person at the library is going to be booking a $1000-a-night room in downtown Los Angeles.
However, services that homeless people will be using should factor in their target audience (such as the homeless not having a phone at all, or maybe not one that's up to date even).
However, like it or not, having a modern up to date device is becoming essential for even rudimentary basic access to society. Whether that's right or wrong it's where we are.
Then you have already have not been very present in the analytical data that these business decisions are based on.
I shuddered when I realized that Google would require (smart)phones for recaptcha.
I say this because I used to have a dumb-phone for an year and more and I only stopped using it when it broke (its battery fried but its replacable but I don't find battery its size). No smart-phone period,(I am a teen so I can afford to do that)
Recently, I wanted to make a google account, guess-what, I literally couldn't make a google account without having an (smart)phone. Google's new feature on making a google account also requires you to qr code your way into, similar to this re-captcha.
I tried to somehow find ways to have a phone number OTP but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).
I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.
Even though I have verified my phone number on google, I had to verify the phone number on youtube again to upload a video >15 minutes iirc and yknow I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much, yes their rate limit of too much is 1
I was sharing all of this with some of my online friends with screenshots. I probably wished to write a blogpost about it that you can't use google without having an (smart)phone.
and now, you are telling me, that Google is gonna force me/us the same but for viewing the open internet, the content and websites that they don't even control. There was one thing about google doing this BS in their own websites because I thought that although really sh.tty, but they don't care about me enough to want me as a user so fine (it wasn't but still)
But this just takes it to an extremely completely next level. I can't stress how bad this all is.
Even after all of the previous things, I still was like, well this problem of google account can still be fixed/isn't thaaat large more than its annoying/frustrating and Google as a company is still mostly fine as compared to other tech giants except from their locking down android thing but this all changed with this move.
With age verification, locking down android, requiring android, recent Utah/UK laws which somehow threaten websites. Internet is turning into Dystopia. We are gonna slowly move towards a allowlist internet where only select few websites are used. For a large swath of the population this is already the case so the voices protesting are quite few but we must do what we can to protest them all from killing the internet. Sorry this got long but I can't stress how bad of a move this is as someone who used to use dumbphone, Google is basically saying that I can't use the internet if I have a dumb-phone.
Go fuck yourself?
I mean, that seems to be the general societal attitude.
And you'll need to buy new ones because many things are app only, or are migrating that way (including being able to travel to certain countries)
The QR code feature looks like it could be spoofed to become a Pegasus deployment method once people get used to them.
Scan QR code -- you don't have our "captcha app" installed, automatically redirect to Play store -- download malware because Google Play's horrible screening -- profit
I must not be the first one to think of this, right?
Right???
Overall it’s a reason to sigh deeply and thank our fellow “visionary leaders” for making everything that little bit worse. At least we’re getting an AI paradise out of the deal right?
Right?
It's not really about leaders, but people who are supposed to ensure they are not corrupt.
It seems like security services in many countries started outright to scam the tax payers. Get the wage and pretend brown envelopes don't change hands and policies are not shaped by corporations for their benefit, not the public.
The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.
Where is this specified? I don't see that in TFA.
The example they give in TFA is having the user scan a QR code, presumably from a mobile device.
I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.
Does anybody trust it? MacOS seems to be the only desktop platform I see be trusted.
I’m trying to use my phone less and less. Ideally I’d like to even switch a dumb phone.
But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on a authorized smartphone.
Which means, it's urgent that more and more people realize there are alternative to the everything-on-the-phone situation they live in. And that owning one is not mandatory and should not be (by the way, politicians should also wake up).
What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!
Google clearly wants only Google approved models to traverse the web.
Is this why google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.
Why can't an AI scan the QR code? Just fire up an emulator if necessary
The app that scans the code talks to the TPM in your phone to prove that your phone is running an unmodified Google OS.
So openclaw or whatever future software will run or control unmodified google os devices.
I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?
Which would be meaningful if phones weren't remotely controllable.
So the net effect is every AI agent will also have and connect to a physical phone.
The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google. Google won't stop this because it makes them money.
And the official Google OS just won't feature remote-control software.
There's also remote control hardware (a printer-like device can operate a touchscreen). But the first point stands, yes. Be it a phone or another hardware attestation device, they and Apple will be giving "I am human, let me participate in society" checkmarks out, directly or indirectly for money
... which is why you'll get locked out if you happen to visit an unusual number of sites in a day.
Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.
No browser supports Bluetooth.
These passkey QR codes don't need to use Web Bluetooth API, because they utilize the WebAuthn API. The website itself isn't given access to the bluetooth, the task is handed off to the browser, which as a native application, can access bluetooth and abstracts the bluetooth away.
Chrome does...
Interestingly, only on desktop/Android and not iOS it seems.
Chrome on iOS uses WebKit, so that makes sense.
(*I think in the EU, iOS Chrome can use Blink, but I am not sure if it actually does.)
I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.
From one egg basket to another; both are flawed in design.
yeah im not doing that
How do I fit TOR in this? Do anonymous users get to use a more anonymous app?
The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
... You... think... it would be a good thing.
Don't you...
I do. It has downsides of course, but what's the alternative at this point?
Depends on your specific problem. Usually redesign your system not to need to care if the other end is a bot or not.
How though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not.
Let's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?
Rate limit individual clients.
I suspect that the HN crowd is somehow insulated from the river of crap and fraud that is the internet experience for a majority of the population.
Just show us your face and transactions history, it's about the kids.
I suppose it's now become a default assumption every customer is going to own a smart phone that complies with this requirement?
It seems on iOS you'll even need to download an application, which is quite a bit of friction.
In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.
Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.
Thanks for sharing
How are people stopping bots reliably?
The first step is to write down why you are stopping bots and which bots you are stopping. If an LLM is buying things from your web store, that's good. You are making money on that, and you shouldn't stop it.
You can't, really. If a user can access the site, so can a bot.
You may be able to make it more expensive than your information is worth, but of course that affects users too.
Perfectly: They're not; that's not really possible.
Adequately: Proof of work. https://anubis.techaro.lol/
Before the age of AI, most bots aren’t sophisticated at all. They might be a script running curl in a loop, or at best some standard browser automation tool like selenium or playwright. People couldn’t stop bots reliably but they could easily stop 99% of bots. That is of course no longer true which is why reCAPTCHA had to evolve.
just how evil can google be?
Two mdashes in the first sentence...hmm.
++1
Can I confirm that this is more shit from Google trying to lock people into their ecosystem (or Apples) under the guise security?
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
Google building harder walls against bots while simultaneously building AI agents that need to get through them is peak 2026.
They're expecting everyone to whitelist Google agents because Google has the market share for people to complain if Google agents don't work.
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
Point On! Probably done by two different teams, who don't know about each other. I hate this (re)captcha so bad. They assume everyone is bad.
With the apparent competence that built Gemini, I have zero faith in Google building or doing anything that works anymore.
Human verification via QR code does not mitigate labor farms.
Does reCAPTCHA ever claim to detect or block labor farms? From its old name it just seems to block bots only. (Bots are nowadays called agents.)
I imagine again a worldwide search for the cheapest labor. Mechanical Turk on steroids.
"This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable."
Oh, you sweet, summer child.
This would not have ever been announced while Lina Khan was running the FCC.
What does the FCC have to do with this?
Anti-trust. They're selling part of the problem (inference via Gemini) and now they're selling a solution. They also dominate web standards by developing the dominant browser. And they control one of two dominant phone platforms that will collaborate to enable this solution.
If this were some smaller company that just did cloud then it'd never even make it to PoC. This can only happen because it's Google Cloud, and they can leverage everything they own all at once. Those not buying into their ecosystem can take a hike.
The FCC doesn't enforce antitrust law. That's the FTC. (The FTC is also the commission that Lina Khan chaired for a while.)