Private Access Tokens (and how reCAPTCHA 2 and 3 are different)

Posted by Matt Birchler
— 1 min read

Jana Iyengar: Private Access Tokens: stepping into the privacy-respecting, CAPTCHA-less future we were promised

Private Access Tokens are an alternative to CAPTCHAs for supported client platforms. They use careful application of cryptography and requirements to guarantee that a website learns only exactly what it needs to know about a user in order to provide access to a resource. Human interaction is not required and there is no leakage of non-essential data.

Honestly, anything that makes me not have to click on images of stop signs ever again gets my support.

P.S. Something I didn't know for a while, but is a thing, is that reCAPTCHA v2 and v3 are completely different, and v3 tries to have a frictionless setup as well. Here's a high level overview of what v2 and v3 do:

  • reCAPTCHA v2 is the classic "click here to prove you are a human" and then may ask you to click on a few images as well. This is the reCAPTCHA that drives people nuts, but it important for avoiding things like card spinning on payment forms.
  • reCAPTCHA v3 presents nothing to the user, and instead detects a few things about the user on page load, guesses whether you're a human or a bot, and returns a confidence value to the integrator based on how confident it is that you're a human. Then it's on the integrator to do something with that value. Funnily enough, this can often mean using reCAPTCHA v3 on page load, and if the score is too low, then loading reCAPTCHA v2. Ultimately, it's up to the developer to decide what to do with the score.

Anyway, I know private access tokens are different, and I'm sure they're quite private, but thought this difference was worth sharing.