So first things first - this isn't a guide to "Testing invisible reCAPTCHA" - it's actually a call for any useful information, resources on doing this. But with your help, it may turn into a guide...
A website project I'm working on has moved the signup form away from the reCAPTCHA (with a tickbox) to invisible reCAPTCHA. This means that the method of proving a human is operating the form has moved from a visible tickbox that's always there to something behind the scenes deciding this - and if it thinks it's a bot, it produces a challenge that has to be completed before the form can be submitted.
I was hoping for some info on how it works, suggestions on how to test it and any possible edge cases - but couldn't find any of this information.
I did see a question in Google Groups on how to test Invisible Recaptcha but the only answer was to use Edge browser while not being signed into Google account and that should trigger the challenge. I tried that but it didn't work.
Therefore, I'm now opening up the question to the Club...
So here's an update on what I've found out so far:
Google don't really tell us how it works (for security/secrecy) just how to implement it
Basic operation is that if it thinks there's a human using the form, they can submit the form without a problem
but if it thinks there's a bot using the form, a captcha challenge is issued, in the form of the images you normally have to click to progress (like the previous reCAPTCHA)
From various chats in different Slack workspaces (thanks to all who offered info) the best approach to testing it is to try one path where you use the form in a standard way (as a human operator) and to try another path where you force the captcha to trigger.
One way of forcing the captcha to trigger is to use Chrome browser, then in Developer Tools use Network Conditions and set User agent to Googlebot and then load the relevant form you want to test.
I recently had to test reCaptcha, but the tickbox followed by pictures of traffic lights and stuff. Obviously, I had to do some research. Amongst other things, I found that the precision of cursor movement was relevant. If the cursor describes a perfect line to the tickbox and if the click is in the middle of the box. Invisible reCaptcha may do the same - a perfect line between buttons and fields, and clicking directly in the centre. Oh, and speed of movement of the cursor might be a thing too. Essentially, I think you want to test perfect mouse movement results in a denial, and perfect mouse movement results in a pass, as well as a mixture. Hope this helps and I'm not just waffling.