At an early stage you are not going to get spam anyway. Once it grows (and I hope it does) you will get a fair share of spam. As you said, at that point you could check solutions like Akismet, OOPSpam.
As for spam from the contact forms, you could look into integrating with https://www.oopspam.com/. It returns a score similar to reCaptcha in addition to the outputs from different analyses.
You’re confusing multiple badly named products by Google. You’re thinking of Invisible reCAPTCHA rather than reCAPTCHA v3.
reCAPTCHA v2 is the “I’m not a robot” checkbox widget followed by challenges if Google doesn’t like you.
Invisible reCAPTCHA is reCAPTCHA v2 but the site initiates verification instead of the user being given an “I’m not a robot” checkbox widget to click; but if Google doesn’t like you, it’ll still trap you in the purgatory¹ of puzzle solving. Site operators can then blame Google, for all the good that does. “Invisible reCAPTCHA” is a bad name for the product, because it’s not invisible.
reCAPTCHA v3 never presents a challenge for you to solve, but decides a score (in practice, I’ve only seen 0.1, 0.3, 0.7 and 0.9) where higher means Google’s feeling more friendly towards you, and it’s up to the site operator to decide what to do with that score—whether to simply deny access to people that Google doesn’t like (catastrophically bad and widely illegal, as it blocks legitimate users with no recourse) or to do something else. But now the liability for blocking real people is clearly with the site operator and not Google. But of course far too many people will ignore Google’s “don’t gate on this alone” direction and just see the higher version number and assume it must be better than reCAPTCHA v2. “reCAPTCHA v3” is a bad name for the product because it’s not a CAPTCHA, as there’s no challenge; it’s straight fraud detection.
They shouldn’t have called it a “challenge” there. It’s not a challenge; it’s just executing the verification function. Chalk up another one for harmfully incorrect terminology. (Admittedly “verification” is also an overloaded term, as it gives you a token which your backend subsequently needs to verify.)
(As they confirm near the start of the document, “reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion.”)
It doesn't appear automatically; it's programmable [1]. You as a developer decide what to do with a low score; you could ask for extra verification, for example. I agree with the tracking and privacy issues with ReCAPTCHA.
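An added example, not part of any comment in this thread and not Google's code: one way a backend could verify a reCAPTCHA v3 token and route on the score instead of denying access on it. The `decide` function, its decision labels and the 0.3/0.7 thresholds are assumptions for illustration; the endpoint and response fields are those of the siteverify API.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def siteverify(secret, token, timeout=5):
    """POST the client-side token to siteverify and return the parsed JSON."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=timeout) as resp:
        return json.load(resp)


def decide(result, expected_action, expected_hostname, low=0.3, high=0.7):
    """Map a siteverify result to a handling decision (hypothetical labels).

    No branch refuses the user outright: the worst outcome is a step-up
    such as e-mail confirmation, so a real person always has a way through.
    """
    if not result.get("success"):
        # Token missing, expired, replayed or malformed: nothing is known.
        return "step_up"
    if result.get("action") != expected_action:
        # Token was issued for a different form on the site.
        return "step_up"
    if result.get("hostname") != expected_hostname:
        # Token was issued on a different site.
        return "step_up"
    score = float(result.get("score", 0.0))
    if score >= high:
        return "accept"
    if score >= low:
        return "moderate"  # store the submission, hold it for review
    return "step_up"


if __name__ == "__main__":
    # Constructed sample responses, shaped like siteverify output.
    samples = [
        {"success": True, "score": 0.9, "action": "contact", "hostname": "example.com"},
        {"success": True, "score": 0.3, "action": "contact", "hostname": "example.com"},
        {"success": True, "score": 0.1, "action": "contact", "hostname": "example.com"},
        {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"},
        {"success": False, "error-codes": ["timeout-or-duplicate"]},
    ]
    for s in samples:
        print(decide(s, "contact", "example.com"), s)
```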
I love the points you made. There are so many services that solve reCaptcha. Saw 2captcha yesterday on reddit, it's indeed unethical. reCaptcha is a privacy nightmare.
For contact forms and comment systems there are alternatives other than captcha, like the OOPSpam API, which is privacy-friendly and accessible, as submissions are simply analyzed in the backend without interacting with the user. Just wanted to mention.
Anonymous comments are hard to moderate; as your product grows, more spammers will come. At this stage, I don't think you will have a major problem with spam, but down the road you will get plenty of them. Check out a solution like https://oopspam.com