Among Recaptcha v3 vs v2, which should I choose?
I've seen lots of SO posts and other articles on the internet about the differences between Google's ReCAPTCHA v2 and v3, but I'm not sure which one I should use. I'm looking to protect my website's sign up page (React frontend + Node.js backend). Which version of ReCAPTCHA should I choose? I feel like I've seen v2 in more places than v3, but then again, v3 is hidden... What are the security benefits of both versions like? Are websites less secure or considered "older" if they use v2?
As I was wondering about recaptcha v3 vs v2 myself, I came across this article. I summarize what I think is relevant: According to tech statistics website Built With, more than 650,000 websites are already using reCaptcha v3; overall, there are at least 4.5 million websites use reCaptcha, including 25% of the top 10,000 sites. (as the 27th of June, 2019)
The data is changing quickly, right now some 2,602,509 sites seem to be using v3. Also relevant, v3 works better if its code is installed in all web pages of a site. This means less user privacy. Although Google states that: reCaptcha’s API sends hardware and software information, including device and application data, back to Google for analysis, and that the service is only used to fight spam and abuse. So:
- Google reCAPTCHA v3 is easier for the users, but as more sites use v3, more will be the information that Google has about them, as tracking a user across sites that use v3 is technically possible.
- Google reCAPTCHA v2 takes more work for the user, but seems to be less intrusive regarding privacy.
- v3 seems to be gaining momentum quickly.
- Google seems committed to maintaining both v2 and v3 in the future.
- Regarding safety, I can tell from experience that v2 does not stop all spam. This is probably due to spammers using CAPTCHA farms (real people solving the bot's problems.) I don't have that much experience with v3.
- So IMHO, I would go for v3 (already widely adopted) unless maximum user privacy is a must. But if you are using Google Analytics to measure a site's traffic, using v2 for added privacy may be irrelevant.
- Any comment regarding the safety of v3 from a trusted source or site experience will be appreciated!