Passwords are the scourge of application security. Password reuse is rampant, data breaches that expose poorly stored passwords are common, passwords are difficult to remember yet easy to crack, and password guidance is inconsistent.
Against all these odds we put the responsibility for account security squarely on the shoulders of our users. We give them tools that will make them more secure, like Multi-Factor Authentication and Password Managers, but those tools are difficult to use. Then we layer on more complexity with each new technology. For example, is SIM card cloning as easy, or as bad, as some security professionals would have you believe?
With all this Fear, Uncertainty, and Doubt it is no wonder that so many users fail to take the necessary steps to properly secure their accounts. For the average internet user, we are asking for an impossible task.
Adaptive Authentication attempts to change some of that. Using secondary, non-sensitive signals (browser, operating system, IP address, approximate location, time of day, and behavior during the session), the system estimates how likely it is that you are who you claim to be. If it has seen you log in from this browser, OS, IP, and location, at similar times and with similar behavior, it can make it easier for you to get in. If your username is used from an Ubuntu machine in France five minutes after you logged in from your office computer, that is physically impossible travel and can be flagged as likely fraud.
Adaptive Authentication can be used to make logging in easier, or to make decisions about the relative risk of each user. The more data it is given, the more powerful it becomes.
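The following is an added example of the kind of risk scoring described above; it is illustrative code written for this page, not any vendor's implementation. It assumes a hypothetical in-memory history of a user's prior successful logins (device, IP, approximate location from IP geolocation, timestamp) and compares a new attempt against it, including the "France five minutes later" impossible-travel check. All thresholds and sample coordinates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Policy knobs; the values are assumptions for this example, not vendor numbers.
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner between two logins = impossible travel
GEO_NOISE_KM = 50.0          # IP geolocation is coarse; ignore moves smaller than this
HOUR_WINDOW = 2              # login hour within +/- this of a past login hour counts as usual


@dataclass(frozen=True)
class Login:
    """One login event (constructed data; a real system would use a device fingerprint)."""
    ts: float       # Unix seconds (UTC)
    browser: str
    os: str
    ip: str
    lat: float      # approximate location derived from the IP
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _hour_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


def _usual_hour(hour, history):
    """True if `hour` is within HOUR_WINDOW (wrapping at midnight) of any past login hour."""
    for h in history:
        diff = abs(hour - _hour_utc(h.ts))
        if min(diff, 24 - diff) <= HOUR_WINDOW:
            return True
    return False


def risk_signals(history, attempt):
    """Compare a login attempt against the user's prior successful logins.

    Returns the list of anomaly names found; an empty list means the attempt
    looks like the user we have seen before.
    """
    if not history:
        return ["no_history"]
    signals = []
    if (attempt.browser, attempt.os) not in {(h.browser, h.os) for h in history}:
        signals.append("new_device")
    if attempt.ip not in {h.ip for h in history}:
        signals.append("new_ip")
    if not _usual_hour(_hour_utc(attempt.ts), history):
        signals.append("unusual_hour")
    # Impossible travel: distance from the most recent login divided by the
    # elapsed time must not exceed what a person could physically do.
    last = max(history, key=lambda h: h.ts)
    dist_km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    hours_elapsed = (attempt.ts - last.ts) / 3600.0
    if dist_km > GEO_NOISE_KM and (hours_elapsed <= 0 or dist_km / hours_elapsed > MAX_PLAUSIBLE_KMH):
        signals.append("impossible_travel")
    return signals


def decide(signals):
    """Map anomalies to a decision: 'allow' (password is enough),
    'step_up' (ask for a second factor) or 'deny' (treat as fraud, alert)."""
    if "impossible_travel" in signals:
        return "deny"
    if signals:
        return "step_up"
    return "allow"


# Constructed sample: a user who normally logs in from an office machine.
OFFICE = Login(ts=1_700_000_000, browser="Chrome", os="Windows", ip="203.0.113.10",
               lat=47.6062, lon=-122.3321)   # Seattle, example coordinates

# The scenario from the text: same username, from France on Ubuntu, five minutes later.
FROM_FRANCE = Login(ts=1_700_000_300, browser="Firefox", os="Ubuntu", ip="198.51.100.7",
                    lat=48.8566, lon=2.3522)    # Paris, example coordinates

# Same person, same machine, same place, next day at the same hour.
NEXT_DAY = Login(ts=1_700_086_400, browser="Chrome", os="Windows", ip="203.0.113.10",
                 lat=47.6062, lon=-122.3321)

if __name__ == "__main__":
    for attempt in (FROM_FRANCE, NEXT_DAY):
        found = risk_signals([OFFICE], attempt)
        print(attempt.ip, found, "->", decide(found))
```

The France attempt trips new_device, new_ip and impossible_travel and is denied; the next-day attempt from the office raises nothing and is allowed. Note that a user with no history at all gets a step-up rather than an allow, since the system has nothing to compare against yet.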
This is, I believe, the technology behind Google’s third version of reCAPTCHA. Instead of having you click on road signs, it collects behavior data about each user, and the website owner can then ask Google for a risk score for that user at the time of login (reCAPTCHA v3 returns a score from 0.0, very likely a bot, to 1.0, very likely a legitimate user). Too risky and you might not get in; a little bit risky and you may be asked to pull out a second factor for authentication.
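As an added example (not code from the original post or from Google), here is the server-side half of that decision. In the real flow the browser calls grecaptcha.execute(siteKey, {action: 'login'}) to obtain a token, the server POSTs its secret and that token to https://www.google.com/recaptcha/api/siteverify, and Google answers with a JSON body carrying success, score, action, challenge_ts and hostname. The function below takes that parsed body and turns the score into allow / step-up / deny, after checking the details integrators often skip: that the token was minted for the expected action and hostname and is not stale. The thresholds and sample responses are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Score thresholds are the site owner's policy; these numbers are assumptions
# for this example, not Google's recommendations.
ALLOW_SCORE = 0.7     # at or above: the password alone is enough
STEP_UP_SCORE = 0.3   # at or above (but below ALLOW_SCORE): ask for a second factor
TOKEN_MAX_AGE = timedelta(minutes=2)   # reCAPTCHA tokens are valid for two minutes


def evaluate_siteverify(response, expected_action, expected_hostname, now=None):
    """Turn a siteverify response into ('allow' | 'step_up' | 'deny', reason).

    `response` is the parsed JSON body (or raw JSON string) returned by
    https://www.google.com/recaptcha/api/siteverify. The score only means
    something if the token was issued for the action and hostname we expect;
    otherwise a token harvested from another page or site could be replayed
    against the login form, so those checks come before the score.
    """
    body = json.loads(response) if isinstance(response, str) else response
    if not body.get("success"):
        return "deny", "verification failed: %s" % body.get("error-codes", [])
    if body.get("action") != expected_action:
        return "deny", "token issued for action %r, not %r" % (body.get("action"), expected_action)
    if body.get("hostname") != expected_hostname:
        return "deny", "token issued for hostname %r" % body.get("hostname")
    # challenge_ts is ISO 8601 with a trailing Z. siteverify itself rejects
    # expired tokens; this guards against a cached or delayed response.
    issued = datetime.fromisoformat(body["challenge_ts"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if now - issued > TOKEN_MAX_AGE:
        return "deny", "token older than %s" % TOKEN_MAX_AGE
    score = float(body.get("score", 0.0))
    if score >= ALLOW_SCORE:
        return "allow", "score %.2f" % score
    if score >= STEP_UP_SCORE:
        return "step_up", "score %.2f, require second factor" % score
    return "deny", "score %.2f" % score


# Constructed sample responses in the siteverify format (not real Google output).
NOW = datetime(2023, 11, 14, 22, 14, 0, tzinfo=timezone.utc)
STALE_NOW = NOW + timedelta(minutes=10)


def _sample(score, action="login", hostname="example.com"):
    return {"success": True, "score": score, "action": action,
            "challenge_ts": "2023-11-14T22:13:20Z", "hostname": hostname}


SAMPLES = {
    "good": _sample(0.9),
    "suspicious": _sample(0.5),
    "bot_like": _sample(0.1),
    "wrong_action": _sample(0.9, action="homepage"),
    "failed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}
GOOD_JSON = json.dumps(SAMPLES["good"])

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", evaluate_siteverify(body, "login", "example.com", now=NOW))
```

The same 0.9 score is denied when the token's action is "homepage" or its hostname is not ours, which is the point: the score is a property of a token, and the token has to be the one your login form just issued.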
This could be a great boon for the security of the average internet user, adding a security blanket of risk analysis on top of exposed login fields.
The risk is that this comes at the price of Google gaining even more information about the world’s internet users. Google tracks most users across the internet using tracking cookies to serve ads and to understand users’ buying behavior. Some users disable this tracking by running ad-blocking software on their computers. If Google wants to capture the long tail of ad-blocking internet users, integrating with authentication could be a way to do just that; note that Google recommends loading reCAPTCHA v3 on as many pages of a site as possible, not just the login form, so that it has more context about each visitor. Fast Company posted a thorough article on the dark side of this: Google’s new reCaptcha has a dark side. Additionally, if you’re interested in seeing a demo of the information that is returned to users of the system, there’s a quick demo available here.
Should you enable this new version of reCAPTCHA? As described above, there’s a lot of value in enabling reCAPTCHA v3, but it gives Google a bit more information about your users. My recommendation is that if you are already using Google’s advertising platform, analytics, and v2 of reCAPTCHA, there’s little downside to moving to this next version. If you’re not using those things, then I would recommend thinking twice about the value you’re providing to your users and whether or not you can provide that value while keeping their privacy safe.