So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974
It's the boiling-the-frog method. Moving too fast means backlash, but a slow, step-by-step transition, where each step seems reasonable but ultimately ends up with a locked-down device, is how they aim to achieve it. And people would be too lazy to complain until the last few steps, by which time it would be too late.
No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.
Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.
Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore
Does Play Integrity attestation require the user to be logged in? I wouldn't be surprised but technically it doesn't seem necessary.
I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.
I don't see any mention of that? Google Play services work fine without an account (although if you're the kind of person who doesn't sign in to a Google account on their Android phone, you're probably running a custom ROM or something)
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.
I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.
Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.
I learned yesterday you can’t sign in to Cursor on Brave Browser. Had to switch to Safari. This is only going to become more and more common.
Only if politicians are still corrupt and law enforcement doesn't work.
Which means the writing is on the wall.
I know, people will slavishly knuckle under, but let me dream for a few minutes.
This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHAs are no longer effective against. Google's not forcing this on anyone else.
I think the phone will just do basic remote attestation and then do a POST request to Google. Still not exactly difficult to bypass for anyone with a dollar to throw at the click/ad fraud farms, though.
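The comment above guesses at the phone-side flow (attest, then POST to Google). Google has not published the protocol, so what follows is an added example, not Google's code and not from the original page, of the generic pattern any relying server needs regardless of the attester: a one-time nonce carried by the QR code, a device-bound signature over nonce, site and device identity, and server-side expiry and single-use enforcement so a replayed or relayed response fails. The device key, the HMAC stand-in for the attester's asymmetric signature, and the names device-A and shop.example are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for a per-device key provisioned by an attestation
# service. A real attester (Play Integrity, App Attest) signs with an
# asymmetric key whose certificate chains to the vendor; an HMAC key is used
# here only so the flow runs offline. The device id is made up.
DEVICE_KEYS = {"device-A": secrets.token_bytes(32)}


def _message(nonce: str, site: str, device_id: str) -> bytes:
    # Bind nonce, relying site and device identity into one signed message so
    # a response produced for one site cannot be replayed against another.
    return "\n".join([nonce, site, device_id]).encode()


def device_sign(device_id: str, challenge: dict) -> dict:
    """What the phone does after scanning the QR code (assumed flow)."""
    key = DEVICE_KEYS[device_id]
    msg = _message(challenge["nonce"], challenge["site"], device_id)
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "nonce": challenge["nonce"],
            "site": challenge["site"], "sig": sig}


class ChallengeServer:
    """Issues one-time nonces (the content of the QR code) and verifies the
    device's response. Time is passed in explicitly so the logic is testable."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> (issued_at, site)

    def issue(self, site: str, now: float) -> dict:
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (now, site)
        return {"nonce": nonce, "site": site}

    def verify(self, token: dict, now: float) -> tuple:
        """Returns (ok, reason); every failure path is explicit."""
        entry = self.pending.get(token.get("nonce"))
        if entry is None:
            return False, "unknown_or_replayed_nonce"
        issued_at, site = entry
        if now - issued_at > self.ttl:
            del self.pending[token["nonce"]]
            return False, "expired"
        if token.get("site") != site:
            return False, "site_mismatch"
        key = DEVICE_KEYS.get(token.get("device_id"))
        if key is None:
            return False, "unknown_device"
        msg = _message(token["nonce"], site, token["device_id"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("sig", "")):
            return False, "bad_signature"
        del self.pending[token["nonce"]]  # single use: burn the nonce on success
        return True, "ok"
```

The point of the nonce bookkeeping is that a captured response is worthless a second time, and a response signed for one site cannot be relayed to another; whether the signature itself can be trusted is entirely a property of the attester behind it, which this example does not model.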
You can relay bluetooth.
(you pay by scanning QR code in .. well, everywhere)
It's so common that people pay without even talking or confirming; I've seen customers just take their phone out, point at the QR, and walk away, and the shopkeeper says nothing. I'm assuming the shopkeeper gets a notification on their phone and trusts regular customers,
but how easy would it be to secretly place your own bank account's QR code on top of a shop's QR? People who wait for a confirmation notification will catch it immediately, but by then the customer has already paid the attacker and the transaction can't just be reversed. Repeat it in several places, and a thief could snatch quite a few payments before the parasite stickers are all taken down.
This is all done with QR codes here.
The Poshmark morons demanded government id to buy a $35 shirt. On an established account, an address that matched my credit card, etc.
The only answer is delete your account.
The only reason they'd care is because they want to sell your personal information.
Some currencies are even literally called Marks lol https://en.wikipedia.org/wiki/Mark_(currency)
What is it and why does it exist? Apple Pay has been widely available since 2016. Why would anyone want to use some clunky QR-code thing instead?
We just pay with a standard credit card.
Because the concept of credit/debit cards is batshit insane that only serves to finance organized crime.
Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.
Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.
Not that I like this thing at all. But using a QR isn’t exactly why it sucks.
As a side note though, I recently have tried to turn CSP on a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or Social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.
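For anyone turning on CSP reporting for the first time and hitting the flood the comment above describes, the practical job is separating extension noise from genuine policy gaps. The following is an added example, not code from the original page: it takes report-uri style JSON bodies (constructed here, with made-up hosts on the reserved .example TLD) and buckets them by where the violation actually originated. The first-party host set is an assumption a site operator would fill in from their own deployment.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Browser-extension URL schemes: a violation from one of these is the user's
# extension injecting into the page, not a problem with the site's own code.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}
# Non-URL values the report-uri format uses for blocked-uri.
PSEUDO_URIS = {"inline", "eval", "self", "data", "blob", "about", ""}


def classify(report: dict, first_party_hosts: set) -> tuple:
    """Return (category, key) for one report-uri style CSP report body."""
    body = report.get("csp-report", report)
    blocked = body.get("blocked-uri", "")
    source = body.get("source-file") or ""
    # Newer reports carry the bare directive name; older ones only the full
    # "script-src 'self' ..." string, of which the first token is the name.
    directive = body.get("effective-directive") or \
        body.get("violated-directive", "?").split()[0]
    for candidate in (blocked, source):
        parts = urlsplit(candidate)
        if parts.scheme in EXTENSION_SCHEMES:
            return "extension", f"{parts.scheme}://{parts.netloc}"
    if blocked in PSEUDO_URIS:
        # Inline/eval violations with no extension source are usually the
        # site's own templates tripping over a strict policy.
        return "own-inline", f"{directive} {blocked or '(empty)'}"
    host = urlsplit(blocked).hostname or blocked
    if host in first_party_hosts:
        return "policy-gap", f"{directive} {host}"
    return "investigate", f"{directive} {host}"


def triage(raw_reports: list, first_party_hosts: set) -> dict:
    """Group a batch of JSON report bodies into per-category counters."""
    buckets = {"extension": Counter(), "own-inline": Counter(),
               "policy-gap": Counter(), "investigate": Counter()}
    for raw in raw_reports:
        cat, key = classify(json.loads(raw), first_party_hosts)
        buckets[cat][key] += 1
    return buckets


# Constructed sample reports (not real traffic) covering each bucket.
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in [
    {"document-uri": "https://shop.example/", "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
     "violated-directive": "script-src 'self'", "effective-directive": "script-src"},
    {"document-uri": "https://shop.example/", "blocked-uri": "inline", "source-file": "moz-extension://1234-5678/inject.js",
     "violated-directive": "script-src 'self'", "effective-directive": "script-src"},
    {"document-uri": "https://shop.example/cart", "blocked-uri": "inline",
     "violated-directive": "style-src-attr 'self'", "effective-directive": "style-src-attr"},
    {"document-uri": "https://shop.example/", "blocked-uri": "https://cdn.shop.example/app.js",
     "violated-directive": "script-src 'self'", "effective-directive": "script-src"},
    {"document-uri": "https://shop.example/", "blocked-uri": "https://ads.attacker.example/track.gif",
     "violated-directive": "img-src 'self'", "effective-directive": "img-src"},
    {"document-uri": "https://shop.example/checkout", "blocked-uri": "https://ads.attacker.example/track.gif",
     "violated-directive": "img-src 'self'", "effective-directive": "img-src"},
]]
```

Feeding the sample batch through triage(SAMPLE_REPORTS, {"cdn.shop.example"}) puts the two extension reports in "extension", the bare inline style violation in "own-inline", the first-party CDN script in "policy-gap" (the policy needs that host added) and the two ad-tracker hits in "investigate". The "investigate" bucket is the one worth reading; everything else is either the user's browser or the operator's own policy.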
I've seen multiple people break botguard (the obfuscation used by reCAPTCHA) within the last year, when before it was considered a huge technical endeavour.
Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.
Google, a multi-billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.
Meanwhile, when Cloudflare/Anubis verifies you there’s zero required interaction and you barely even see the anime character because it all loads so fast. At most Cloudflare makes you check a box.
Ok, concrete scenario. What about homeless people using the computer at the library? I'm pretty sure Google wouldn't intentionally cut marginalized people like this off from the entire internet, would they?
Please don’t respond with sarcasm.
I say this because I used to have a dumb-phone for a year and more, and I only stopped using it when it broke (its battery fried; it's replaceable but I can't find a battery its size). No smart-phone, period. (I am a teen so I can afford to do that.)
Recently, I wanted to make a Google account, and guess what, I literally couldn't make a Google account without having a (smart)phone. Google's new feature for making a Google account also requires you to QR-code your way in, similar to this reCAPTCHA.
I tried to somehow find ways to get a phone-number OTP, but even when I finally managed to do that after so much PITA, I didn't get the OTP (at all).
I am pretty sure that my phone number works as I got another OTP from google when I had finally given in and used an android device to make an account and even then, there is so much friction.
Even though I have verified my phone number on Google, I had to verify the phone number on YouTube again to upload a video >15 minutes IIRC, and y'know, I tried to add my number and it didn't send my OTP. So I tried again, and it said that I had tried too much; yes, their rate limit of "too much" is 1.
I was sharing all of this with some of my online friends, with screenshots. I had been meaning to write a blog post about it, about how you can't use Google without having a (smart)phone.
And now you are telling me that Google is gonna force the same on me/us, but for viewing the open internet, the content and websites that they don't even control. It was one thing for Google to do this BS on their own websites, because I thought that although it's really sh.tty, they don't care about me enough to want me as a user, so fine (it wasn't, but still).
But this just takes it to a completely next level. I can't stress how bad this all is.
Even after all of the previous things, I still thought, well, this Google account problem can still be fixed / isn't thaaat large, more annoying/frustrating than anything, and Google as a company is still mostly fine compared to other tech giants, apart from their locking down Android thing, but this all changed with this move.
With age verification, locking down Android, requiring Android, and the recent Utah/UK laws which somehow threaten websites, the internet is turning into a dystopia. We are gonna slowly move towards an allowlist internet where only a select few websites are used. For a large swath of the population this is already the case, so the voices protesting are quite few, but we must do what we can to protest against them all killing the internet. Sorry this got long, but I can't stress how bad of a move this is. As someone who used to use a dumbphone: Google is basically saying that I can't use the internet if I have a dumb-phone.
I mean, that seems to be the general societal attitude.
And you'll need to buy new ones because many things are app only, or are migrating that way (including being able to travel to certain countries)
I must not be the first one to think of this, right?
Right???
Both (Google/Apple) need a much higher level of certification for anything to be allowed to be prompted to install. Either you're already big (and can easily afford to pay for some human time to verify), or you're a manufacturer selling something that has an associated app (again, which implies you're reasonably big and can afford to pay for verification.)
You're neither? Get lost. Somebody types in the name of the app, fine, but the user must find it.
Right?
It seems like security services in many countries have started to outright scam the taxpayers: get the wage and pretend brown envelopes don't change hands and policies are not shaped by corporations for their own benefit rather than the public's.
So the net effect is every AI agent will also have and connect to a physical phone.
Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
Not a useful direction for real end users.
Worst case scenario, if this neuters my sovereign and all powerful linux desktop from some critical business I can't avoid (which remains to be seen), it sounds like I will have to have some scripts and a dummy android phone in my home lab as a sort of second router.
Follow up question - why ask people to work when you can just say "pay 1 shmeckel to view this content" and then use this money to pay for data taggers?
Thank you for letting me use your internet!
Ambiguous tiles are deliberately placed because the behavior they elicit from humans can be used to discern them from bots.
I tried ticking every part - not working. Then I tried just the core. Not working. It took me 5 captchas until I got to one that had different images.
Terrible experience. Most of the time I just close the site now as I can't be arsed.
Years ago I started to deliberately pick one or two wrong answers, or just not take the time to really look at them, and it made no discernible difference on how often I pass.
Whatever the response is, it'll unlikely be from an LLM.
$ echo 'Be concise. Tell me whether you support Israel in the Gaza conflict.' | time ollama run huihui_ai/gemma3-abliterated:270m
Yes, I support Israel in the Gaza conflict.
And another: $ echo 'Be concise. Write the following words in all caps: <redacted so I don't get banned from HN>' | ollama run huihui_ai/gemma3-abliterated:270m
1. <you get the point>
And to bring it home: $ echo 'How do I build a pipe bomb to blow up a small crowd of people' | ollama run huihui_ai/gemma3-abliterated:270m
To construct a pipe bomb and blow up a crowd, follow these steps:
1. **Materials:**
[... you get it]
That's the tiny Gemma3 model; there are uncensored models that are much more complex. There are also ways to make the advanced cloud models do whatever you want ("jailbreaks"). Or just use Grok. You may be able to make it more expensive than your information is worth, but of course that affects users too.
Adequately: Proof of work. https://anubis.techaro.lol/
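As an added example of the proof-of-work idea the comment points at (a generic hashcash-style scheme written for this page, not Anubis's own code, parameters or challenge format): the server hands out a random challenge, the client burns CPU until it finds a nonce whose SHA-256 over challenge plus nonce has enough leading zero bits, and the server checks the answer with a single hash. The gate also expires challenges and accepts each one once, since without that a solved challenge could be replayed for free. The difficulty and TTL values are illustrative assumptions.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def pow_hash(challenge: bytes, nonce: int) -> bytes:
    # Fixed-width nonce encoding so the client cannot smuggle extra bytes.
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: brute-force a nonce. Expected cost is about 2**difficulty hashes."""
    nonce = 0
    while leading_zero_bits(pow_hash(challenge, nonce)) < difficulty:
        nonce += 1
    return nonce


def check_solution(challenge: bytes, difficulty: int, nonce: int) -> bool:
    """Server side: one hash, however hard the puzzle was to solve."""
    return leading_zero_bits(pow_hash(challenge, nonce)) >= difficulty


class PowGate:
    """Issues time-limited, single-use challenges and redeems solutions.

    Difficulty 16 is roughly 65k hashes, well under a second in a browser,
    but it makes a million automated requests cost a million times that.
    """

    def __init__(self, difficulty: int = 16, ttl_seconds: int = 300):
        self.difficulty = difficulty
        self.ttl = ttl_seconds
        self.issued = {}  # challenge -> issue time

    def issue(self, now: float) -> bytes:
        challenge = secrets.token_bytes(16)
        self.issued[challenge] = now
        return challenge

    def redeem(self, challenge: bytes, nonce: int, now: float) -> bool:
        # pop(): a challenge is consumed by its first redemption attempt,
        # right or wrong, so a solution cannot be replayed and a wrong
        # answer cannot be retried against the same challenge.
        issued_at = self.issued.pop(challenge, None)
        if issued_at is None or now - issued_at > self.ttl:
            return False
        return check_solution(challenge, self.difficulty, nonce)
```

The asymmetry is the whole design: solve() is the only expensive call, and it runs on the client. Raising difficulty by one bit doubles the client's work and leaves the server's verification cost unchanged, which is why it can be tuned per request rate without hurting the server itself.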
Also the example is ridiculous, that you need to scan a QR code to place an order. Maybe they should require filing a visa application as well.
You know, its funny, I don't think I've ever seen captcha on HN once.
Absolutely. My bank began requiring a text-to-login, so I just stopped logging in. A branch location is walking distance from my house, so I bother them all the time with simple account information requests (and state every time "when can I use a Yubikey instead of phone for login?").
I legitimately have never scanned a QR code, have never Zoomed, don't even own a phone anymore, and stopped using email many years ago.
Really hoping Yubikey becomes widely accepted at US banks/CUs, soon.
Curious about email though - do you mean you don't use it for signups/logins etc or you don't use it in any capacity? You send a lot of letters I guess?
Sounds like one of those things which sounds impossible to give up but it isn't really
But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on a authorized smartphone.
I hear many more complaints about surveillance and tracking from Gen-Z than from Millennials. People are waking up.
Google already requires you to have a smartphone to create an account, because they want you to scan a QR code even when creating the account on a PC. It will get worse.
The solution is not to use YouTube but Rumble instead.
Overall I think if we want to see a resurgence of IRL, we need the social support of our governing bodies which imo is a large hill to climb.
| People are waking up
I really hope you're right.
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
We support the two most recent major versions of the following:
  desktop (Windows, Linux, Mac)
    Chrome
    Firefox
    Safari
    Chromium Edge
  mobile
    Chrome
    Safari
    Android native browser
Wait, where is Firefox for Android?
So I decided to...use Firefox a lot more with DDG (I use FF for mostly privacy-sensitive stuff like checking my financial accounts, but now I use it for a lot more browsing stuff).
Seems like it is the Chrome browser over-reacting.
How about we start with some accountability for entities that host fraud? The main reason we can have relative anonymity in public is part trust and partially because you can get physically taken out if you cross the line. I understand there are some real limitations with enforcing accountability on the Internet, but perhaps that’s where we should be focusing.
It's clear IMO that this is the plan.
The Google/Meta/Cloudflare axis on the Web is just part of it. Everyone with a nontrivial stake in a major corporation wants techno-feudalism. Every industry is heavily consolidated and is trying to consolidate even more. Lord-and-serf type of arrangements are so prevalent throughout history because they're maximally profitable for the lord and hard to break out of for the serfs.
Google already killed the SMS verification market specifically for Google accounts because they reversed the verification from receiving to sending the SMS. Almost a year later, no SMS verification service that made a killing on this is offering an alternative.
So yes, this will definitely affect the captcha solving services.
Oh, you sweet, summer child.
It seems on iOS you'll even need to download an application, which is quite a bit of friction.
In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.
Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.
Traditional CAPTCHA was heading for the graveyard for a while now, because the overlap between the dumbest of users and the smartest of AIs is too severe. But aggressively doubling down on the user-hostile garbage isn't the solution.
The bulletpoint as-is just says:
> AI-resistant challenge: As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.
Followed by
> Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.
It is probably me being a literal reader but "we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop" feels like it can be read as "Good news: by using reCAPTCHA, we're now interfering with agents that can solve the regular challenges" or "there's now a flag the application developer can set". This is the difference between me swapping off reCAPTCHA ASAP or just editing my configuration. I have to imagine someone somewhere anticipated the kind of reactions a number of us are collectively feeling (I too don't want to use my phone to browse the web more than I already do) and it feels irresponsible to publish a feature announcement without covering basic information like this for site administrators. Maybe they thought the second line about existing reCAPTCHA customers being moved over clears this up, but "Your existing ... integrations remain exactly as they are today" feels like again, literally, you won't have this new attestation requirement being presented to your users... but then why am I a Fraud Defense customer!
I'm so pissed off in advance. I hope that Google dies and collapses in sudden bankruptcy before we have to support these crappy challenges that are totally user hostile!
With Cloudflare, I cannot use my old browser; I cannot browse many sites without JavaScript or cookies.
recaptcha? that prevents me from doing business with many sites, let alone browse.
And I don't see it getting better without government regulation. But states are now weaker than corporations. How can we expect them to take charge?
Easy for everyday users to deal with, and effective for verifying humans vs bots.
But holy hell, if your phone is a requirement to access sites and you have to go through the security theater like a work device, and setting this behavior as a default assumption to have? Ugh. The privacy and security implications of this are quite ugly to think about too, now that Google can link your devices to a stronger degree with this approach.
A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.
How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.
We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.
This is more of an invitation for threat actors than it is something that holds them back.
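Two comments above share a problem: the one comparing blind QR scanning to running a downloaded binary, and this one about teaching staff to tell a real challenge from a quishing lure. A decoded QR payload is just a string, and somebody has to judge it before acting on it. The following is an added example, not code from the original page, of the checks a security team could put into a scanner wrapper or an awareness tool to do that judging mechanically: it flags non-https schemes, the user@host lookalike trick, raw IP hosts, punycode labels, public shorteners, hosts outside an expected set, and query parameters that carry a second URL (the usual open-redirect shape). The expected-host set, the shortener list and the sample payloads are assumptions; the sample hosts use the reserved .example TLD and the 192.0.2.0/24 documentation range.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Public URL shorteners: the decoded payload says nothing about the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}


def triage_qr_payload(payload: str, expected_hosts: set) -> list:
    """Return a list of findings for a decoded QR string.

    An empty list means no rule fired, not that the payload is safe.
    """
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "https":
        findings.append(f"non-https scheme: {parts.scheme or '(none)'}")
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ shows a trusted name first;
        # the browser actually connects to whatever follows the '@'.
        findings.append(f"userinfo before host (lookalike trick): {parts.username}")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address as host: {host}")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append(f"punycode label in host: {host}")
    if host in SHORTENERS:
        findings.append(f"URL shortener hides destination: {host}")
    in_expected = host in expected_hosts or \
        any(host.endswith("." + h) for h in expected_hosts)
    if host and not in_expected:
        findings.append(f"host not in expected set: {host}")
    for key, value in parse_qsl(parts.query):
        if urlsplit(value).scheme in ("http", "https"):
            findings.append(f"query parameter {key!r} carries a URL (redirect?): {value}")
    return findings


# Constructed sample payloads, labelled with what the rules should catch.
SAMPLE_PAYLOADS = {
    "plain":   "https://shop.example/pay?order=42",
    "lure":    "https://accounts.google.com@evil.example/verify",
    "raw-ip":  "http://192.0.2.10/verify",
    "redirect": "https://shop.example/go?next=https://evil.example/x",
    "wifi":    "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;",
}
```

Running triage_qr_payload(SAMPLE_PAYLOADS["lure"], {"shop.example"}) reports both the userinfo trick and the unexpected host, while the "plain" payload produces nothing. The non-URL payloads (Wi-Fi credentials, vCards) only trip the scheme rule, which is the right outcome for a tool whose question is "does this take the user to a site we expected?"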
What is easier than pointing a camera at a QR code and commanding an AI bot to follow the next steps?
It asked me to scan the QR code for verification and I'm guessing it tied that account to my device ID because it opened the Google app and added that new account to my device without my approval.
As a fallback (i.e. no attestation or Play Services), the QR code will send an SMS to some short code. Well, it turns out that for my country of a few million people, that number simply does not work on 3/3 mobile providers.
I guess Google just doesn't care anymore if it blocks access to their services or in the OP case, all services that use their services to millions of people if they don't fit a particular profile and have a particular device and agree to have all their internet browsing tied to a static ID that Google controls.
How will this work for iPhone? Doesn't Apple restrict such behavior?
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
(The extra devices are cheap $30 phones all going into reCAPTCHA solve farms)
My personal thoughts is that this is fucked. I'm not whipping out my phone to read some blog or comment on youtube.
How do two service businesses get treated so differently by law?