reCAPTCHA v3 will actively block many genuine users with no recourse, in a way that is incompatible with various accessibility and disability legislation. In the US I believe it’d be illegal for any businesses to gate functionality on reCAPTCHA v3 failure alone, and in AU it would be for a government site but I’m not certain for businesses.
reCAPTCHA v2 kinda had this problem, but Google could scrape by because it wasn’t obvious that some users were being flat-out blocked, though it does seem to be the case.
In reCAPTCHA v3, Google get around that problem by putting the burden of supporting some alternative for such denied users onto you, rather than on them—so they recommend things like falling back to sending an SMS code to validate such users. (Given how they position the product, this is basically just a disclaimer of liability—“we told you to do something extra! (though not very hard)”. I have no idea how legally effective that approach is, but that’s what they’re going for.)
That’s how we do it at Fastmail for signup (which is a substantial fraud target): we use reCAPTCHA v3 if we can (and only on the signup page, I may add), but if it won’t load or if it flunks the user, then we fall back to requiring SMS verification, so that real people should still be able to sign up.
So that’s the major problem with reCAPTCHA v3: you can’t, or at least shouldn’t, use it by itself.
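As an added example (not code from the comment above or from Fastmail), here is the server-side decision the comment describes: parse the response from Google's `siteverify` endpoint and route anything that is not a clean pass to SMS verification instead of a hard deny. The 0.5 threshold is Google's documented default; the action name and hostname are assumptions, and the HTTP call itself is left out so the example runs offline.

```javascript
// Server-side gate for a signup form using reCAPTCHA v3 with an SMS fallback.
// Input is the parsed JSON from https://www.google.com/recaptcha/api/siteverify,
// or null when the client could not load reCAPTCHA and therefore sent no token.

const SCORE_THRESHOLD = 0.5;             // Google's documented default; tune per site
const EXPECTED_ACTION = 'signup';        // assumed: the action passed to grecaptcha.execute
const EXPECTED_HOSTNAME = 'example.com'; // assumed: the host the site key is bound to

// Returns { decision: 'allow' | 'require_sms', reason: string }.
// There is deliberately no 'deny' outcome: every non-clean case gets the
// SMS path so genuine users who are flunked by v3 can still sign up.
function decideSignupGate(siteverify) {
  if (siteverify === null || siteverify === undefined) {
    return { decision: 'require_sms', reason: 'no token: reCAPTCHA did not load' };
  }
  if (siteverify.success !== true) {
    const codes = (siteverify['error-codes'] || []).join(',');
    return { decision: 'require_sms', reason: 'token rejected: ' + codes };
  }
  // Bind the token to this form and this host so a token minted for another
  // page or site is not accepted as a signup pass.
  if (siteverify.action !== EXPECTED_ACTION || siteverify.hostname !== EXPECTED_HOSTNAME) {
    return { decision: 'require_sms', reason: 'token action/hostname mismatch' };
  }
  if (typeof siteverify.score !== 'number' || siteverify.score < SCORE_THRESHOLD) {
    return { decision: 'require_sms', reason: 'low score ' + siteverify.score };
  }
  return { decision: 'allow', reason: 'score ' + siteverify.score };
}

// Constructed sample responses in the documented siteverify shape.
const SAMPLES = {
  clean:       { success: true, score: 0.9, action: 'signup', hostname: 'example.com' },
  lowScore:    { success: true, score: 0.1, action: 'signup', hostname: 'example.com' },
  wrongAction: { success: true, score: 0.9, action: 'login',  hostname: 'example.com' },
  badToken:    { success: false, 'error-codes': ['timeout-or-duplicate'] },
  notLoaded:   null,
};

for (const [name, response] of Object.entries(SAMPLES)) {
  const result = decideSignupGate(response);
  console.log(name.padEnd(12), result.decision.padEnd(12), result.reason);
}
```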
Have you ever been locked out of the internet because Google thought you were a bot? It has happened to me before, and it's not fun. Your only recourse for sites running v3 is to install Chrome and sign into a Google account.