reCAPTCHA Enterprise overview

Google has been defending millions of sites with reCAPTCHA for over a decade. reCAPTCHA Enterprise is built on the existing reCAPTCHA API and uses advanced risk analysis techniques to distinguish between humans and bots. With reCAPTCHA Enterprise, you can protect your websites or mobile applications from spam and abuse, and detect other types of fraudulent activity on those sites, such as credential stuffing, account takeover (ATO), and automated account creation. reCAPTCHA Enterprise offers enhanced detection with more granular scores, reason codes for risky events, mobile app SDKs, password breach/leak detection, multi-factor authentication (MFA), and the ability to tune your site-specific model to protect enterprise businesses.

When to use reCAPTCHA Enterprise

reCAPTCHA Enterprise is useful when you want to protect your websites or mobile applications from bots and from abusive or fraudulent behavior, whether that behavior is carried out through automated attacks or by humans.

For more information about use cases, see OWASP Automated Threat Handbook - Web Applications.

How reCAPTCHA Enterprise works

When reCAPTCHA Enterprise is deployed in the customer's environment, it interacts with both the customer's backend and the customer's client (web pages or mobile applications).

When an end user visits a web page or uses a mobile application, the following events are triggered in a sequence:

  1. The client loads the web page from the customer backend or launches the mobile application.
  2. When the end user triggers an action protected by reCAPTCHA Enterprise such as login, the reCAPTCHA Enterprise JavaScript API or the mobile SDK in the client collects and sends signals to reCAPTCHA Enterprise for analysis.
  3. reCAPTCHA Enterprise returns an encrypted reCAPTCHA token to the client for later use.
  4. The client sends the encrypted reCAPTCHA token to the customer backend for assessment.
  5. The customer backend sends the create assessment (assessments.create) request and the encrypted reCAPTCHA token to reCAPTCHA Enterprise.
  6. After assessing the request, reCAPTCHA Enterprise returns a verdict (a score from 0.0 through 1.0 and reason codes) based on the evaluated risk to the customer backend.
  7. Depending on the verdict, you (as the developer) can determine the next steps to take for that specific user request or action.
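The backend half of this sequence (steps 5 through 7), as an added example that is not part of this page or of Google's client libraries. It builds the assessments.create request from the token the client forwarded, and maps the returned verdict to an allow, step-up or deny decision. The endpoint URL and the response field names (`tokenProperties`, `riskAnalysis`) follow the v1 REST API, which this page does not show, so treat them as assumptions to confirm against the API reference; the thresholds and the sample responses in the test are constructed.

```python
"""Backend side of the reCAPTCHA Enterprise workflow (added example).
Field names follow the v1 REST API shape; this page does not show them,
so check them against the API reference. Thresholds are constructed."""
import json
import urllib.request

# Assumed v1 REST endpoint for assessments.create (not shown on this page).
ENDPOINT = "https://recaptchaenterprise.googleapis.com/v1/projects/{project}/assessments?key={api_key}"


def build_assessment_request(token: str, site_key: str, expected_action: str) -> dict:
    """Step 5 body: the encrypted token the client forwarded, the site key it was
    issued for, and the action the backend expects this token to cover."""
    return {"event": {"token": token, "siteKey": site_key, "expectedAction": expected_action}}


def create_assessment(project: str, api_key: str, body: dict, timeout: int = 5) -> dict:
    """Step 5 network call: send the request to reCAPTCHA Enterprise, return the verdict."""
    req = urllib.request.Request(
        ENDPOINT.format(project=project, api_key=api_key),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def decide(assessment: dict, expected_action: str,
           allow_at: float = 0.7, challenge_at: float = 0.3) -> tuple[str, list[str]]:
    """Steps 6-7: turn the verdict into ALLOW / CHALLENGE / DENY plus reason codes.
    Token validity and the action binding are checked before the score, so a
    valid token issued for another action is rejected regardless of its score."""
    props = assessment.get("tokenProperties", {})
    risk = assessment.get("riskAnalysis", {})
    reasons = list(risk.get("reasons", []))
    if not props.get("valid"):
        return "DENY", ["INVALID_TOKEN:" + str(props.get("invalidReason", "UNKNOWN"))] + reasons
    if props.get("action") != expected_action:
        return "DENY", ["ACTION_MISMATCH"] + reasons
    score = float(risk.get("score", 0.0))  # a missing score is treated as the worst case
    if score >= allow_at:
        return "ALLOW", reasons
    if score >= challenge_at:
        return "CHALLENGE", reasons  # e.g. step up to MFA instead of blocking outright
    return "DENY", reasons
```

Only `decide` and `build_assessment_request` run offline; `create_assessment` needs a project, an API key and network access.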

The following sequence diagram shows the graphical representation of the reCAPTCHA Enterprise workflow:

What's next