This is a rehash of my own posts on the Ministry of Testing regarding testing Invisible reCAPTCHA.

Google provides various information on Invisible reCAPTCHA, such as the links below, but none of these provide much information.

Here’s what I’ve found out so far from actually testing Invisible reCAPTCHA

  • Google don’t really tell us how it works (for security/secrecy) just how to implement it
  • Basic operation is that if it thinks there’s a human using the form, they can submit the form without a problem
  • but if it thinks there’s a bot using the form, a captcha challenge is issued, in the form of the images you normally have to click to progress (like the previous reCAPTCHA)

From various chats in different Slack workspaces (thanks to all who offered info) the best approach to testing it is to try one path where you use the form in a standard way (as a human operator) and to try another path where you force the captcha to trigger.

One way of forcing the captcha to trigger is to use Chrome browser, then in Developer Tools use Network Conditions and set User agent to Googlebot and then load the relevant form you want to test.