logoalt Hacker News

bramhaagtoday at 6:44 PM5 repliesview on HN

The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652

So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.

No mention of device integrity verification yet, but the writing is on the wall.

Replies

NotPracticaltoday at 7:36 PM

> No mention of device integrity verification yet

If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.

E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245

(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)

In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.

This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.

[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974

show 1 reply
hellojesustoday at 6:55 PM

This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.

Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.

show 1 reply
nerdsnipertoday at 7:39 PM

I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.

everdrivetoday at 6:57 PM

I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.

show 1 reply
Hizonnertoday at 6:48 PM

... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.

I know, people will slavishly knuckle under, but let me dream for a few minutes.

show 3 replies