
  • Stephen (26 posts, 148 karma points)
    Jul 16, 2024 @ 22:10

    Umbraco Forms reCAPTCHA v3 Best Practice

    Google's reCAPTCHA documentation states that

    reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.

    In a multi-page Umbraco Form, would it therefore be best to include reCAPTCHA v3 on every page of the form?

  • Chris Randle (85 posts, 199 karma points, c-trib)
    Jul 16, 2024 @ 23:55

    IMHO ReCAPTCHA is a (tedious) security feature. Why would you need to add it on every form?

    From that quoted documentation, the important word is context. I would only add ReCAPTCHA when postbacks occur with full context, in a potential hacker attack vector.

    If you are talking about multiple page Umbraco Form, you should not be submitting incomplete data to the server surely?

    When would you allow an unauthorised visitor to do anything important?

    Keep bits of context data cached until completion.

    Definitely add ReCAPTCHA on Registration forms. Optionally add it on Login forms (ideally appearing only after so many failed login attempts).

    If you have a different situation, perhaps like a petition signup for members of the public, then persist your form in session until the final postback and use both ReCAPTCHA and the anti-forgery tokens. This final postback is where you have a context that is 100%, so you could add a ReCAPTCHA but since the visitor is not doing anything insecure, then why bother?

    Finally, remember that ReCAPTCHA is to prevent automated scripts from spamming your forms. This won't matter until you are capturing data to persist in the database, so no, you don't need it on every page. There are other ways to prevent such things (i.e. potential DDoS or injection attacks).

  • Stephen (26 posts, 148 karma points)
    Jul 17, 2024 @ 05:31

    Thanks Chris.

    My understanding is that reCAPTCHA v3 tracks website interactions and determines the likelihood of a user being a bot based on the data it gathers. I think this is what is referred to by "context" in the quoted text, and it would follow that having reCAPTCHA v3 present for more of a session would allow it to collect more data - more context - with which to make a determination.

    What I'm most interested in hearing about is how community members use the reCAPTCHA v3 with score question type in their multi-page Umbraco Forms. Do they tend to just drop one at the very end of their form as one would with the reCAPTCHA v2 question type? Or do they include one on every page of the form? Has anyone experimented with both, and have they found any difference in effectiveness one way or the other?

    The specific use case I have in mind is an application form that needs to be publicly accessible, and multi-page for user experience purposes. reCAPTCHA is desirable because forms on the site have been hit by bot traffic before, and it's available out of the box with Umbraco Forms.

  • Chris Randle (85 posts, 199 karma points, c-trib)
    Jul 17, 2024 @ 09:21

    I see but forgive me, because again I ask - what use case would you need to verify multiple form submissions instead of at one point?

    You seem to be saying you've already decided to stick ReCAPTCHA v3 on multiple form submissions? This is not how you use them. They look primarily at your browser session to generate a score. Bots don't have things like search histories, or if they do, they are detectable.

    This is how the score is produced. You seem to be saying "I want to do some unique custom logic - adding up the third-party generated scores - to determine myself if it's a risk". With the callback event of a v3, you'll get a value between 0 and 1.0 indicating risk. You aren't supposed to add them up or anything.

    I've worked with v3 on SPAs before and I have never felt like "oh no - a bot could attack these forms and do me damage", so if you can't give a more exact scenario, then what you are suggesting is bad practice. Look at the best practices and please describe how a multi-form application could have those on each of its steps (carding, fraud mitigation strategy, etc.)?

    It even says you are better using a WAF to mitigate certain threats, not ReCAPTCHA.

    TL;DR I cannot think of a scenario where on a multi-page form, you would use ReCAPTCHA because a bot could compromise using the threats. If you are going to implement custom logic with the score then you are invalidating the score by saying "I don't trust this score" which then begs "why use it in the first place". Please describe what scenario you are dealing with, more than just a generic "multi-page form" description.
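    The pattern the thread converges on (earlier pages held in session, a single reCAPTCHA v3 score plus the anti-forgery token checked once at the final postback, and the score treated as one 0..1 value rather than summed across steps) is shown below as an added example. It is not code from Umbraco Forms or from either poster; the siteverify-shaped responses, the hostname, the page names and the 0.5 threshold are constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed responses in the shape of Google's siteverify JSON
# (success, score, action, challenge_ts, hostname, error-codes).
# Values are made up for this example, not captured from a real site.
SAMPLE_RESPONSES = {
    "human": {"success": True, "score": 0.9, "action": "application_submit",
              "challenge_ts": "2024-07-17T09:00:10Z", "hostname": "example.org"},
    "low_score": {"success": True, "score": 0.1, "action": "application_submit",
                  "challenge_ts": "2024-07-17T09:00:10Z", "hostname": "example.org"},
    "wrong_action": {"success": True, "score": 0.9, "action": "login",
                     "challenge_ts": "2024-07-17T09:00:10Z", "hostname": "example.org"},
    "expired": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}
NOW = datetime(2024, 7, 17, 9, 1, 0, tzinfo=timezone.utc)  # fixed clock for the example
STALE_NOW = NOW + timedelta(minutes=5)                       # clock past the token window
REQUIRED_PAGES = ("applicant", "address", "review")          # constructed multi-page form

def assess(resp, expected_action, expected_hostname, min_score=0.5,
           now=None, max_age=timedelta(minutes=2)):
    """Evaluate one v3 assessment: a single 0..1 score, never a sum of several."""
    if not resp.get("success"):
        return False, "siteverify rejected token: " + ",".join(resp.get("error-codes", ["unknown"]))
    if resp.get("action") != expected_action:    # token was minted for a different action
        return False, "action mismatch"
    if resp.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    ts = resp.get("challenge_ts")
    if not ts:
        return False, "missing challenge_ts"
    issued = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if (now or datetime.now(timezone.utc)) - issued > max_age:
        return False, "token older than allowed window"
    score = float(resp.get("score", 0.0))
    if score < min_score:                        # threshold is a site-specific assumption
        return False, f"score {score} below threshold {min_score}"
    return True, f"score {score}"

def submit_final_step(session, form_post, resp, now=None):
    """One decision at the final postback: anti-forgery token, then the v3 score."""
    if not secrets.compare_digest(str(form_post.get("csrf", "")), str(session.get("csrf", ""))):
        return False, "anti-forgery token mismatch"
    missing = [p for p in REQUIRED_PAGES if p not in session.get("pages", {})]
    if missing:  # earlier pages live only in session; nothing has been persisted yet
        return False, "incomplete form: " + ",".join(missing)
    return assess(resp, "application_submit", "example.org", now=now)
```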
