So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
codedokode
Wow. So you will need a mobile device in future to browse the web, and Google will use mobile device identifier to de-anonymize you. And I assume they also carefully designed this to make life a little harder for alternative search engines, their competitors. And probably they will not provide collected user data to competing advertising platforms to make them less competitive as well.
Also the example is ridiculous, that you need to scan a QR code to place an order. Maybe they should require filing a visa application as well.
devy
I can't believe promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human readable data input is dangerous if somehow the QR code is compromised with a zero-day URL, it's game-over.
Note: I know QR code is ubiquitous these days, but still blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.
Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.
orion7
Like many, I've already trained myself to commit to giving up immediately after the second bus or traffic light or puzzle (some of which I don't even understand anymore). Sounds like my life will not be all that different.
Worst case scenario, if this neuters my sovereign and all powerful linux desktop from some critical business I can't avoid (which remains to be seen), it sounds like I will have to have some scripts and a dummy android phone in my home lab as a sort of second router.
littlecranky67
I try to keep my phone away from my computer during work to get rid of distractions. OTPs can be done with yubikeys & co., but more and more web services requiring a phone is a step in the wrong direction. Especially since google is using so much tracking, that they can merge tracking data from phone and desktop together.
baalimago
Captcha suggestion: force users to write something offensive/vulgar (we have a few "banned words"). Or to take a stance in Israel/Palestine.
Whatever the response is, it'll unlikely be from an LLM.
driverdan
Any company that requires me to scan a QR code to make a purchase is losing my purchase.
xacky
The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.
Velocifyer
reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.
Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
The QR code feature looks like it could be spoofed to become a Pegasus deployment method once people get used to them.
semiquaver
Serious question: what if you don’t have a (smart)phone?
koala-news
Feels like we accidentally built a web where proving you’re human now requires approval from 3 different corporations.
PeterStuer
This is just Google competing with Cloudflare in laying the foundation for erecting their toll booths on the internet.
MichaelNolan
I’m trying to use my phone less and less. Ideally I’d like to even switch to a dumb phone.
But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on an authorized smartphone.
rvnx
Making sure that only Google can access protected websites
thekevan
I will STRONGLY consider not using any site that tries to make me do this.
PyWoody
What funny timing: After being hounded with CAPTCHAs every time I tried to search from the URL bar for the past week, not two hours ago I switched everything over to DDG. Great work, Google!
SoKamil
Google clearly wants only Google approved models to traverse the web.
officialchicken
Protect against bots by shifting the blame and work onto humans? Did they get that idea from Gemini?
akersten
Hmm, that QR code workflow doesn't look very accessible. Can we preemptively ADA this thing out of existence somehow?
dunder_cat
Is the QR code check mandatory and if not, is it the default?
The bulletpoint as-is just says:
> AI-resistant challenge: As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.
Followed by
> Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.
It is probably me being a literal reader but "we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop" feels like it can be read as "Good news: by using reCAPTCHA, we're now interfering with agents that can solve the regular challenges" or "there's now a flag the application developer can set". This is the difference between me swapping off reCAPTCHA ASAP or just editing my configuration. I have to imagine someone somewhere anticipated the kind of reactions a number of us are collectively feeling (I too don't want to use my phone to browse the web more than I already do) and it feels irresponsible to publish a feature announcement without covering basic information like this for site administrators. Maybe they thought the second line about existing reCAPTCHA customers being moved over clears this up, but "Your existing ... integrations remain exactly as they are today" feels like again, literally, you won't have this new attestation requirement being presented to your users... but then why am I a Fraud Defense customer!
danborn26
The constant arms race between bot detection and accessibility is exhausting. I hope this doesn't heavily penalize legitimate users on VPNs.
honzaik
I can't wait to give Google more data about my browsing habits! Seriously, this is insane and everyone who supports this lost the plot.
ACCount37
Prime "drink verification can" bullshit. If you don't have a Google Approved Phone, the solution is to go fuck yourself. But what else would you expect from modern day and age Google?
Traditional CAPTCHA was heading for the graveyard for a while now, because the overlap between the dumbest of users and the smartest of AIs is too severe. But aggressively doubling down on the user-hostile garbage isn't the solution.
basch
Is this why google was repeatedly telling me I was displaying patterns of being a bot yesterday because I click too fast? I've never gotten the error message as many times as I did yesterday.
stupidgeek314
Why can't an AI scan the QR code? Just fire up an emulator if necessary
davemp
I think it’s becoming hard to ignore that the Internet has fundamental flaws from a game theoretical view. I hope that we can skip the step of having Google as the feudal lord who saves us from anarchy though.
How about we start with some accountability for entities that host fraud? The main reason we can have relative anonymity in public is part trust and partially because you can get physically taken out if you cross the line. I understand there are some real limitations with enforcing accountability on the Internet, but perhaps that’s where we should be focusing.
harrouet
Will it be GDPR-compliant -- contrary to reCAPTCHA ?
high_na_euv
Why when I open google in private mode then I need to solve 10 captchas?
m463
google and cloudflare are becoming the master gatekeepers.
with cloudflare, I cannot use my old browser, I cannot browse many sites without javascript or cookies.
recaptcha? that prevents me from doing business with many sites, let alone browse.
fireant
I don't really get how this stops captcha solving as a service, which is the actual way that scaled recaptcha solving is done? Those things are incredibly cheap and are staffed by humans anyway. Instead of selecting grainy busses, they will just scan the image with their phones.
Asooka
Apart from the horrifying privacy implications, this also means all a bot needs to do to access a website is send a screenshot to an Android device. They made the CAPTCHA machine-readable. It would be funny if it weren't so sad.
bigger_fish
You mean like the Google login QR I can already bypass with an extension? I'm not sure this is a real step forward in the arms race, and I'm cool with that.
mafriese
As someone who is working in incident response and malware analysis I have to say that is one of the worst ideas I have ever seen.
A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.
How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.
We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.
This is more of an invitation for threat actors than it is something that holds them back.
the mobile phone requirement would mean I end up avoiding sites that use that method. I'm not sure how many friends and family can be convinced, but I can try. (most people tend to give up any and all security measures if it means getting to see the fluffy kitten though, so my hopes aren't very high)
2001zhaozhao
Inb4 Google 2027: "we sold 30% more Android devices YoY!"
(The extra devices are cheap $30 phones all going into reCAPTCHA solve farms)
x3sphere
I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.
mayama
The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
super256
Looks like Cloudflare has the only user friendly captcha of them all.
zuzululu
Those who don't read articles: Google is pushing QR codes as captcha.
My personal thoughts is that this is fucked. I'm not whipping out my phone to read some blog or comment on youtube.
throwaway85825
Google has a lot of fraud because they have absolutely no standards when it comes to advertising scams and frauds as the first result. Google is a services company for the global crime industry.
sylware
ofc, there is classic web support, aka noscript/basic (x)html?
MASNeo
The efforts by Googles, Meta, TikTok, X and AWS etc. to fight fraud and other financial crimes are probably largely deficient. They earn significant revenue from crime and criminal activity. Compared to banks which are required to prevent financial crimes up to personal criminal liability of employees there are no comparable rules for social media platforms.
How do two service businesses get treated so differently by law?
aboringusername
I suppose it's now become a default assumption every customer is going to own a smart phone that complies with this requirement?
It seems on iOS you'll even need to download an application, which is quite a bit of friction.
In the current economic times, adding minutes onto the user journey is not going to result in increased sales, I suspect the data will prove the opposite.
Using a mobile device is bad enough as it is: TOTP, email, SMS codes, 3DS etc, while you can say this is part of the "flow", it's too much. I can see many abandoned journeys from this.
ifh-hn
Can I confirm that this is more shit from Google trying to lock people into their ecosystem (or Apple's) under the guise of security?
amazingamazing
How are people stopping bots reliably?
DeathArrow
Does it not seem to anyone that Google is wielding too much power over our digital lives and the Internet?
arian_
Google building harder walls against bots while simultaneously building AI agents that need to get through them is peak 2026.
kajman
This would not have ever been announced while Lina Khan was running the FCC.
nalekberov
I am almost certain that labs in India and China have already developed a solution to bypass the “Scan this QR” method.
What is easier than pointing a camera at a QR code and commanding an AI bot to follow the next steps?
walletdrainer
Who are the engineers building this technology? Make their identities known so displeasure about these systems can be delivered directly to those who most deserve it.
greatgib
> we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge.
I'm so pissed off in advance. I hope that Google die and collapse in sudden bankruptcy before we have to support these crappy challenges that are totally user hostile!
ilia-a
Another nail in the web anonymity sounds like
catlikesshrimp
How do I fit TOR in this? Do anonymous users get to use a more anonymous app?
arewethereyeta
Two mdashes in the first sentence...hmm.
oybng
just how evil can google be?
LoganDark
Human verification via QR code does not mitigate labor farms.
ptrl600
Maybe soon there will be a market for a phone specifically for use as a dummy, to get past all this nonsense.
andrepd
We are much MUCH closer to "drink verification can" than to the time that greentext was written. Like many things in 2026, it's beyond fucking wild, it's a parody of itself.
And I don't see it getting better without government regulation. But states are now weaker than corporations. How can we expect them to take charge?
mrguyorama
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
scotty79
"This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable."
The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652
As expected, they're bringing WEI back under a different name: https://en.wikipedia.org/wiki/Web_Environment_Integrity
[1] https://www.kaspersky.com/blog/what-is-clickfix/53348/
yeah im not doing that
"This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable."
Oh, you sweet, summer child.
Thanks for sharing