The issue basically was, today Cloudflare insisted on imposing a captcha on any of my login attempts. Usually reCAPTCHA does not prompt one when logged in with a Google account, this time however it insisted on a captcha being solved.
Usually this still disappears after a reload or two, but today Google got suspicious straight away and barred me from solving a captcha in general, effectively keeping me from logging into my Cloudflare account, which did not only affect the community login but particularly the dashboard login. Fortunately I did not need to connect to the dashboard
Recaptcha is a necessary evil to be honest. Even with a JS browser check, someone could just run puppeteer to programmatically act like a browser and click and send keyboard events to the email/password box (example), and running self-made captchas are usually easy to OCR unless you have a dedicated team constantly changing and tweaking the captcha algorithm.
There is a difficulty selector in the recaptcha admin - it may be likely CF increased it because they saw spam/brute force logins coming in.
I am not. If it was only for the dashboard I'd activate it, but being linked to the forum I don't feel like fishing out the phone all the time when logging in.
True, but to be fair it usually doesn't bother you if you have a session for a Google account. Yesterday was the exception, particularly with the subsequent locking out.
Just to be clear, I was not talking about the challenge captcha when accessing a website, but about the login captcha. I was effectively locked out of my account the whole day.
That might be the case.
I guess Cloudflare might have reached a point where they could pull off their own captcha, which they have full control over and where they do not have to rely on a third party.
They do, and if I stayed logged in it wouldn't be an issue either, but I am one of those tin foil hats who has the browsing data purged when the browser closes.
Recaptcha can really be annoying as **** sometimes. I'd say in 50% it lets me through, 30% is 1 test, but the last 20% are REALLY testing my patience with Google. It is completely unnecessary to let me solve like 10+ challenges.
Captchas in general are annoying but I understand their necessity, my main concern here is when Google insists on solving the captcha (even though I am logged in with a Google account) and, in particular, when Google blocks me completely. The latter effectively locks me out of my Cloudflare account.
I can only confirm what others already said, adding that recaptcha seems completely broken for many people right now.
From the same static and non-shared IP, I have completely different trust scores in the morning than in the afternoon. I see different trust scores between Chrome and Firefox. Even worse, when I'm logged into my Google account, 4 out of 5 times I have a terrible trust score (making it nearly impossible to complete the captcha), while I am more trusted when I'm not logged into the Google Account (where I'm registered with all my personal data, including verified credit cards). And yes, I mean it that way, not the other way around (which would be logical for a captcha service).
You can check out this link to see the current trust score: https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php
Try with different browsers and with/without Google Account login.
I used to use the Incognito mode of my browser to avoid having to log out from my Google Account, for the sake of solving recaptchas. I now switched to Firefox with Multi Container to restrict Google/Facebook accounts from interfering in other websites, so I don't need that any longer.
Recaptcha Google forums and support are basically useless, no one relevant ever responds to any problems.
And no, the IP space I am using is not in any way dirty or blacklisted, it is a completely clean RIPE assigned IP subnet (I am a senior network engineer with that LIR). It's not new either. And I can see people all over the place having the same problems, even outside of this network.
It is my strong opinion that recaptcha has become a totally unreliable service. That's unusual for a Google service, but it is what it is.
I suspect the reason they don't just use a JS browser check is that JS browser checks are getting cheap to perform - currently using puppeteer, you can bypass the "under attack" mode interstellar page since you're running a complete Chrome JS engine. The only reason this isn't an issue for most Cloudflare customers is that the cost of running Chrome to DDOS a web server is fairly expensive and takes more CPU/resources than it's worth.
However, when you factor in logins and the potential to destroy infrastructure or brute force passwords, the ROI for a Chrome attack is much greater. Sure, you're wasting a lot of resources running a full browser, but if you brute force your way into an account you could cause millions in damages or pivot to other systems with the password you just guessed.
This is why ReCaptcha is a thing. Scoring based on how "trustworthy" a Google account is, how human-like the mouse movement is on the page, and how often it's hitting the captcha is the only proven way to defend against these attacks. I agree that ReCaptcha isn't perfect, but, at least for now, there are no real alternatives that match up to ReCaptcha's level of overall success.
My only suggestion for a solution to the problem is a "magic link" system like Tumblr uses. When trying to log in you'll receive an email containing this "magic link" that removes the need to log in with a password at all and bypasses any Captcha checks since you're now relying on the email provider's security.
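The "magic link" flow suggested above, as an added illustration that is not Tumblr's, Cloudflare's or the poster's code: the server mints a high-entropy single-use token, stores only its hash, e-mails the link, and signs the user in when the link is opened within its lifetime. The login URL, the 15-minute lifetime and the in-memory store are assumptions; e-mail sending is stubbed with a list.

```python
"""Passwordless "magic link" login (added illustration, not production code).
Assumed: links are valid for 15 minutes, the store is in-memory, and mail
delivery is replaced by appending to a list."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of one link


class MagicLinkLogin:
    def __init__(self, base_url="https://login.example.invalid/magic"):  # placeholder
        self.base_url = base_url
        # pending links keyed by SHA-256(token): a leaked copy of this store
        # does not contain anything that can be pasted into a browser
        self._pending = {}
        self.sent_mail = []  # stand-in for the outgoing-mail queue

    def request_link(self, email, now=None):
        """Mint a single-use token, queue the e-mail, and return the raw token.
        Only the e-mail carries the token; the server keeps its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email.lower(), now + TOKEN_TTL_SECONDS)
        self.sent_mail.append((email, f"{self.base_url}?token={token}"))
        return token

    def redeem(self, token, now=None):
        """Return the signed-in address, or None when the link is unknown,
        already used, or expired. pop() makes every link single-use, so a
        replayed link (e.g. from a forwarded mail) fails."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email
```

Because the token never leaves the mailbox except through the link itself, account security reduces to the e-mail provider's security, which is exactly the trade-off the post describes.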
I agree with your points, but unfortunately it does not solve the issues I am having with that setup. The problem with reCAPTCHA is you are at the mercy of Google. Something like the issue mentioned above (a Google account having a lower score than anonymous access) should never happen and can effectively lock you out of your Cloudflare account (and actually did so).
Medium uses the same approach (even though they couple even that with reCAPTCHA) and that would be a viable solution in my opinion. If Cloudflare could adopt that (or offer it additionally) without the reCAPTCHA "insanity" it might be just the fix I was looking for.