The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652
So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
> No mention of device integrity verification yet
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974
> I expect that it will initially not use it
It's the boiling-the-frog method. Moving too fast means backlash, but a slow, step-by-step transition where each step seems reasonable, but ultimately ends up with a locked-down device, is how they aim to achieve it. And people would be too lazy to complain until the last few steps, by which time it would be too late.
Good metaphor. On the one hand, Google increasingly cooperates and makes deals with militaries and governments. On the other hand, it increasingly locks down its customers and eliminates their privacy and freedoms.
Google has just about got the pot boiling. They win, we lose.
FWIW, “boiling the frog” is the example of false reasoning about slippery slopes (the frog in actuality always left)
Your larger point still stands though of normalizing changing expectations by slow degrees
Not really - I would prefer that any policy change that _could_ be utilized in the future to enable future draconian changes be killed before it takes root.
I want a system, like type safety, to guarantee that XYZ cannot be possible, rather than rely on civil jurisprudence and active opposition to prevent it. We don't have that today, but I would like to have it.
There is already so much backlash. If I ever use a recaptcha, I will have Google Gemini solve it wasting Googles compute and messing up the dataset.
>that implies that a "certified Android" device capable of Play Integrity attestation is required
No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.
They said "capable of Play Integrity attestation". It's a weasel statement. If you have GMS, you're capable of performing PIA attestation, you just might fail. So it's strictly true, but doesn't tell us anything about whether it requires PIA.
And you must be signed in.
I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.
I get this all the time with Brave, and especially in Private Windows. It's the number one reason I don't use Google Search anymore. I've used Brave search for a while, what do you use? Do you have a way to prevent the captchas?
I get it all the time on my Mac with Safari using iCloud private relay
> And you must be signed in.
I don't see any mention of that? Google Play services work fine without an account (although if you're the kind of person who doesn't sign in to a Google account on their Android phone, you're probably running a custom ROM or something)
Until now, I have never run "a custom ROM or something", but just the Android that came from the phone vendors and its updates.
Nevertheless, I do not have a Google account and I do not intend to have such an account.
Of course, this means that I cannot install any app from the official Google store, even if it is a free app. The requirement to login into your Google account should have existed only for payments, not for downloading a free app, but nonetheless Google does not work this way.
I already had problems with a bank that has terminated its Web-based online service, replacing it with an app that they refuse to provide for downloading, so that I could install it without having to open a Google account. Therefore I have also terminated my accounts with that bank.
I hope that this behavior will not spread to all remaining banks that still have Web-based online access.
You could try aurora store with anonymous accounts, though that has the problem that other people may be able to see the apps you install.
I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.
Google is mostly interested in abuse that happens beyond the scale of how many $30 phones you can buy.
They're mostly interested in having a complete record of all users' internet activity tied uniquely to their identity.
I'm expecting a pretty hard identity verification requirement to connect to the internet, which should solve for the burner phone thing.
Google is interested in, like other tech companies, identifying users by tying them to their phones. Other ai defense companies are trying to get photos and IDs. This is just another take on the same subversive activity.
This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.
Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.
I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...
Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore
I guess history made us different. Personally I have reasons to be equally distrustful to anyone who wants to know too much about me, but much more afraid of my gov't than overseas entities.
In this specific case, why fear the government?
My government has already seen my government-issued ID. If my government hasn't worked out my phone number, they can always ask the phone company. My address is required for the ID, voting, and filing taxes. I don't see how the government learns anything from this?
Conversely, I would like to believe most companies do not have my government-issued ID, nor a lot of the information on it.
In this specific case your government can ban you from the web by refusing to verify. E.g. to punish dissidents abroad, the Belarusian dictatorship simply nullifies their IDs and lists them as terrorists in public data. Apparently that's enough to ruin somebody's life worldwide. But at least they can use their browsers, which would not be that easy in a world where gov't-backed verification is the norm on the net.
From an American perspective, I don't trust the government with the implementation details, nor do I trust our political climate, misaligned incentives, and general disinterest in good governance to implement something so sensitive.
If I lived in say, Sweden, I feel much more comfortable trusting their government to implement. In America, I feel I must always vote in a way that prevents giving any power to the government that I wouldn't want my political opponents to have over me.
In said US of America, when the government wants to know something about you, they will get everything they want from the companies - it's even written clearly in the US laws. So I'm not sure why (or where) you draw that line...
1. if they have to subpoena each site each time they need user data, it reduces mass surveillance risk. I'm okay with cops getting a warrant to access someone's gmail. I'm not okay requiring everyone to use email.gov.
2. I use a VPN and pseudonyms. they could unmask me if they cared to, but it'd be annoying. it'd be a lot more annoying if they wanted to unmask every VPN user all the time.
Being available as part of Google Cloud means subpoenaing Google is probably sufficient for most web sites.
the grass is always greener on the other side
> My government has already seen my government-issued ID.
If you have a government ID and all you use it for is voting and paying taxes, then they know that you vote and you pay taxes.
If you have to use it for accessing the internet then they know everything you do on the internet. What you read, who you talk to, what you post, when you sleep, where you are at any given time -- it's very much not the same thing as just having a picture of you and your name.
No they do not. A properly designed government app that uses cryptography to generate a deniable token that can't be cross-correlated but proves your humanity/age to a consuming site is manifestly different than Google adtech hoovering up as much of your activity as possible.
> A properly designed government app
Oof, that's not a great premise to take as a requirement right out of the gate. More counterexamples than examples for that one.
> that uses cryptography to generate a deniable token that can't be cross-correlated but proves your humanity/age
If it's actually deniable/anonymous then how would it work for rate limiting? If you can't correlate their activity then you don't know if the million requests are a million people or one bot with a million connections. If you can correlate their activity then it's not anonymous.
Moreover, it's a false dichotomy that we should be doing either of these things. The better alternative to corporate surveillance isn't government IDs, it's no surveillance.
A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.
The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.
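The "blindable RSA signatures" mentioned further up and the "deniable token that can't be cross-correlated" and rate-limiting question in this sub-thread are the same mechanism, so here is one worked example covering both. It is an added illustration, not code from the original discussion or from any government or Google system: a toy RSA blind signature in which the issuer signs a value it cannot read, the client unblinds it into a token, and the relying party verifies the token with the public key and refuses replays. The key size, the party names and the `citizen-42` identifier are assumptions made for the demo; a real deployment would use a 2048-bit or larger key and a standardised construction such as RSABSSA (RFC 9474) or Privacy Pass rather than textbook RSA.

```python
import hashlib
import math
import secrets

# Toy RSA key built from two Mersenne primes so the example runs offline.
# Assumption for illustration only: a real issuer would use a 2048-bit+ key
# and the RSABSSA construction (RFC 9474) rather than this textbook scheme.
P = 2 ** 127 - 1
Q = 2 ** 89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(token: bytes) -> int:
    """Hash-to-integer of the token. Signing a hash rather than a raw value
    is what stops a client from using the issuer as a decryption oracle."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Issuer:
    """The ID authority. It authenticates the citizen out of band, then signs
    a blinded value it cannot read. `log` is everything it could retain."""

    def __init__(self):
        self.log = []

    def sign_blinded(self, citizen_id: str, blinded: int) -> int:
        # Per-identity rate limiting of issuance happens here: the issuer
        # knows who asked and how often, but not what they will spend it on.
        self.log.append((citizen_id, blinded))
        return pow(blinded, D, N)


class Client:
    """The citizen's device: makes a random token, blinds it, and unblinds
    the returned signature. Neither the token nor the final signature leaves
    the device until it is presented to a site."""

    def make_token(self) -> bytes:
        return secrets.token_bytes(32)

    def blind(self, token: bytes):
        r = secrets.randbelow(N - 2) + 2
        while math.gcd(r, N) != 1:
            r = secrets.randbelow(N - 2) + 2
        return (h(token) * pow(r, E, N)) % N, r

    def unblind(self, blind_sig: int, r: int) -> int:
        # (m * r^e)^d * r^-1 = m^d * r * r^-1 = m^d  (mod N)
        return (blind_sig * pow(r, -1, N)) % N


class RelyingParty:
    """A web site: checks the signature against the public key and refuses
    to accept the same token twice, so one token buys one request."""

    def __init__(self):
        self.spent = set()

    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(token):
            return False            # not signed by the issuer
        if token in self.spent:
            return False            # replay: rate limit without identity
        self.spent.add(token)
        return True


def run_demo() -> dict:
    """End-to-end run; returns the checks a verifier would want to see."""
    issuer, client, site = Issuer(), Client(), RelyingParty()
    token = client.make_token()
    blinded, r = client.blind(token)
    sig = client.unblind(issuer.sign_blinded("citizen-42", blinded), r)
    seen = {b for _, b in issuer.log}
    return {
        "first_use": site.accept(token, sig),
        "replay": site.accept(token, sig),
        "forged": site.accept(token, (sig + 1) % N),
        "issuer_saw_token": h(token) in seen or sig in seen,
    }
```

The answer to "how does rate limiting work if it is anonymous" is visible in the two halves: the issuer limits how many tokens a given identity may obtain, and the site limits how many times a given token may be spent; neither side alone can map a spent token back to a person. The caveats the thread raises still hold: the issuer learns who requested tokens and when (so coarse timing correlation is possible), and nothing in the cryptography stops a verified adult from handing tokens to someone else.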
> A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.
So then you don't need either attestation or government IDs, right?
> The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.
But how is that even useful? Is it good to exclude real people from Korea or South America? Do we really expect criminal organizations or for that matter even children to be unable to find a single adult EU citizen willing to anonymously loan them an ID?
It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.
> It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.
How is the system proposed by GP authoritarian? It's not actually giving away any real PII. We could just argue that it would make the Internet less usable for "illegal" immigrants who don't have a Gov ID - which can be seen as a problem already in itself, but still doesn't make that solution "authoritarian".
You're moving the goalposts. I was responding to your claim that any verification system involves the government getting a complete record of all online activity.
If you're willing to admit this is entirely possible from a technical standpoint, there's a separate question about how useful/valuable it is.
Making it harder for children to access extreme pornographic or violent content seems useful to me. Many advertisers want to be able to say they've shown ads to a human not a bot. Humans in WEIRD* countries have more valuable eyeballs than humans in the developing world.
If you don't solve for those use-cases in a privacy preserving way, adtech will do it in an intrusive way - which is what Google are doing in the OP.
*"Western, Educated, Industrialized, Rich, and Democratic"
I have not seen any government adopt such a standard.
some EU countries claim to provide anonymous age verification services, but those only hide your identity from the relying party. the site you visited is logged to the government's database along with your identity, before you're redirected to the target site with an "anonymous" token.
> the site you visited is logged to the government's database along with your identity
Is that true, or are you spreading FUD? Because the system in question is not even live yet, it's only had experimental releases.
They could do it like that, but they won't do it like that, because tracking the population is a feature not a bug
I'd rather have no ID verification at all. Give them an inch and they'll take a mile.
Same, I've never seen any app or website where an ID registration would make sense. No thanks.
One of these also rounds up people and sends them off to overseas concentration camps without due process. I think maybe white people still don't get what the rest of the world is living or experiencing.
One of them pretends to hold elections.
Does it only count as an election if one’s favorite side wins?
What if neither side represents your interests? What "election" is there in that case?
There's more than two sides here. None of the 14 parties with >1 seat in parliament fully represents my best understanding of how to improve the country and world on any time scale (long or short), but quite a few of them come reasonably close and I would vote for them without much hesitation
(Heck, I wish there were fewer parties, like if five single-topic good parties (bij1 against racism, pirate party for internet freedoms, volt for international collaboration, party animals for environmental welfare, etc., plus greenworkersparty as the current overarching big boy) would band together, it'd be a much easier choice!)
That not every country is so lucky (not all of them have free elections, or elections at all) is a shame indeed, but at least for countries like mine I'd be much happier to have a government arrange a system than a tech corporation and foreign laws. Presuming that the 2-party system you speak of is the USA's, at least both corps are governed by your own laws, that's something!
Simply live somewhere that doesn’t have a broken electoral system.
Like the Moon or Mars? The power is not something for the people for free.
Some Western European democracies have a well-functioning democracy. The people voting are still humans, a substantial portion votes for racist parties that economically only benefit big corporations and not them, but the damage is limited because there is no winner-takes-all. Everyone has to accept compromises.
> Some Western European democracies have a well-functioning democracy.
Which ones?
Can you run as a candidate yourself in that election?
I'm sure many are tempted to dismiss this comment, but I think it's actually great. It's incredibly easy to complain about the options out there, really easy to vilify any or all of the parties as controlled by satan/evil corporations/communists/fascists.
What's harder?
Convincing enough people to matter (in some kind of election-based system) to get behind your platform - either with you as a candidate, or working to promote a candidate or party or movement that you do believe in.
People talk like their changemaking ideas are very widely held - the way people talk it's like they believe 75%+ of the country must actually agree with them - but then they don't run for office on such a popular platform that it should be a sure election win, yes even with countervailing forces such as electoral college, Senate, etc.
Which public corporation do you think doesn't hold elections?
Google. The Class B stock setup means Class A shareholders are shouting into a void.
Sorry, I trust Google more than my government with my data. I mean I trust photos, youtube, music, gmail, wallet, keep, etc.; what is it that I have left anyway? It's sad that we started from an open web, but we ended up in the hands of a few. Apple/Samsung, Google, Microsoft, Amazon basically decide how I live my life. I don't want to (and sometimes I try too hard), but I don't want to give up the convenience either, and not only mine: my family is in the same pot too.
Google will comply if your government needs information on you. Are you sure your trust isn't misguided?
Given the chance, Google would kill you by accident.
"We're very sorry, your access to G-Pacemaker was accidentally revoked when your accounts were closed for suspicious behavior after watching a YouTube video without subtitles in a language we hadn't realized you were learning. Unfortunately, there is no appeals process as your heartbeat was terminated immediately."
"As part of our mission to enable a safe agentic web" drew an immediate swear from me.
What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.
I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.
Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.
I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
But what's the alternative? Sites need a way to prevent bots overwhelming them, and there's no perfect way to distinguish real users from bots.
One alternative is to make simple, efficient, and where appropriate even static sites that can scale to meet the demand.
The HIBP hashes distribution is a great example.
That doesn't really help if the same Huawei bot keeps re-requesting a bunch of 600 KiB JPEGs from 120 rotating IP addresses with random crap at the end of the URL, like what happened to one of my servers. Efficiency doesn't really matter if you're getting hammered by bots.
I ended up aggressively IP blocking all of China, Singapore, and a few other East-Asian countries once I noticed that blocking server IP addresses just made the botnet switch to residential IPs. I didn't switch over to Cloudflare, but now a couple billion people can't read my website, which is arguably worse (but cheaper).
Also, a handful of people seeing an annoying checkbox is hardly a reason to re-architect an entire website. I am as opposed to Cloudflare taking over the internet as any sane person, but the usability story isn't really an argument for that kind of time investment.
The alternative to Cloudflare isn't some magical system that works for everyone but bots, it's hard-blocking IP ranges on the network level for anyone who doesn't fit the "normal" user profile.
Try using anubis. It uses a PoW challenge to make it not make economic sense to scrape websites.
Anubis is trivially bypassed by anyone that cares to bypass it. All it does is inconvenience real users with niche/older/extended browsers or those who take basic precautions against tracking and malware.
“Demand” has very little to do with any of the problems bots cause on the internet today.
What are "bots"?
If I use Claude to gather and summarize information for me, is that a "bot"? Because I recently hit that wall and it wasn't great. Turns out in our quest to fight "bots" we also force humans to do the manual labor of copy/pasting information.
Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
The alternative would be tar traps that only a bot would “see” and interact with and thus be caught by. Default to annoying machines not people.
Your idea works for generic crawlers.
That doesn't work for targeted bots. A major benefit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform such as sms toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay for platform / ecosystem benefits, paid harassment, the list just keeps going.
Some apps such as okta, banking, and others already check platform verification. Websites currently can't, until device attestation.
Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There's a few of us, we only take losses. They can lie all they want, we can't really trust any facts except kinda the credit card and the device attestation.
Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.
> A major benfit of device attestation is to stop the hordes of custom bot creators
Attestation is extremely ineffective at preventing this because it requires attackers be unable to compromise their own devices, even when they have permanent physical access to the hardware and can choose which model to buy and get devices known to be vulnerable.
For example, CVE-2026-31431 is from only a week ago. It's a major local privilege escalation vulnerability. If you can run unprivileged code you get root. How many people have Android phones that can pass attestation but will never see the patch because the OEM has already abandoned updating them? Tens of millions, hundreds of millions?
Attackers can trivially get root on a device that passes attestation. Many devices even have vulnerabilities that allow the private keys to be extracted.
The main thing attestation actually does is beset honest users who just want to use their non-Android/iOS device without getting a million captchas, because they chose the device they wanted to use as a real human person instead of doing as the attackers do and choosing a device for the purpose of defeating the attestation.
And it's easy to confuse this with real effectiveness because whenever you roll out any security change, the attacks may subside for a short period of time as the attackers adapt to it. But that's why it makes sense to avoid things that screw innocent people or entrench monopolies -- while the temporary effectiveness wears off, the screwing becomes permanent. Meanwhile spending the same resources on any other method of shuffling things around to make them adapt will give you the same temporary effectiveness without hurting your legitimate users.
But what's the alternative to shops strip searching you every time you want to buy something? Shops need a way to prevent looters overwhelming them, and there's no perfect way to distinguish real shoppers from looters.
One solution is to leave a deposit worth more than anything you could loot. What that means in the computing world is those silly browser-based crypto-solvers.
PoW challenges that make bots not viable.
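The "deposit worth more than anything you could loot" idea and the Anubis suggestion earlier in the thread both come down to a hashcash-style proof-of-work challenge. Below is an added, self-contained sketch of that pattern, written for this page rather than taken from Anubis or any other project: the server issues an HMAC-signed challenge with a difficulty and an expiry, the client brute-forces a counter until SHA-256 of the challenge has enough leading zero bits, and the server verifies with one HMAC and one hash and refuses expired, tampered or already-redeemed solutions. The `SERVER_KEY`, the `nonce:difficulty:expiry:mac` encoding and the in-memory spent set are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Tuple

# Assumption: a per-deployment secret so challenges cannot be forged.
SERVER_KEY = secrets.token_bytes(32)

# Challenges already redeemed. In production this is a shared cache with TTL.
_SPENT = set()


def issue_challenge(difficulty_bits: int, ttl_seconds: int = 60, now=None) -> str:
    """Server side: hand out 'nonce:difficulty:expiry:mac'."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expires = int(now) + ttl_seconds
    body = "%s:%d:%d" % (nonce, difficulty_bits, expires)
    mac = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    return body + ":" + mac


def work_bits(challenge: str, counter: int) -> int:
    """Leading zero bits of SHA-256(challenge ':' counter)."""
    digest = hashlib.sha256(("%s:%d" % (challenge, counter)).encode()).digest()
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge: str) -> int:
    """Client side: brute-force a counter meeting the difficulty.
    Expected cost is about 2**difficulty hashes."""
    difficulty = int(challenge.split(":")[1])
    counter = 0
    while work_bits(challenge, counter) < difficulty:
        counter += 1
    return counter


def verify(challenge: str, counter: int, now=None) -> Tuple[bool, str]:
    """Server side: constant cost regardless of difficulty."""
    now = time.time() if now is None else now
    parts = challenge.split(":")
    if len(parts) != 4:
        return False, "malformed"
    nonce, difficulty, expires, mac = parts
    body = "%s:%s:%s" % (nonce, difficulty, expires)
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad-mac"            # forged or difficulty lowered
    if now > int(expires):
        return False, "expired"            # solutions cannot be banked
    if challenge in _SPENT:
        return False, "replayed"           # one solution buys one request
    if work_bits(challenge, counter) < int(difficulty):
        return False, "insufficient-work"
    _SPENT.add(challenge)
    return True, "ok"


def expected_client_hashes(difficulty_bits: int) -> int:
    """Average work a solver must do; the verifier does a single hash."""
    return 2 ** difficulty_bits
```

The asymmetry the scheme relies on is visible in `expected_client_hashes` versus `verify`: every extra bit of difficulty doubles the solver's cost while the server's cost stays at one HMAC and one SHA-256. The objection raised later in the thread is also visible: the cost is paid in CPU time, so a scraper with a GPU or a cheap cloud fleet pays orders of magnitude less per solution than a human on an old laptop, which is why this deters bulk crawling but not a targeted attacker.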
You mean a la Anubis? But people also seem unhappy with that; and in any case Anubis is designed to stop ai crawlers; it doesn't work against a targeted crawler or a targeted dos attack.
You're right, we need big tech to protect us from the problems big tech created.
In the olden 20th century, we had a term for that...
You know that protection racket where the mobster came to my corner store and says if I don't pay him he will come later and rough me up? This is a worse deal than that.
Better turn on that 'free' Cloudflare 'bot' protection. Would be a shame if our, ahem, I mean, those botnets ddos'ed your site.
this is the modern version of that.
What's your argument?
mCaptcha, ALTCHA, Cap, Friendly Captcha, Private Captcha, Procaptcha, Anubis... there are literally dozens of open source alternatives that aren't feeding the Do Be Evil company... not to mention all of the commercial alternatives - if for whatever reason, you do feel like paying for a service that costs nothing to offer
Get off it. Fraud detection is nontrivial and requires ongoing effort. It's reasonable for people to be compensated for that.
CAPTCHAs are not fraud detection and not an ongoing effort
Maybe ai companies should have invested any of those billions of dollars into safe and equitable ways of rolling out their new surveillance machines. Oh right that was never the point and this only serves to further that. Got it.
I think they'd be OK w/o the surveillance machine part of it, but they have never seemed to care about anything besides advancement of the tech or its side projects.
I can imagine a world where they were fighting for displaced workers, for Altman/Elon-suggested UBI/universal "high" income plans, and where they'd compensated those in the training set, and cut deals with publishers & content creators instead of scraping anything they could get their hands on. Would they be unpopular?
reminder that any company which has a legal obligation towards you (GDPR requests, refunds, filling a complaint etc) can be contacted directly and forced to do it manually if you cannot use their web interface due to being blocked by Cloudflare & other captchas
Yep.
I learned yesterday you can’t sign in to Cursor on Brave Browser. Had to switch to Safari. This is only going to become more and more common.
... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.
I know, people will slavishly knuckle under, but let me dream for a few minutes.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
> press win+R ctrl+V
LOL is this real?
I guess yes, because yesterday reCAPTCHA asked me to screenshot a QR code with my mobile phone :-D
It’s a common thing for malware. But people are going to be more likely to fall for it when mainstream sites ask you to complete weird tasks with your phone to verify your identity.
People are constantly made to jump through strange hoops to do things on the internet. Unless you're really keyed in to what's going on, it's easy to fall for stuff like that.
It is. There are fake Cloudflare CAPTCHAs on pwned WordPress sites that instruct users to run PowerShell scripts.
Yeah, this is going to turn into another malware vector, isn't it?
Discord has a feature where you can log into your account on your PC by scanning a code on your phone.
So does Binance.
Those are good things though? They’re about logging in, on purpose.
Not about attesting to Google that you have a proper smartphone as a proxy for your humanity, like this thing.
To prove you're not a bot, scan this QR code with Discord.
But none of those options are requirements to access the service.
They're requirements to access my website though! To prove you're not a bot, scan this QR code - with Discord.
So does Signal.
But Signal is secure(TM)!
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
It's almost like some people aren't IT hobbyists.
I'm not a heart surgery hobbyist, therefore I don't chop people's chests open, no matter who suggests it.
I have blocked it for years with uBlock Origin; if a site doesn't work, ctrl-w. Nowadays I cannot even use Google search because of this, any search will trigger a captcha, hilarious (at least on Chromium-based browsers, Firefox lets me get a page or two).
Ditch Google Search as well then, use something like SearXNG or another meta-search engine. You'll get more representative results, no tracking and no captchas. Sometimes some of the engines may return captchas but they're kept from the search results, i.e. those engines don't get used for the query. You can run your own instance of SearXNG or one of the alternatives or use one of the available public instances, your choice. The fewer direct interactions with the likes of Google/Apple/Microsoft/etc. the better.
The thing is even a contact form without something like reCaptcha is doomed on today's web: spam all day.
If it's just a contact form on some random site that isn't particularly valuable to spammers, a bespoke solution like hidden input fields, obfuscation, or some kind of token calculated client-side by JS will probably work just as well.
That used to be the case; unfortunately today even bespoke solutions can be completed by automation, and anything that just requires running JS in a headless browser has been ineffective for a long time already.
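For the "hidden input fields, obfuscation, or a client-side token" approach discussed in the two comments above, here is an added example of what such a bespoke filter looks like server-side; it is illustration written for this page, not code from any project mentioned in the thread. It combines a CSS-hidden honeypot field (assumed to be named `website_url`), a server-signed issued-at token embedded in the form, and a minimum fill time, and classifies a submitted form dict by the first check it fails. The field names, `FORM_KEY` and the three-second threshold are assumptions.

```python
import hmac
import secrets
import time

# Assumptions for the demo: a per-site secret for signing the form token,
# a honeypot field hidden from humans via CSS, and a minimum fill time.
FORM_KEY = secrets.token_bytes(32)
HONEYPOT_FIELD = "website_url"
MIN_FILL_SECONDS = 3
MAX_TOKEN_AGE_SECONDS = 24 * 3600


def render_token(now=None) -> str:
    """Embed a signed issued-at timestamp in the form as a hidden field so
    the server can later measure how long the form was open."""
    now = int(time.time() if now is None else now)
    mac = hmac.new(FORM_KEY, str(now).encode(), "sha256").hexdigest()
    return "%d.%s" % (now, mac)


def classify_submission(form: dict, now=None) -> str:
    """Return 'ok' or the first reason the submission looks automated."""
    now = time.time() if now is None else now
    # Humans never see the honeypot; naive form-fillers populate every input.
    if form.get(HONEYPOT_FIELD):
        return "honeypot-filled"
    issued, _, mac = form.get("form_token", "").partition(".")
    if not issued.isdigit():
        return "missing-token"        # form posted without loading the page
    expected = hmac.new(FORM_KEY, issued.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):
        return "bad-token"            # timestamp forged or tampered with
    age = now - int(issued)
    if age < MIN_FILL_SECONDS:
        return "too-fast"             # submitted faster than a person types
    if age > MAX_TOKEN_AGE_SECONDS:
        return "stale-token"          # token harvested and replayed later
    return "ok"


def triage(submissions, now=None) -> dict:
    """Tally classifications for a batch of submissions (constructed input
    in the test below stands in for real POST bodies)."""
    counts = {}
    for form in submissions:
        verdict = classify_submission(form, now)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

These checks are cheap and catch generic form-spam tooling, which is the scenario the first comment describes. They are exactly what the reply says they are, though: a headless browser that loads the page, waits a few seconds and leaves hidden fields empty passes every one of them, so they filter noise rather than stop a targeted bot.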
> but the writing is on the wall.
Only if politicians are still corrupt and law enforcement doesn't work.
Which means the writing is on the wall.
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
“On an infinite timescale, I’m eventually right, so it never makes sense to not heed my advice” is silly. We’re all going to die eventually so it’s not worth browsing the web on any device.
A smartphone is just a small computer. I don't see how what you say makes sense.
It's a small computer that I don't really control with a horrible UI, horrible privacy, and nothing but perverse incentives. ("download the app!")
You need LineageOS or GrapheneOS
Or Mobian, or PureOS, or postmarketOS.
Sounds like Windows
And Mac
There’s no going back unfortunately. There’s no world where smartphones go away barring a new tech as significant and useful as a smartphone.
Why are you so sure? Have a look at Librem 5 and Pinephone.
I’m familiar with projects like them. I just don’t think any of them are going to break through in a meaningful way anytime soon, if ever. They have very niche markets. I hope they are always an option though.
No surprises here, though of course disappointment when it comes to fruition.
Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?
This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHA's are no longer effective against. Google's not forcing this on anyone else.
Investigate the anti-bot sellers.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
CTAP2 requires Bluetooth but I'm not seeing any mention of that protocol here? It wouldn't really solve the "are you a human" thing, because you can just implement your own CTAP2 protocol handler if you wanted to write a bot.
I think the phone will just do basic remote attestation and then do a POST request to Google. Still not exactly difficult to bypass for anyone with a dollar to throw at the click/ad fraud farms, though.
My desktop doesn't have Bluetooth. Does this mean I'd be doomed even if I had a compatible mobile device?
I also disable Bluetooth on my phone every few months (and never enable it)... or at least after every CCC or such.
We might need to redo this whole Internet thing because this is insanity.
Maybe it’s time to get in to Ham radio or some other hobby
Yes. The technical name for this FIDO2 QR code flow is caBLE (Cloud Assisted Bluetooth Low Energy).
In a free market, the content provider is free to put whatever guardrails they feel appropriate. Loginwall, Paywall, CaptchaWall.
If you don't like that provider, you are free to pick another.
I'm not 'free' to pick another government site. There is only one.
1. Free markets do not exist
2. If free markets did exist they would not conform to the theory that people are using when they think of what free markets are, since people do behave rationally, power dynamics are real, and no consumer can have all of the information needed to make rational decisions even if that information were available
3. The market is providing solutions to its own failures without fixing the underlying failures because it is more profitable this way. Is buying something from a company that mitigates a problem created by the same company actually a free market, or is it just extraction?
In passkeys the bluetooth is used for the actual authentication protocol...
Sometimes, sort of. Most passkey usage doesn’t involve bluetooth. When it does, there’s no real data being sent over bluetooth, just a meaningless hash that can be confirmed using a secret inside the QR code.
So really, it’s like I said, Bluetooth is used to make sure that the device consuming the QR code is actually near the device that’s displaying the QR code.