I've used Google ReCAPTCHA v2 for signups and logins but I'm at a loss with v3. I'm uncertain about how to set the threshold and what steps to take when a request doesn't pass. The default value is set to 0.5 in my better-auth setup. Is that a good or bad threshold? What does everyone do if a request fails? Should I revert to showing the v2 challenge?
3 Answers
A lot of developers struggle with the threshold in v3, and it can be a real issue. With a strict threshold, decisions become too binary, potentially locking out real users. Consider looking into Friendly Captcha, which adjusts the difficulty of its challenges and respects privacy regulations. This could be a great alternative if compliance with GDPR or CCPA is a concern for you.
ReCAPTCHA v3 operates more subtly than v2; it judges users quietly based on their interactions. A threshold of 0.5 is quite standard, but you can tighten it (like 0.7-0.9) for fewer false positives, or loosen it to around 0.3 if you're okay with catching more bots. When someone fails, using v2 as a fallback is a solid option, but if you're feeling confident, you can reject them outright.
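As an added example (not code from the question or from any answer above), here is the server-side decision logic this answer describes, in JavaScript: verify the token, then map the score into three bands: pass, fall back to a v2 challenge, or reject. The JSON field names (`success`, `score`, `action`, `hostname`, `challenge_ts`) are Google's documented siteverify response format; the 0.3 fallback floor and the three outcome labels are this example's own assumed policy, not something the answers or better-auth prescribe.

```javascript
// Outcomes: "allow" passes the request, "challenge" tells the client to show a
// v2 checkbox before retrying, "reject" refuses outright.
function decideRecaptchaV3(verify, opts) {
  const {
    threshold = 0.5,      // scores at or above this pass without friction
    challengeFloor = 0.3, // assumed: scores in [challengeFloor, threshold) get v2
    expectedAction,       // action name the client claimed it was performing
    expectedHostname,     // your own hostname, to catch tokens minted elsewhere
    maxAgeSeconds = 120,  // v3 tokens are single-use and expire after 2 minutes
    now = Date.now(),
  } = opts;

  // A failed verification (bad/expired token, wrong secret) is never a "low
  // score"; treat it as a hard failure instead of letting it reach the bands.
  if (!verify || verify.success !== true) return "reject";
  // Bind the token to the form it was issued for, so a token obtained on a
  // low-value page (e.g. a contact form) cannot be reused on login or signup.
  if (expectedAction && verify.action !== expectedAction) return "reject";
  if (expectedHostname && verify.hostname !== expectedHostname) return "reject";
  // Stale tokens: siteverify rejects these too, but keeping the check here
  // makes the policy explicit and testable offline.
  const issued = Date.parse(verify.challenge_ts);
  if (Number.isNaN(issued) || now - issued > maxAgeSeconds * 1000) return "reject";

  const score = typeof verify.score === "number" ? verify.score : 0;
  if (score >= threshold) return "allow";
  if (score >= challengeFloor) return "challenge";
  return "reject";
}

// Calls Google's siteverify endpoint and applies the policy above. `fetchImpl`
// is injectable so the decision logic can be exercised with a constructed
// response and no network access.
async function verifyAndDecide(token, secret, remoteIp, opts, fetchImpl = fetch) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl("https://www.google.com/recaptcha/api/siteverify", {
    method: "POST",
    body,
  });
  return decideRecaptchaV3(await res.json(), opts);
}
```

When the result is "challenge", respond to the client with a signal to render the v2 widget and resubmit; the v2 token is then verified through the same siteverify endpoint but has no score, so it is a plain pass/fail check.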
If you're stressed about finding the right threshold with Google ReCAPTCHA v3, consider switching to Cloudflare Turnstile. It automatically adjusts the challenge difficulty based on the user's risk profile without you dealing with complicated score-handling.