This page explains how to use Fraud Defense features, such as
Multi-factor authentication (MFA) and Password defense, by migrating your existing reCAPTCHA
integration from the legacy SiteVerify method to the CreateAssessment method.
Migrating to the CreateAssessment method involves instrumenting the web pages and migrating the backend calls.
Explore Fraud Defense features
After you migrate to using the CreateAssessment method, you can use additional Fraud Defense features, such as
the following:
- Account defense: Helps you protect user accounts from compromise and fraudulent activities, such as account takeover (ATO) attempts.
- Transaction defense: Helps you protect payment transactions from online fraud, such as carding attacks and use of stolen payment instruments.
- Password defense: Lets you check if a username and password combination that is provided by a user has appeared in a known data breach or password leak database.
- Multi-factor authentication (MFA): Helps you verify your users' identities by sending a verification code by email.
Instrument the web pages
To instrument the web pages with the correct reCAPTCHA scripts and calls, do the following:
- Verify that you have the following script included in your web pages: https://www.google.com/recaptcha/api.js. In your web pages, replace https://www.google.com/recaptcha/api.js with https://www.google.com/recaptcha/enterprise.js.
- If you programmatically invoke the API, then replace the following calls:
  - grecaptcha.execute() -> grecaptcha.enterprise.execute()
  - grecaptcha.getResponse() -> grecaptcha.enterprise.getResponse()
  - grecaptcha.ready() -> grecaptcha.enterprise.ready()
  - grecaptcha.render() -> grecaptcha.enterprise.render()
  - grecaptcha.reset() -> grecaptcha.enterprise.reset()
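The two instrumentation steps above can be applied and audited with a small script. The following is an added example, not code from this page or from Google; the function name `migrateSource` and the sample page in `SAMPLE` are constructed for illustration.

```javascript
// Added example (not Google's code): rewrite the legacy client-side
// references listed above and report where each one was found.
const LEGACY_SCRIPT = /https:\/\/www\.google\.com\/recaptcha\/api\.js\b/g;
const ENTERPRISE_SCRIPT = 'https://www.google.com/recaptcha/enterprise.js';
const METHODS = ['execute', 'getResponse', 'ready', 'render', 'reset'];

// Matches grecaptcha.<method> (also window.grecaptcha.<method>), but not
// grecaptcha.enterprise.<method> and not identifiers such as mygrecaptcha.
const LEGACY_CALL = new RegExp(
  '(?<![\\w$])grecaptcha\\s*\\.\\s*(' + METHODS.join('|') + ')\\b', 'g');

// Hypothetical helper: returns the migrated text plus one finding per rewrite.
function migrateSource(source) {
  const findings = [];
  const output = source.split('\n').map((line, i) => {
    // Step 1: swap the script URL; any query string (?render=...) is kept.
    let out = line.replace(LEGACY_SCRIPT, () => {
      findings.push({ line: i + 1, kind: 'script-url' });
      return ENTERPRISE_SCRIPT;
    });
    // Step 2: move programmatic calls under the enterprise namespace.
    out = out.replace(LEGACY_CALL, (_match, method) => {
      findings.push({ line: i + 1, kind: 'call', method });
      return `grecaptcha.enterprise.${method}`;
    });
    return out;
  }).join('\n');
  return { output, findings };
}

// Constructed sample page mixing legacy and already-migrated references.
const SAMPLE = [
  '<script src="https://www.google.com/recaptcha/api.js?render=SITE_KEY"></script>',
  '<script>',
  '  grecaptcha.ready(function () {',
  "    grecaptcha.execute('SITE_KEY', { action: 'login' });",
  '  });',
  '  grecaptcha.enterprise.reset(); // already migrated, left alone',
  '</script>',
].join('\n');

const result = migrateSource(SAMPLE);
console.log(result.findings);
console.log(result.output);
```

Running the function a second time on its own output returns no findings, so a non-empty findings list can be used as a check that a page still contains legacy references.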
Migrate the backend calls
To use Fraud Defense features, you must migrate your backend calls to the new endpoints and set up authentication:
- Replace backend calls to https://www.google.com/recaptcha/api/siteverify with equivalent calls to recaptchaenterprise.googleapis.com. For the complete URL and the POST data format, see Create an assessment for your website.
- Set up authentication to reCAPTCHA.
The authentication method you choose depends on the environment where reCAPTCHA is set up. The following table helps you choose the appropriate authentication method and the supported interface to set up authentication:
| Environment | Interface | Authentication method |
| --- | --- | --- |
| Google Cloud | REST, Client libraries | Use attached service accounts. |
| On-premises or a different cloud provider | REST | Use API keys or Workload Identity Federation. If you want to use API keys, then we recommend securing the API keys by applying API key restrictions. |
| On-premises or a different cloud provider | Client libraries | For Python or Java, use API keys or Workload Identity Federation. If you want to use API keys, then we recommend securing the API keys by applying API key restrictions. For other languages, use Workload Identity Federation. |
What's next
- Create an assessment for your website
- Monitor reCAPTCHA keys
- Detect password leaks and breached credentials
- Detect and prevent account-related fraudulent activities on websites
- Protect payment transactions with Transaction defense
- Configure multi-factor authentication