So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.
I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?
The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google. Google won't stop this because it makes them money.
And the official Google OS just won't feature remote-control software.
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.
The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652
So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.
No mention of device integrity verification yet, but the writing is on the wall.
> No mention of device integrity verification yet
If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.
E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245
(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)
In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.
This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.
[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974
This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.
Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.
I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.
I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.
... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.
I know, people will slavishly knuckle under, but let me dream for a few minutes.
99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.
They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.
There's some sort of serious issue with learned helplessness or something
Yeah, this is going to turn into another malware vector, isn't it?
Discord has a feature where you can log into your account on your PC by scanning a code on your phone.
So does Binance.
Any company that requires me to scan a QR code to make a purchase is losing my purchase.
I’m trying to use my phone less and less. Ideally I’d like to even switch a dumb phone.
But tactics like this will make that nearly impossible if every website starts requiring a QR code scan on a authorized smartphone.
Google building harder walls against bots while simultaneously building AI agents that need to get through them is peak 2026.
It’s the same thing with Sam Altman and Worldcoin: create the problem, then sell people the solution (which also just so happens to shred more privacy). Play both sides and profit; it’s great work if you can get it.
With the apparent competence that built Gemini, I have zero faith in Google building or doing anything that works anymore.
They're expecting everyone to whitelist Google agents because Google has the market share for people to complain if Google agents don't work.
Point On! Probably done by two different teams, who don't know about each other. I hate this (re)captcha so bad. They assume everyone is bad.
Human verification via QR code does not mitigate labor farms.
The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.
Where is this specified? I don't see that in TFA.
I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.
Google clearly wants only Google approved models to traverse the web.
The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
... You... think... it would be a good thing.
Don't you...
How are people stopping bots reliably?
Why can't an AI scan the QR code? Just fire up an emulator if necessary
Bluetooth is generally used to prove that the two devices are co-located, which makes it more complex to do your proposed kind of deployment at-scale. Bespoke solutions could perhaps work around for some smaller number of devices, this QR code layer by itself isn't intended to stop 100% of workarounds.
No browser supports Bluetooth.
Chrome does...
The app that scans the code talks to the TPM in your phone to prove that your phone is running an unmodified Google OS.
I know that's the final destination, but I didn't see that listed in the requirements page linked above. Any proof of this affecting the current implementation?
Which would be meaningful if phones weren't remotely controllable.
So the net effect is every AI agent will also have and connect to a physical phone.
The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google. Google won't stop this because it makes them money.
And the official Google OS just won't feature remote-control software.
... which is why you'll get locked out if you happen to visit an unusual number of sites in a day.
Google and the reCAPTCHA network aren't even that good with fraud prevention. You would think being literally omniscient over the whole internet would make it trivial to catch account takeovers, and Gmail has a proven track record at resisting account takeover, but when we tried to integrate their fraud signals, they were worthless, worse than the rest of the industry, worse than our homegrown trash from a decade ago.
Because Google doesn't actually care about preventing fraud, they just want the data you feed them and the fraud feedback you provide. It's all take, no mutual business.