cross-posted from: https://lemmy.ml/post/47972724

i encountered this for the first time today while attempting to read something on archive.today.

i confirmed that decoding the qrcode using a computer and following the URL it contains is insufficient; the error it gave directed me here which is what the linked screenshot is of.

the old type of captcha remains available too, for now:

screenshot of text: Important: Mobile verification for Google Cloud Fraud Defense is an experimental challenge type in Preview. Visual and audio challenges are available as alternatives for users who can't complete mobile verification. To use them, click the Visual or Audio buttons.

  • HeHoXa@lemmy.zip
    2·
    1 day ago

    I’d heard of this strategy, like making it perform some kind of costly encryption that’s irrelevant to a human user but restrictively expensive for a bot army.

    But does decoding a QR code apply? I never really thought about it. I guess it’s an image, it’s at least a little big by comparison… but it’s also in a restricted, easy to capture spot and maybe could be minimized to a fairly small pixel set? Idk how many key pixels you need to parse a QR code… I guess I could Google

    *typo bit --> bot and bit --> big… I’m full of bit

    • Axolotl@feddit.it
      2·
      1 day ago

      Since a QR code is just made of squares, it can be very, very tiny

      1 square = 1 pixel

      • HeHoXa@lemmy.zip
        1·
        1 day ago

        Out of curiosity:

        • version 1: 21x21
        • version 10: 57x57
        • version 20: 97x97
        • version 40: 177x177
    • MrKoyun@lemmy.world
      2·
      1 day ago

      I don’t know much about this new captcha system, but I feel like the challenge wouldn’t really be in the scanning of the qr code itself but more so on making the device you’re scanning with seem legitimate. They could check usage patterns, what apps are installed, how many accounts are added and are they actively used, location and sensor data, are the hardware specifications really unusual, are they constantly trying to complete random captchas… Stuff like that to tell apart a real user’s device from a bot or sandbox. The QR Code is probably just a random ID for which captcha instance the user is trying to pass.

      Also I just realised this but this is probably inconvenient as hell. Like I do NOT want to constantly be picking up my phone to scan QR codes when I’m trying to go around the Internet. What if my phone is on the other side of the house? I don’t want to get up and walk all the way over there! If this gets fully rolled out there may actually be a small dip on the amount of desktop users of websites because they just leave when they are hit wth this captcha instead of bothering to scan a code.

      • HeHoXa@lemmy.zip
        1·
        1 day ago

        Heard. We have a QR 2auth system for one of my work domains, and I let out an exasperated sigh every time I realize I have to get my phone out