Enabling CAPTCHA
A CAPTCHA is an automated means of determining whether a user trying to log in or sign up to the system is a human or a malicious "bot." Impexium is configured to utilize reCAPTCHA version 3, which determines the user type via mouse movements and does not require an additional challenge (such as re-entering text or selecting images).
To enable CAPTCHA:
1. Log in to https://www.google.com/recaptcha/about/ via the Admin Console.
2. Click the option to Add a new site domain.
3. In the register new site form, create a Label for the new site and select reCAPTCHA version 3.
   Note: Impexium is configured to use version 3 as it is non-intrusive and more friendly to visually-challenged users.
4. Under Domains, enter the domain name for your Impexium site.
5. Accept the terms of service and click Submit.
6. From the next screen, obtain the Site Key and the Secret Key.
7. Locate the reCAPTCHA Google Secret Key and reCAPTCHA Google Site Key fields. Enter the site and secret key obtained in step 6 above and save changes.
8. Under the Configurations App > Settings, locate the Enable CAPTCHA [...] settings and choose whether to enable CAPTCHA for the login page, the signup page, or both.
9. Save changes.
Repeat these steps to set up multiple domains associated with one Google account. Multiple domains can be set up under one "Label".
Setting up multiple domains under a single Label is useful for adding subdomains within Impexium, such as a unique domain dedicated to Fundraising that is separate from your main Impexium domain. All statistics would also be under one Label.
Setting up multiple Sites is useful if you have many different sites that do not need to have their statistics shared. Configuring a new Site allows the statistics and the reCAPTCHA Site Key and Secret Key to be unique for each site, which may be preferable for an AMC (Association Management Company).
About CAPTCHA v3
There are currently 3 different versions of Google reCAPTCHA. Google reCAPTCHA v3 is a passive CAPTCHA for users, as Google uses data collected from your site and the user to determine whether an interaction comes from a bot.
Other CAPTCHAs may challenge the user, where the user is presented with a checkbox stating "I'm not a robot" or is asked to select all the fire hydrants within a photo. Google reCAPTCHA v3 does not challenge users themselves, and relies solely on the data collected to determine whether the interaction is deemed good.
Where Does CAPTCHA Work in Impexium?
Google reCAPTCHA can be configured to activate on the Login Form within Impexium, on the Create an Account Form within Impexium, or on both.
Both are managed within the Configuration Settings in Impexium. To toggle them on or off, navigate to your Impexium site as an administrator, select Configuration > Settings, and search for Enable Captcha On Login Page or Enable Captcha on Sign Up Page.
Once configured in Impexium, a login or create-an-account attempt will trigger CAPTCHA, and the Google reCAPTCHA icon should appear in the bottom right corner.
Reviewing CAPTCHA Statistics
Once sufficient data has been obtained, Google will also provide certain statistics on site traffic data. Using Google reCAPTCHA v3, four charts are available.
- Number of Requests: Shows the number of requests reCAPTCHA received for a specified action type.
- Score Distribution: Shows the distribution of scores for a specified action type. Scores range from 0.0 to 1.0, where 0.0 indicates abusive traffic and 1.0 indicates good traffic.
- Top 10 Actions: The top 10 actions (by overall traffic). To improve adaptive risk analysis and to view a more detailed breakdown of traffic, specify an action name in each place reCAPTCHA verification is executed.
- Top 10 Suspicious Traffic Actions: This chart shows the top 10 actions (in descending order of percentage of suspicious traffic) for your site. To improve the adaptive risk analysis for your site and to view a more detailed breakdown of your traffic, specify an action name in each place that you execute reCAPTCHA verification.
How is Bad Actor / Bot Activity Determined?
reCAPTCHA v3 uses a scoring system to determine whether an interaction is likely good (1.0) or likely a bot (0.0).
Note: The Impexium Configuration setting reCaptcha Google Score allows adjustment of the acceptable score.
reCAPTCHA returns a score for each request without user interaction. The score is based on interactions with Impexium and enables the system to determine whether the user is a human or a bot. A score of 1.0 indicates that the interaction poses low risk and is likely legitimate, whereas 0.0 indicates that the interaction poses high risk and may be fraudulent. Many sites configure the acceptable score to be between 0.3 and 0.5. At this time, the default value in Impexium is set to 0.3, but this can be changed using the reCaptcha Google Score field.
A score is generated based on parameters such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, and any information sent in the HTTP Request.
Google reCAPTCHA analyzes traffic on your site to determine what is abnormal. This is important to keep in mind, as what is deemed abnormal when your site is first being analyzed may be deemed normal after Google has a better collection of data.
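The following added example (not Impexium's code) shows how a server can evaluate the JSON that Google's siteverify endpoint returns for a v3 token, and how the outcome shifts between the 0.3 default and a stricter 0.5. The hostname, action names and sample responses are constructed, and accepting a score equal to the threshold is an assumption.

```python
import json
from typing import NamedTuple

MIN_SCORE = 0.3  # default the page gives for the "reCaptcha Google Score" setting

class Verdict(NamedTuple):
    allowed: bool
    reason: str

def evaluate(resp, expected_action, allowed_hosts, min_score=MIN_SCORE):
    """Decide whether to accept a parsed siteverify response for a v3 token."""
    if resp.get("success") is not True:
        codes = ",".join(resp.get("error-codes", [])) or "unknown"
        return Verdict(False, "token rejected: " + codes)
    # A token issued for another domain or another form must not be accepted here.
    if resp.get("hostname") not in allowed_hosts:
        return Verdict(False, "hostname mismatch")
    if resp.get("action") != expected_action:
        return Verdict(False, "action mismatch")
    score = resp.get("score")
    # v3 responses carry a score; fail closed if it is absent or not a number.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return Verdict(False, "no score")
    # Assumption: a score equal to the threshold is accepted.
    if score < min_score:
        return Verdict(False, "score below threshold")
    return Verdict(True, "ok")

# Constructed sample responses (hostname and action names are placeholders).
SAMPLES = json.loads("""[
 {"success": true, "score": 0.9, "action": "login",  "hostname": "members.example.org"},
 {"success": true, "score": 0.4, "action": "login",  "hostname": "members.example.org"},
 {"success": true, "score": 0.1, "action": "login",  "hostname": "members.example.org"},
 {"success": true, "score": 0.9, "action": "signup", "hostname": "members.example.org"},
 {"success": true, "score": 0.9, "action": "login",  "hostname": "other.example.net"},
 {"success": false, "error-codes": ["timeout-or-duplicate"]}
]""")

def sweep(thresholds=(0.3, 0.5)):
    """Show how the accept/reject outcome shifts with the configured score."""
    hosts = {"members.example.org"}
    return {t: [evaluate(r, "login", hosts, t).allowed for r in SAMPLES]
            for t in thresholds}

if __name__ == "__main__":
    for threshold, results in sweep().items():
        print(threshold, results)
```

Raising the threshold from 0.3 to 0.5 only changes the outcome for the 0.4 sample; the action, hostname and failed-token cases are rejected regardless of score.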
Using reCAPTCHA in Restricted Countries
Google can sometimes be restricted by some CDNs (Content Delivery Networks) in countries with greater restrictions, like China.
In the scenario where https://www.google.com may be blocked, it is recommended to use the URL "www.recaptcha.net" in the Impexium Configuration Setting "Re Captcha Url". This setting is accessible via your Impexium site > Configurations App > Settings > Re Captcha URL setting.
Additional reCAPTCHA Resources
- Google reCAPTCHA Analytics Document - https://developers.google.com/recaptcha/docs/analytics
- Google reCAPTCHA v3 Document - https://developers.google.com/recaptcha/docs/v3
- Google reCAPTCHA to use Globally Document - https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally