FACEPALM: Thanks to machine learning and bot-based automation, CAPTCHAs now provide very little protection against complex spam operations. But they are still playing a major role in the opsec of many websites, and Google is still trying to improve the technology with some questionable privacy choices.

Google is working on a new kind of challenge to improve its reCAPTCHA system, using biometric identification to confirm that the user is indeed human. The new method is officially named "hand gesture verification" (HGV), and, according to early testing, is mostly useless. Even worse, HGV might pose a significant risk to a user's privacy, especially if you don't trust Big Tech with managing your biometric data.

Google explains that HGV requires access to the device's webcam so that it can record "one or more" video clips of a user's hand. The user needs to wave to the camera, or perform other gestures, to let Google process the video and properly extract the most relevant biometric data points. The hand-wave gesture should allow the reCAPTCHA system to confirm that the user is not a bot.

Biometric identification should enhance reCAPTCHA safety, but HGV doesn't seem to work as intended. Some users have already tested the feature, confirming that the enhanced protection can be bypassed with just a few stock images and the "virtual camera" functionality provided by OBS Studio. A potential attacker would just need to "mimic" the hand gesture with a stock photo, while OBS' virtual camera can eliminate the need for a physical webcam on the system.