This guide will review how to set up reCAPTCHA v3 in Aspenware Identity. For general release notes, please see 2.18 Identity Release Notes. For a general overview of reCAPTCHA see Google ReCaptcha v3 documentation.
Overview
The new reCAPTCHA v3 API helps you detect abusive traffic without user interaction. Instead of showing a CAPTCHA challenge (as with older versions), reCAPTCHA v3 returns a score. Resorts can then choose the most appropriate action for their websites according to this score. Because scores are determined by monitoring user interaction on your site, Aspenware recommends implementing reCAPTCHA as soon as possible (and across all available interactions) to begin site monitoring. In addition to disabling such monitoring at any time, reCAPTCHA v3 thresholds can also be adjusted in the reCAPTCHA admin dashboard to be more or less tolerant of risky activities and related actions. See below for instructions on how to enable reCAPTCHA v3 on Aspenware Identity.
Configuration Guide
Prerequisite Steps
In order to use reCAPTCHA v3 you will need to register your site and get your reCAPTCHA public and private keys.
Go to https://www.google.com/recaptcha/admin/create and follow the steps to register your site
Detailed Setup Guide
Go to your Aspenware Identity configuration screen (https://identity-yourresort.com/api/system/info)
NOTE: You must be an assigned administrator in order to access your Identity configuration.
Insert your public (site) and private (secret) keys.
Enable each of the desired locations on which you would like reCAPTCHA v3 to monitor (e.g. “Create Account” or “Password Reset.”
NOTE: Aspenware recommends resorts enable reCAPTCHA v3 to all locations for the maximum benefit.
Set ReCaptcha v3 Score Threshold number to begin monitoring your site.
NOTE: reCAPTCHA learns by seeing real traffic on your site. For this reason, scores in a staging environment or soon after implementing may differ from production. As reCAPTCHA v3 doesn't ever interrupt the user flow, you can first run reCAPTCHA without taking action and then decide on thresholds by looking at your traffic in the admin console. The recommended default threshold setting is 0.5. A threshold of 1 will ensure that NO ACTION is ever taken.
In general, the best score a user can get is a 1 and the worst (almost certainly a bot) is a zero. If a user scores below the threshold, the selection made in your admin dashboard will determine the action taken. For more information on assessment scores thresholds visit Google’s reCAPTCHA documentation.
Common Troubleshooting
Q: Can my threshold vary depending on the user interaction?
A: Unfortunately, Aspenware currently only offers one threshold across all user interactions. Although a threshold of .5 should meet most needs, please let your Aspenware Service Representative know of any issues.
Q: May I use the same Application Key/Secret for my Aspenware Commerce site and my Identity site?
A: Yes, you may use the same key for both sites.
Q: If I use the same Application Key/Secret for my Aspenware Commerce and Identity sites can I set different thresholds at each site?
A: Yes, the threshold is set at the application level, so you may use different thresholds by setting them in the corresponding admin panel.