Use Fraud Defense features after migration

This page explains how to use Fraud Defense features, such as Multi-factor authentication (MFA) and Password defense, by migrating your existing reCAPTCHA integration from the legacy SiteVerify method to the CreateAssessment method. Migrating to the CreateAssessment method involves instrumenting the web pages and migrating the backend calls.

Explore Fraud Defense features

After you migrate to using the CreateAssessment method, you can use additional Fraud Defense features, such as the following:

• Account defense: Helps you protect user accounts from compromise and fraudulent activities, such as account takeover (ATO) attempts.
• Transaction defense: Helps you protect payment transactions from online fraud, such as carding attacks and use of stolen payment instruments.
• Password defense: Lets you check if a username and password combination that is provided by a user has appeared in a known data breach or password leak database.
• Multi-factor authentication (MFA): Helps you verify your users' identities by sending a verification code by email.

Instrument the web pages

To instrument the web pages with the correct reCAPTCHA scripts and calls, do the following:

1. Verify that you have the following script included in your web pages: https://www.google.com/recaptcha/api.js .

2. In your web pages, replace https://www.google.com/recaptcha/api.js with https://www.google.com/recaptcha/enterprise.js .

3. If you programmatically invoke the API, then replace the following calls:

   • grecaptcha.execute() -> grecaptcha.enterprise.execute()
   • grecaptcha.getResponse() -> grecaptcha.enterprise.getResponse()
   • grecaptcha.ready() -> grecaptcha.enterprise.ready()
   • grecaptcha.render() -> grecaptcha.enterprise.render()
   • grecaptcha.reset() -> grecaptcha.enterprise.reset()

Migrate the backend calls

To use Fraud Defense features, you must migrate your backend calls to the new endpoints and set up authentication:

1. Replace backend calls to https://www.google.com/recaptcha/api/siteverify with equivalent calls to recaptchaenterprise.googleapis.com . For the complete URL and the POST data format, see Create an assessment for your website .

2. Set up authentication to reCAPTCHA.

   The authentication method you choose depends on the environment where reCAPTCHA is set up. The following table helps you choose the appropriate authentication method and the supported interface to set up authentication:

   Environment

   Interface

   Authentication method

   Google Cloud

   • REST
   • Client libraries

   Use attached service accounts .

   On-premises or a different cloud provider

   REST

   Use API keys or Workload Identity Federation .

   If you want to use API keys, then we recommend securing the API keys by applying API key restrictions .

   Client libraries

   Use the following:

   • For Python or Java, use API keys or Workload Identity Federation .

     If you want to use API keys, then we recommend securing the API keys by applying API key restrictions .

   • For other languages, use Workload Identity Federation .

What's next

• Create an assessment for your website
• Monitor reCAPTCHA keys
• Detect password leaks and breached credentials
• Detect and prevent account-related fraudulent activities on websites
• Protect payment transactions with Transaction defense
• Configure multi-factor authentication