That is peak security:
- Require timebased OTP for login
- Also require recaptcha for login
- Select the frickin bus, palm tree and cross walk 93 times
- Finally manage to please the algorithm
- The 30 second validity window of TOTP expired

*GAAH!*

I selected at least 20 cars and pedestrian walks before making me too frustrated to continue

30 second OTPs are completely stupid, Use invisible captcha and only use Visible Captcha when suspicious.

@theabbie I always trigger those because I have 3rd party cookies disabled

There are some bots and APIs which can clear recaptcha

@Eklavya You can simulate human behaviour to avoid RECAPTCHA, it's not foolproof, but once it's triggered, bots can't solve it, those APIs might be using click farms which employ real people.

@theabbie That depends, if the reCAPTCHA system is only triggered when an anomaly in the user's behaviour then yes, you could get bots to fly under that radar.
But if it's always enabled, then there's a very slim chance of bots getting through it.

@Berkmann18 There is a setting to set sensitivity of RECAPTCHA, if it's set to high, it will trigger it 90% of times, but, if bot is highly precise and is used on an IP with good history, then, it can avoid it, clicking "I am not a robot" is not a big deal.

Mission failed, you're clearly a robot

Ironically, a machine would have a better chance solving it in time than a human

Re-captcha list - buses, cars, traffic lights, pedestrian walk-way. I think I always get just these.

Don’t forget to enter both time-restricted codes sent to you via SMS and email. You have 30 seconds before they expire!

Seriously, BinanceUS does this shit. Two short-expiry codes sent like above plus an OTP via e.g. Authy. If I have everything already open and waiting, it is still freaking difficult to do it all fast enough 😠. The last time I logged in, it took me three tries because the email took a little too long to arrive.

@theabbie Bots can solve recaptchas.

@Root If bots can click boxes with crosswalks and Fire Hydrants, we are already doomed,

Regardless, these bots will be sophisticated, and if someone is providing this as a service, it won't be free, so, RECAPTCHA can keep your website safe from Script kiddies, atleast.

the worst thing is when you fill in a page long form, then you fail the stupid recaptcha and the form resets. There’s a special place in hell for people who designed those sites.

Using Firefox + ublock origin or pi-hole = hard mode
-> click 132 busses and wait 5 seconds to load a new picture, eventually succeed (maybe)

Using Tor = impossible
-> click 132 pedestrian walks and wait 5 seconds to load a new picture, eventually be told verification failed (please try again if you haven't gone insane)

@theabbie Regarding the 30 second OTP. I mean those generated by Google Authenticator / Authy / Keepass. Not those sent via Mail / SMS / homing pidgeon. That would be madness indeed, but 30 seconds for app-generated TOTP is recommended by RFC 6238, isn't it?

@DBX12 Oh, still, there is no need for visible CAPTCHA there, if user has already logged in via CAPTCHA, that's over-engineered

@theabbie I'm totally agreeing here. I think if I have a valid TOTP, then captcha is not needed because having the valid TOTP is the best proof I'm not a click bot but the real user. Apparently that is not an option for recaptcha or services using it