This post refers to Google ReCaptcha v2 (not the latest version)
Recently Google introduced a simplified "captcha" verification system (video) that enables users to pass the "captcha" just by clicking on it.
But how can it differentiate a bot from a person just by a click?
As per this answer, (assuming a similar implementation), at first "recaptcha" generates a hidden key and attaches it to a hidden input element and also lazily renders a check box (not an actual check box input but a div) with the same key which when clicked, sends an asynchronous request (XHR) to the Google backend servers to mark it as a valid verification key (i.e. a key that has to be validated when the form is submitted).
But why can't bots automate that click (at least, browser-based bots)?
How might this work?
