AppCheck: low ReCaptchaV3 score on some (valid) devices. How to fix? #7779

@MarcVanDaele90

Operating System

Chromebooks

Browser Version

see below

Firebase SDK Version

Firebase SDK Product:

AppCheck

Describe your project's tooling

Flutter/dart, firebase_core: ^2.4.1 (not sure how this maps to JS SDK versions)

Describe the problem

Some users run into an AppCheck error, apparently because they get a low Captcha score. They have an up-to-date browser and their IP is not blacklisted, so I have no clue how I can help them.

Steps and code to reproduce issue

I have successfully integrated appCheck on Firestore and, according to https://www.google.com/recaptcha/admin, there are about 5% suspicious requests.

My app is used in schools (by pupils) and some schools report, at startup, an error stating "Requests throttled due to 403 error. Attempts allowed again after 01d:00m:00s". This happens on almost all of their devices.

To analyze this, I make a call to recaptchaV3 myself when this happens and, as expected, I get a low score:
{"success":true,"challenge_ts":"2023-11-13T14:05:40Z","hostname":"<myhost>","score":0.1,"action":"submit"}

The problems seem to be school-specific, so I would like to understand what they can do to get a higher captcha score.

Is it possible that they get a low captcha score because, e.g., 30 pupils start our app at almost the same time?

One other option that I checked was an outdated browser version, but that doesn't seem to be the case according to this:

{browserName: BrowserName.chrome, appCodeName: Mozilla, appName: Netscape, appVersion: 5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36, deviceMemory: 4, language: nl-NL, languages: [nl-NL, nl, en-US, en], platform: Linux x86_64, product: Gecko, productSub: 20030107, userAgent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36, vendor: Google Inc., vendorSub: , hardwareConcurrency: 2, maxTouchPoints: 0}

Is it possible to contact the recaptcha team and to analyse this in more detail?
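
An added example, not part of the original report or of the Firebase SDK: one way to test whether low scores are school-specific is to collect the siteverify responses per school and compare the groups, and to read the backoff out of the throttle message. The `group` label, the 0.5 threshold, the 80% cut-off and all sample data are constructed assumptions.

```javascript
// Added diagnostic sketch; not Firebase SDK code.
// Constructed samples: siteverify responses in the shape quoted above, each
// tagged with a hypothetical `group` label (school or network).
const SAMPLES = [
  { group: "school-a", response: { success: true, score: 0.1, action: "submit" } },
  { group: "school-a", response: { success: true, score: 0.1, action: "submit" } },
  { group: "school-a", response: { success: true, score: 0.3, action: "submit" } },
  { group: "school-b", response: { success: true, score: 0.9, action: "submit" } },
  { group: "school-b", response: { success: true, score: 0.7, action: "submit" } },
  { group: "school-b", response: { success: true, score: 0.9, action: "submit" } },
  { group: "school-b", response: { success: false, "error-codes": ["timeout-or-duplicate"] } },
];
const THRESHOLD = 0.5; // assumed cut-off for this analysis only

// Seconds of backoff in a throttle message like the one quoted in the report.
// The optional "NNh:" field is an assumption; the page only shows d, m and s.
function parseThrottleSeconds(message) {
  const m = /after (?:(\d+)d:)?(?:(\d+)h:)?(\d+)m:(\d+)s/.exec(message);
  if (!m) return null;
  const [d, h, min, s] = m.slice(1).map((v) => Number(v || 0));
  return ((d * 24 + h) * 60 + min) * 60 + s;
}

// Per-group score summary; `clustered` marks groups where at least 80% of
// scored responses fall below the threshold.
function summarizeByGroup(samples, threshold = THRESHOLD) {
  const groups = new Map();
  for (const { group, response } of samples) {
    const g = groups.get(group) || { scores: [], invalid: 0 };
    // A failed verification carries no usable score; count it separately.
    if (response.success && typeof response.score === "number") g.scores.push(response.score);
    else g.invalid += 1;
    groups.set(group, g);
  }
  const out = {};
  for (const [name, { scores, invalid }] of groups) {
    const sorted = [...scores].sort((a, b) => a - b);
    const mid = Math.floor(sorted.length / 2);
    const median = sorted.length === 0 ? null
      : sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
    const low = sorted.filter((s) => s < threshold).length;
    const clustered = sorted.length > 0 && low / sorted.length >= 0.8;
    out[name] = { scored: sorted.length, invalid, low, median, clustered };
  }
  return out;
}

console.log(summarizeByGroup(SAMPLES));
```

A group flagged `clustered` while others on the same app version score normally points at something shared by that site (network egress, device management policy) rather than at individual devices.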
