Only approved phones can pass Google’s new reCAPTCHA, locking out privacy-focused alternatives


Verify you’re human – by owning an approved Android or an iPhone. Google’s new reCAPTCHA system forces users to scan a QR code with a “compatible mobile device” and locks out anyone using a privacy-focused OS and device, warns GrapheneOS, a security-hardened OS alternative.

GrapheneOS warns that people without an iOS or Android device might soon be banned from accessing online services, even when browsing on desktop computers or laptops.

A recent change left arbitrary devices and operating systems, such as deGoogled Android smartphones, unable to complete Google’s reCAPTCHA verification, which prompts users to scan a QR code with a mobile device.

“It’s enormously anti-competitive,” GrapheneOS said in a public statement shared on major social media platforms.

“Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web.”

reCAPTCHA is Google’s security tool used by millions of websites and major services to distinguish human users from bots. Most of the time, it runs completely invisibly in the background, but occasionally, when something looks suspicious, it prompts users to solve a challenge, like identifying fire hydrants or traffic lights.

However, in April, Google announced new QR code-based challenges as an AI-resistant bot mitigation. Only “a compatible mobile device” can complete this verification, and the list only includes Android devices with Google Play Services installed and iOS/iPadOS devices.

GrapheneOS says this is an expansion of hardware-based attestation, which increasingly locks out hardware and OS competition.

“The purpose of these systems is to disallow people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature,” the open-source mobile operating system posted.

“They permit devices with no patches for 10 years, but not a much more secure OS. It’s for enforcing their monopolies via Google Mobile Services licensing, that’s all.”

[Image: QR reCAPTCHA. Image by Google.]

What’s changing?

The new reCAPTCHAs are part of Google’s “Cloud Fraud Defense” platform, announced on April 22nd and designed to verify the legitimacy of bots, humans, and AI agents.

Google says that a “rise in sophisticated automation requires a fundamental shift in risk management.”

Website owners use Google’s system to allow or block bots and AI agents with granular controls, based on conditions such as risk scores, automation types, and agent identity.

The new QR-code-based CAPTCHA system is supposed to bar the AI agents that can solve previous challenges with ease.

“This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable,” Google explained.

The tech giant migrated existing reCAPTCHA customers to Fraud Defense with no action needed or changes to pricing.

[Image: QR check. Image by Google.]

It appears that Google has been quietly rolling out the feature since at least October 2025, when a blog post announced a new QR code approach that provides “stronger, AI-resistant security” and effectively breaks the business model for large-scale attackers.

Involvement of a physical mobile device, even when browsing on the PC or Mac, provides “a high-assurance attestation that a unique human is present.”

“They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc., by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more,” GrapheneOS explained.

Website owners decide what CAPTCHA solutions to use and how strictly to enforce them. But privacy advocates warn that services increasingly requiring Apple App Attest or Google Play Integrity are cementing the duopoly in the mobile market.

“The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them,” GrapheneOS notes.

Massive pushback on social media

The evolution of reCAPTCHA has stirred the Hacker News technical community, where most users appear to broadly agree that the debate isn’t about security but rather a power grab.

“Remote attestation will be how our computing freedom dies,” one of the users posted.

On X, some posts on the issue are raking in millions of views and tens of thousands of reactions.

“Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed,” International Cyber Digest said in a post with 1.2 million views.

“Google now treats privacy as suspicious behavior by default.”

Mega, an online privacy firm, explained that Google first attempted to implement a similar measure, called Web Environment Integrity, in 2023, but later withdrew it following public outcry.

“So this time they launched it as a commercial product instead of a public proposal. The old CAPTCHA methods are still accessible as a fallback for now, but how long Google keeps that option around is anyone’s guess,” Mega posted.

“Anyone without a certified device can't verify.”

Similar threads appear on Reddit and elsewhere.

“Why is a QR code involved in a CAPTCHA? That's a definite no, just like age verification and anti-VPN, this is just another way to surveil,” one Reddit user warned.

Some users fear that the new QR code reCAPTCHAs will create new attack vectors for scammers: fake QR code checks that mimic the verification flow will lead to direct device compromise.

“The dumbasses who designed this didn’t consider security at all. Scammers are going to have an absolute field day,” another Reddit user concluded.
