Security & Riskgooglerecaptchasecurityai security

Google Tests reCAPTCHA That Requires Showing Hand

||By LDS Team
6.0
Relevance Score
Google Tests reCAPTCHA That Requires Showing Hand
Photo: androidauthority.com · rights & takedowns

Google is testing a new reCAPTCHA challenge that asks users to show their hand to a webcam so it can extract 21 hand-knuckle coordinates and verify they are human, according to Google's own Cloud documentation and Android Authority reporting published July 2, 2026. Google says the video is never linked to a user's identity and is deleted after each check, with a fallback to the classic visual/audio puzzle for users who can't complete the gesture. But according to Tom's Hardware, testers already defeated the system by feeding it a stock photo of a waving hand through a virtual webcam, meaning the "liveness" check did not reliably distinguish a live video feed from a static image. For practitioners, it's a fresh, concrete example of how easily naive gesture-based liveness detection can be spoofed.

The headline here isn't that Google added a hand-wave to reCAPTCHA, it's that the liveness check meant to make that hand-wave meaningful reportedly failed against one of the oldest spoofing tricks around: a still photo. That's a useful data point for anyone building or evaluating biometric or gesture-based bot detection.

What happened

Google is testing a new reCAPTCHA challenge type, hand gesture verification, as part of its Cloud Fraud Defense product. Per Google's own documentation, when the check triggers, reCAPTCHA requests webcam access and prompts the user to perform gestures such as a wave; a machine learning model then extracts hand landmark data, mapping 21 hand-knuckle coordinates (the same landmark scheme used by Google's MediaPipe hand-tracking model), to help decide whether the user is a real person. Android Authority first reported the test on July 2, 2026. Users who cannot or do not complete the gesture challenge fall back to the standard visual and audio puzzles, and Google says the feature is meant to work alongside, not replace, those existing options.

Technical context

Google's documentation states that captured videos are never associated with a user's identity, that audio is never recorded, and that videos or images are automatically deleted once the challenge completes; it also notes that whatever data is collected is otherwise "used and stored in accordance with the Google Privacy Policy," language Android Authority flagged as leaving some ambiguity about retention. Separately, Tom's Hardware reported that testers were able to defeat the check by playing a stock photo of a waving hand through an OBS Virtual Camera, tricking the system into treating a static image as a live gesture.

For practitioners

This is a textbook liveness-detection failure mode: gesture or landmark extraction alone doesn't prove a live camera feed, and systems that skip depth, motion-continuity, or challenge-response checks are vulnerable to simple replay attacks. Teams building or buying bot-detection, KYC, or biometric-verification tooling should treat "we track hand landmarks" as necessary but not sufficient, and should specifically test replay and static-image spoofing before trusting a gesture check as a security boundary.

What to watch

Whether Google tightens the anti-spoofing logic, for example by requiring depth signals or randomized multi-step gestures, before any wider rollout, and whether the feature moves from a live test into reCAPTCHA's default challenge set. As of this writing, Google has not said how broadly or in which regions the test is running.

Key Points

  • 1Google is testing a reCAPTCHA challenge that uses a webcam to map 21 hand-knuckle coordinates and verify a user is human.
  • 2Testers reportedly defeated the check by showing it a stock photo of a waving hand through a virtual webcam.
  • 3The bypass shows gesture or landmark tracking alone doesn't prove liveness, a key lesson for anyone building biometric verification.

Scoring Rationale

Verified via Google's own documentation plus independent reporting confirming a real liveness-detection bypass (a stock photo defeated the hand-gesture check). Notable practitioner-relevant security lesson on a widely used anti-bot product, though the feature is still an experimental test, not a general rollout.

Sources

Public references used for this report.

3 sources

Practice with real Ad Tech data

90 SQL & Python problems · 15 industry datasets

250 free problems · No credit card

See all Ad Tech problems