23 Jun 2026 in Business use cases

Google’s New Hand-Gesture CAPTCHA: The Rising Cost of Human Proof

Andrey Terekhin

Head of Product

Evgeny Kvilinkov

Compliance Product Manager

Long treated as the web’s cheapest proof of personhood, CAPTCHA may be moving away from puzzle sliders toward more advanced biometric-style checks. Google Cloud Fraud Defense’s new hand-gesture reCAPTCHA will now ask for camera permission, analyze a user’s hand video, and extract 21 hand-knuckle coordinates to filter out bots and AI agents.

While Google says it is developing additional alternatives, and the hand videos get instantly deleted, the method still raises questions about privacy, consent, and accessibility.

In this short commentary, we asked our experts what this says about the next stage of anti-bot checks, and what other methods can be used to deal with broader AI-agent abuse.

“I don’t think the question here is whether hand gestures are the next big identity signal, as they most probably are not. The more interesting thing to me is how basic anti-bot protection may be getting much more sophisticated, and what that implies for the industry as a whole.”

Andrey Terekhin, Head of Product, Regula

Why reCAPTCHA is becoming biometric-like

reCAPTCHA has always relied on an ability gap between people and machines. But over the past few years, that gap has been closing, as AI agents can now complete multi-step online tasks in a very human manner.

Moreover, more and more people now see AI agents as real identity threats. According to our latest study, 26% of organizations acknowledged AI-based agentic software as a danger to their identity flows. On its own, this figure may not look dramatic, but it is not far behind AI’s “final boss”, deepfakes, which were cited by 35% of respondents.

Ultimately, Google itself has stated that its Cloud Fraud Defense was built for the “agentic web”, where autonomous AI agents can reason, plan, and complete complex transactions online. In this context, the new reCAPTCHA could be a sign that anti-bot protection is being pulled into the same AI-agent arms race that identity teams are already worried about.

“It’s a rather natural reaction from the industry, because AI agents can now fill in forms, retry, click, compare, and complete multi-step online work so well. The devil will be in the details, as it’s all about the execution.”

Evgeny Kvilinkov, Compliance Product Manager, Regula

Why a hand gesture is a clever, but imperfect solution

A hand gesture is an interesting choice and a reasonable compromise: it is less identity-rich than a face scan, but harder for simple automation to fake than a checkbox or image grid. Still, it is not ideal.

“Utilizing a camera this way is not frictionless for users. Poor lighting alone can block legitimate users, and, of course, there must be alternatives for people with hand disabilities as soon as the feature gets released, not after.”

Andrey Terekhin, Head of Product, Regula

As for privacy, Google’s retention promises do reduce the risk: the company says hand videos are deleted after verification, are not tied to identity, are not used for training, and are recorded without audio. At the same time, there is a broader lesson for the market: once anti-bot checks start using body-derived signals, every implementer needs a visible rulebook.

Ideally, that rulebook should include:

  • a plain-language purpose for camera use;

  • default deletion of videos, with short, documented exceptions only for security review;

  • no training or secondary use unless the user gives separate consent;

  • accessible alternatives offered before users get stuck in failure loops;

  • resistance testing for virtual cameras, replay, emulators, and injection;

  • logs that prove permission handling, deletion, and sample origin.

Why hand gestures are not enough for full identity verification

If a fraudster can trick the camera with a synthetic hand, replayed video, or generated media routed through a virtual device, the interface may look convincing while the evidence is weak. That is why this new method should not be treated as a serious ID verification option: liveness detection alone is not a full defense.

Face liveness, for example, has been fighting this problem for years through defenses against masks, screen replays, deepfakes, emulators, and signal injection. It has also become common because the face provides more evidence than a hand: skin texture, motion, expression, hairline, and consistency between frames.

“Even strong liveness detection always leaves a second task: matching the live user to a trusted reference. If your aim is full ID verification rather than an anti-bot check, several defenses should work together, such as device footprint, session timing, camera-source checks, document evidence, and others.”

Andrey Terekhin, Head of Product, Regula

This is where a line needs to be drawn: anti-bot checks, liveness checks, and full identity verification solve different problems. A palm or hand movement is a reasonable way to challenge automation, but it does not prove identity. By contrast, the face is more useful when the business process must recognize a specific person rather than only confirm a live participant.

Enabling privacy-conscious ID verification

“In closing, I’d like to point out that proportionality is key here. A hand gesture-based check is an interesting situational solution for reCAPTCHA, but it has clear limitations and privacy concerns. If a system accidentally captures and then even stores your face during an anti-bot check, this is overkill.

“Some people may argue that this is overkill even for full-scale ID verification — and that is exactly why biometrics should be used very selectively and in line with existing regulations.”

Evgeny Kvilinkov, Compliance Product Manager, Regula

When full IDV is required, the goal should not be to collect more data by default, but to collect the right evidence for the specific risk. 

For example, solutions like Regula IDV Platform are built around this principle, bringing together the elements that matter most when identity has to be proven. As a full-cycle identity orchestration platform, it enables:

  • Fraud and presentation attack resistance: verification can be strengthened against presentation attacks, camera injection, replay attempts, emulators, synthetic media, and other bypass techniques.

  • Biometric verification: the live user can be compared with a trusted portrait from an identity document or another approved reference.

  • Liveness detection: the system helps confirm that the biometric sample comes from a real, live person, not a static image, replay, mask, or generated substitute.

  • Document verification: identity documents are checked for authenticity and consistency, so the decision is based on trusted evidence.

  • Configurable verification process: businesses can choose which checks to include, from document verification and biometrics to manual review.

  • Privacy-conscious deployment and access control: on-premises and private-cloud deployment options, along with role-based and attribute-based access control, help customers keep sensitive data protected.

  • Audit-ready evidence: system logging helps teams trace who accessed data, why information was requested, and how the verification decision was reached.
