reCAPTCHA Started Asking for Phone Verification

In early May 2026, reCAPTCHA introduced a strange flow where some users have to scan a QR code with their phone to verify. Because of that policy, Android verification also started requiring a current version of Google Play Services.

For a site owner, this may look like a change that only hurts conversion. It is worse than that.

On a Galaxy phone or another ordinary Android device, the user may be annoyed but can still pass. On GrapheneOS, LineageOS, /e/OS, and other de-Googled devices without Google services, the user may not pass at all and can be treated as a bot.

What changed

reCAPTCHA used to work like this: pass silently if the user looked safe, and show annoying challenges like traffic-light puzzles if the user looked suspicious or was not logged into Google.

In early May, Google added a confusing flow where suspicious users see a QR code on their computer and must complete verification on a phone.

Google did not announce this loudly. Developers noticed when custom ROM users suddenly started getting rejected. Around May 7-8, Android Authority, PiunikaWeb, OSNews, and Reclaim The Net covered it, and a thread on r/degoogle received close to 1,000 upvotes.

Who gets blocked

As mentioned above, the new flow expects either an iPhone on iOS 16 or newer with the reCAPTCHA app installed, or a Google-certified Android phone with a current version of Google Play Services. If Play Services is missing, disabled, too old, or below 25.41.30, Google can treat that user as a bot.

GrapheneOS users are the obvious group. Many people install it specifically to avoid Google services. That choice can now prevent them from clearing reCAPTCHA.

LineageOS, CalyxOS, /e/OS, and other custom ROM users can hit the same problem.

You might think custom ROM users are too small a group to matter, but phones without Google Play Services are not limited to hobbyist ROMs.

For a general shopping site, this may be a small percentage. For VPNs, crypto tools, secure messengers, privacy blogs, and developer tools, it can be much more visible.

The lock-in problem

Google describes this as a necessary fraud-prevention change. It probably does stop some malicious users. It also stops some normal users.

It turns reCAPTCHA into an ecosystem gate. A site using reCAPTCHA now expects visitors to have Google-certified Android infrastructure.

That is a heavy compatibility requirement for a web form.

reCAPTCHA vs PrivateStater Captcha

| Feature | reCAPTCHA | PrivateStater Captcha |
|---|---|---|
| Requires Google Play Services | Yes, 25.41.30+ | No |
| GrapheneOS / de-Googled Android | Can fail | Works |
| iOS and desktop | Yes | Yes |
| Privacy model | "Made by Google" | No cookies, no tracking, no Google |
| Challenge types | Traffic-light selection, mouse tracking, Google login state | Puzzle, proof of work, honeypot |
| Free tier | 10,000/mo | 20,000/mo |

I run a site. What should I do?

Stop using reCAPTCHA. There are plenty of alternatives. I compared them in this guide.

This is not the only reason to stop using it. If you read the article above, you will see why I say that.

How PrivateStater avoids the dependency

PrivateStater Captcha verifies the challenge on my servers. It does not do the ridiculous thing where a user has to authenticate on another device.

  1. Sliding puzzle: the user completes a simple drag challenge.
  2. Proof of work: the browser solves a dynamic Argon2id challenge.
  3. Honeypot: simple bots fail if they fill a hidden field.

It is simple, and it works in any browser with JavaScript: GrapheneOS, iOS, Linux, a six-year-old Android phone, Chrome, Safari, or even a plain WebView. It is free up to 20,000 successful requests per month, and only successful requests count. Failed requests are free.
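To show why the proof-of-work and honeypot layers need nothing from the visitor's device, here is an added sketch of server-side verification; it is not PrivateStater's code. Assumptions: scrypt from the Python standard library stands in for Argon2id, the honeypot field is named `website`, and the challenge is an HMAC-signed salt with a leading-zero-bits target.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # per-deployment secret (constructed for this demo)
DIFFICULTY_BITS = 6           # demo value; a dynamic scheme would raise it per risk
TTL_SECONDS = 120
spent = set()                 # tags of challenges already redeemed (replay guard)

def kdf(salt: bytes, nonce: int) -> bytes:
    # Assumption: scrypt replaces Argon2id; both are memory-hard functions.
    return hashlib.scrypt(str(nonce).encode(), salt=salt, n=2**10, r=8, p=1, dklen=32)

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(now=None) -> dict:
    salt = os.urandom(16).hex()
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    msg = f"{salt}.{expires}.{DIFFICULTY_BITS}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"salt": salt, "expires": expires, "bits": DIFFICULTY_BITS, "tag": tag}

def solve(ch: dict) -> int:
    # The browser's side: search for a nonce whose hash meets the target.
    nonce = 0
    while leading_zero_bits(kdf(bytes.fromhex(ch["salt"]), nonce)) < ch["bits"]:
        nonce += 1
    return nonce

def verify(ch: dict, nonce: int, form: dict, now=None) -> str:
    if form.get("website", ""):   # hidden honeypot field must stay empty
        return "honeypot"
    msg = f"{ch['salt']}.{ch['expires']}.{ch['bits']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(ch.get("tag", ""))):
        return "bad-signature"    # salt, expiry or difficulty was altered
    if (now if now is not None else time.time()) > ch["expires"]:
        return "expired"
    if ch["tag"] in spent:
        return "replayed"         # one solved challenge buys one submission
    if leading_zero_bits(kdf(bytes.fromhex(ch["salt"]), nonce)) < ch["bits"]:
        return "bad-work"
    spent.add(ch["tag"])
    return "ok"
```

The server spends one hash per submission while the client spends many, and the signature, expiry and replay checks stop a client from lowering the difficulty or reusing a solved challenge.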

For a broader comparison, see the reCAPTCHA alternatives guide.