
reCAPTCHA does things like track your mouse movement and a bunch of other hocus pocus.


I really think that the importance of all that extra stuff is massively overstated. I do a large amount of browsing while in incognito mode without being signed in to a Google account and I have NEVER been able to pass one of the new reCAPTCHAs with just a click. I have to complete a challenge every time.

Conversely, while signed into my Gmail account I get passed through immediately, regardless of whether I click the box or tab into it and hit space.


Yes, and it's still ridiculously easy to automate.


To be fair, the "I'm not a robot"-one-click-thing wasn't done to make automation harder or impossible, but rather to make things more convenient for users. It will fall back to a regular visual captcha if you're doing anything suspicious like requesting captchas at the rate necessary to do comment spam or vulnerability scanning efficiently, so that's probably not going to reduce anyone's captcha typer farm bill too much.


> and a bunch of other hocus pocus

Sounds like security by obscurity.

By the way, some people use a track pad (with a stylus), where the mouse can jump discontinuously.


They aren't taking any one thing at face value, but are combining them to get a better picture.

You might use a trackpad, so you'd "fail" that test, but your useragent is normal, you've been seen before with those cookies, and your IP is good so you are fine.

But if your IP is a known "bad actor", your useragent is something never before seen, your mouse movements are abnormal, and your keyboard inputs are instant, well, all of that combined means you are getting blocked.


> But if your IP is a known "bad actor", your useragent is something never before seen,

What if I install a new computer on an IP address freshly provided to me by my ISP? Or what if I just open a new incognito window? Will I get blocked?

> your mouse movements are abnormal, and your keyboard inputs are instant

It seems to me these are really easy to fake programmatically.


> What if I install a new computer on an IP address freshly provided to me by my ISP? Or what if I just open a new incognito window? Will I get blocked?

If there are enough "red flags" you'll probably get a captcha; if there are an overwhelming number of "red flags" you might just get blocked.

Again, just opening an incognito window or a new computer/IP isn't going to do it alone.

> It seems to me these are really easy to fake programmatically.

I'm sure they are, but they make the bar for "automated traffic" a little higher, and weed out some of the lower hanging fruit.
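
The combination of weak signals described in the comments above (no single test decides, "enough red flags" gives a captcha, an "overwhelming number" gives a block), as an added example that is not part of the thread and is not reCAPTCHA's actual logic. The signal names come from the comments; the likelihoods, prior and thresholds are constructed assumptions, and the naive-Bayes combination is one possible way to do it.

```python
import math

# Constructed likelihoods, not measured: (P(signal | bot), P(signal | human)).
SIGNALS = {
    "ip_known_bad": (0.60, 0.02),
    "ua_never_seen": (0.50, 0.05),
    "no_prior_cookies": (0.90, 0.30),
    "pointer_abnormal": (0.70, 0.15),  # trackpad and stylus users land here too
    "keystrokes_instant": (0.80, 0.01),
}
PRIOR_BOT = 0.10      # assumed share of automated traffic
CHALLENGE_AT = 0.50   # assumed threshold: show a visual captcha
BLOCK_AT = 0.999      # assumed threshold: refuse outright


def bot_probability(observed):
    """Naive-Bayes combination of True/False/None signals into P(bot)."""
    log_odds = math.log(PRIOR_BOT / (1 - PRIOR_BOT))
    for name, value in observed.items():
        p_bot, p_human = SIGNALS[name]  # unknown signal names raise KeyError
        if value is None:               # not measured: contributes nothing
            continue
        if value:
            log_odds += math.log(p_bot / p_human)
        else:
            log_odds += math.log((1 - p_bot) / (1 - p_human))
    return 1 / (1 + math.exp(-log_odds))


def decide(observed):
    """Map the combined probability to pass / challenge / block."""
    p = bot_probability(observed)
    if p >= BLOCK_AT:
        return "block"
    return "challenge" if p >= CHALLENGE_AT else "pass"


# Constructed visitors mirroring the cases raised in the thread.
ALL_CLEAR = dict.fromkeys(SIGNALS, False)
VISITORS = {
    "trackpad_regular": {**ALL_CLEAR, "pointer_abnormal": True},
    "fresh_incognito": {**ALL_CLEAR, "no_prior_cookies": True},
    "several_flags": {"ip_known_bad": False, "ua_never_seen": True, "no_prior_cookies": True,
                      "pointer_abnormal": True, "keystrokes_instant": None},
    "every_flag": dict.fromkeys(SIGNALS, True),
}
RESULTS = {label: decide(obs) for label, obs in VISITORS.items()}
```

With these assumed numbers, a single abnormal signal is outweighed by the normal ones, a few together cross the challenge threshold, and only the full set reaches the block threshold.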



