> No mention of device integrity verification yet

If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.

E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245

(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)

In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.

This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.

[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974

And you must be signed in.

I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.

I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.

This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.

Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.

I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.

I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.

"As part of our mission to enable a safe agentic web" drew an immediate swear from me.

What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.

I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.

Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.

I believe you'll also need bluetooth enabled on both devices. At least you do for those "scan this QR code displayed on your computer to authenticate using the passkey on your phone" feature, which this seems analogous to. Bluetooth is used to ensure that the two devices are actually physically co-located.

... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.

I know, people will slavishly knuckle under, but let me dream for a few minutes.

> but the writing is on the wall.

Only if politicians are still corrupt and law enforcement doesn't work.

Which means the writing is on the wall.

No surprises here, though of course disappointment when it comes to fruition.

Do you have an alternate solution? When we hear so many stories from HN'ers of their websites being hammered by out-of-control crawling and fetching and new levels of AI slop spam?

This is something site owners choose to implement or not. They're the ones paying the extra hosting fees to handle potentially unwanted traffic, and dealing with spam that traditional CAPTCHA's are no longer effective against. Google's not forcing this on anyone else.

[dead]

I've been saying for years that it does not make sense to browse the web on a smartphone. Eventually things will get bad enough that people will agree with me.