feature request: Support reCAPTCHA Checkbox challenge #7716

@alfonsograziano

What problem did you meet?

Currently, Logto only supports the invisible reCAPTCHA Enterprise flow that generates a score. While this is useful, it does not provide an interactive challenge for suspicious or borderline traffic.

In some scenarios (e.g., preventing automated sign-ups, high-risk requests, stricter compliance requirements), we would like to force a Checkbox challenge to ensure that suspicious traffic is blocked rather than just scored.

Describe what you'd like Logto to have

I would like Logto to add support for Google reCAPTCHA Checkbox challenge (not only the invisible scoring flow). Ideally, this would allow administrators to:

  • Configure whether to use invisible reCAPTCHA or the Checkbox challenge.
  • Define thresholds/rules for when the Checkbox challenge is required (e.g., after failed attempts, certain endpoints, or risk signals).
  • Ensure the Checkbox challenge works seamlessly with existing Logto sign-in and OTP endpoints.

Initially, to keep it simple, there might just be the possibility to choose between the Checkbox challenge and invisible reCAPTCHA.

This feature would give us more flexibility in balancing security, usability, and compliance for different environments and use cases.
