This feature is available starting from DSpace 7.4

This feature, when enabled, offers a powerful additional layer of protection against possible unwanted behaviors like massive registrations performed by bots using random or stolen email addresses. Feature can be enabled or disabled by decision of DSpace instance administrator, and is based on Google reCAPTCHA

ReCAPTCHA supported versions are v2 with both invisible (https://developers.google.com/recaptcha/docs/invisible) and checkbox (https://developers.google.com/recaptcha/docs/display) verification modes, and v3 (https://developers.google.com/recaptcha/docs/v3)

Prerequisites

Before enabling the feature, a valid site and secret pair should be obtained from Google reCAPTCHA system, by registering the DSpace application on which verification will be set on reCAPTCHA admin panel (https://www.google.com/recaptcha/admin

How to enable the feature

Once site and secret are available, following property, set in configuration files (dspace.cfg or local.cfg) enables the CAPTCHA verification 

registration.verification.enabled = true 


Whereas, in case v2 of Google reCAPTCHA is to be enabled, these properties, in configuration files, must be set

google.recaptcha.version = v2 
google.recaptcha.mode = <invisible or checkbox depending on which mode is wanted>
google.recaptcha.key.site = <your site here> 
google.recaptcha.key.secret = <your secret here> 


In case v3 of Google reCAPTCHA is to be enabled, properties to be set are:

google.recaptcha.version = v3
google.recaptcha.key.site = <your site here> 
google.recaptcha.key.secret = <your secret here>  
google.recaptcha.site-verify = https://www.google.com/recaptcha/api/siteverify
google.recaptcha.key.threshold = <score threshold>
google.recaptcha.mode = invisible

google.recaptcha.key.threshold  property is related to reCAPTCHA verification logic. v3 assigns to each request made against verification APIs, in this case by DSpace  system during registration process. reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). By default a good threshold could be 0.5. For further information, see  https://developers.google.com/recaptcha/docs/v3#interpreting_the_score


Once feature is enabled, the user registration will actually be performed if and only if the CAPTCHA token, passed in registration payload, is verified during registration process itself and is considered valid. Each registration request, even if made using DSpace REST APIs must have a captcha token in its header.

A new type of cookie has been added to DSpace cookie set, "Registration and Password Recovery". This cookie is proposed only when CAPTCHA verification is enabled.


This cookie option must be enabled by users before registering, otherwise they won't be able to perform a registration