# Detect and prevent account takeovers

Last updated (UTC): 2025-08-17.

This page describes how to detect and prevent account takeovers (ATOs)
using reCAPTCHA.

ATO attacks typically occur when an attacker sends login requests
to API endpoints using credentials obtained from a data breach, also
known as a
[password dump](https://security.googleblog.com/2014/09/cleaning-up-after-password-dumps.html).
This type of attack can be successful, even if the password dump is from an
unrelated site, because humans tend to reuse passwords across multiple accounts.
This type of attack does not affect users who practice proper password
hygiene, such as using a password manager.

Before you begin
----------------

[Prepare your environment for reCAPTCHA](/recaptcha/docs/prepare-environment).

Detect and prevent ATOs
-----------------------

With reCAPTCHA, you can detect and prevent ATOs by using one of the
following options:

- [reCAPTCHA account defender](/recaptcha/docs/account-defender)

- ["I'm not a robot" checkbox](#checkbox)

- [Scores and custom challenges](#score-custom)

### Use the I'm not a robot checkbox

Adding the **I'm not a robot** checkbox to your site is the fastest
and easiest way to provide some protection against ATOs without having to
integrate additional features, such as SMS or email verification.
There is a cost for an attacker to break this protection and this option might
be sufficient for some sites.

**Note:** Checkbox challenges are not supported on mobile applications.

[Add the "I'm not a robot" checkbox](/recaptcha/docs/instrument-web-pages-with-checkbox)
on your web pages.

The following code is a live example of a login page protected by the checkbox:

```html
<html>
  <head>
    <title>Account Login - Checkbox</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
      function onSuccess(token) {
        // The token is included in the POST data in the g-recaptcha-response
        // parameter. The backend must create an Assessment with the token
        // and verify the token is valid.
        console.log(token);
      }
    </script>
  </head>
  <body>
    <form id="loginForm" action="?" method="POST">
      Username: <input type="text" name="username"/><br/>
      Password: <input type="password" name="password"/><br/>
      <div class="g-recaptcha" data-sitekey="6LeAkOgUAAAAACcy3uY6N9H9SJMS27n3Zx2OOnYK"
           data-action="account_login" data-callback="onSuccess"></div>
    </form>
  </body>
</html>
```

### Use scores and custom challenges

To protect against ATOs, use the reCAPTCHA score-based
keys and use multi-factor authentication (MFA) challenges, such as email
and SMS challenges in which one-time codes (OTPs) are sent to the user.

To use score-based keys and custom challenges, consider the following options:

- Install score-based keys to detect automation in large-scale ATOs.

  To install score-based keys on web pages, see
  [Install score-based keys on web pages](/recaptcha/docs/instrument-web-pages).

  To install score-based keys on mobile applications, see [Integrate reCAPTCHA with Android apps](/recaptcha/docs/instrument-android-apps)
  or [Integrate reCAPTCHA with iOS apps](/recaptcha/docs/instrument-ios-apps).
- Use MFA to verify account ownership on login or for sensitive actions.

  For more information, see [Configure Multi-Factor authentication](/recaptcha/docs/integrate-account-verification).

Depending on your use case, you can use MFA on its own or with
score-based keys. For example, you might prefer to use MFA challenges only for
scores below a certain threshold to reduce friction.

The following example shows how to integrate score-based keys in the login
scenario.

```html
<html>
  <head>
    <title>Account Login - Score</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
      function submitForm() {
        grecaptcha.enterprise.ready(function() {
          grecaptcha.enterprise.execute(
            'reCAPTCHA_site_key', {action: 'account_login'}).then(function(token) {
              // Copy the token into the hidden field, then submit the form.
              document.getElementById("token").value = token;
              document.getElementById("loginForm").submit();
          });
        });
      }
    </script>
  </head>
  <body>
    <form id="loginForm" action="?" method="POST">
      Username: <input type="text" name="username"/><br/>
      Password: <input type="password" name="password"/><br/>
      <input type="hidden" id="token" name="recaptcha_token"/>
      <button type="button" onclick="submitForm()">Login</button>
    </form>
  </body>
</html>
```

What's next
-----------

- To learn about other account protection features, see [User accounts protection features](/recaptcha/docs/protect-accounts-overview).
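Both login forms on this page leave the server side to the backend: it must create an Assessment from the token, confirm the token is valid, and can reserve MFA for low scores. The following is an added example, not code from the original page or from Google, of that decision step over an already-fetched assessment object. The `tokenProperties` and `riskAnalysis` field names follow the Assessment JSON; the function name, the `0.5` threshold and the decision labels are assumptions.

```javascript
// Added example: server-side handling of a reCAPTCHA assessment for a login.
// Field names follow the Assessment JSON (tokenProperties, riskAnalysis);
// MFA_THRESHOLD and the decision labels are assumptions, not from the page.
const EXPECTED_ACTION = 'account_login'; // action used by the forms on this page
const MFA_THRESHOLD = 0.5;               // assumed cut-off; tune per site

function decideLogin(assessment, expectedAction = EXPECTED_ACTION,
                     mfaThreshold = MFA_THRESHOLD) {
  const props = (assessment && assessment.tokenProperties) || {};
  // Missing, expired, replayed or malformed token: fail closed.
  if (props.valid !== true) {
    return { decision: 'reject', reason: props.invalidReason || 'NO_TOKEN_PROPERTIES' };
  }
  // A token issued for a different action must not pass the login check.
  if (props.action !== expectedAction) {
    return { decision: 'reject', reason: 'ACTION_MISMATCH' };
  }
  const score = assessment.riskAnalysis && assessment.riskAnalysis.score;
  // No usable score: treat the risk as unknown and ask for a second factor.
  if (typeof score !== 'number' || Number.isNaN(score)) {
    return { decision: 'require_mfa', reason: 'NO_SCORE' };
  }
  if (score < mfaThreshold) {
    return { decision: 'require_mfa', reason: 'LOW_SCORE' };
  }
  return { decision: 'continue', reason: 'OK' }; // go on to check the password
}

// Constructed sample assessments (not real API output).
const SAMPLES = {
  human: { tokenProperties: { valid: true, action: 'account_login' },
           riskAnalysis: { score: 0.9 } },
  suspicious: { tokenProperties: { valid: true, action: 'account_login' },
                riskAnalysis: { score: 0.1 } },
  wrongAction: { tokenProperties: { valid: true, action: 'signup' },
                 riskAnalysis: { score: 0.9 } },
  replayed: { tokenProperties: { valid: false, invalidReason: 'DUPE' } },
  empty: {},
};

for (const [name, assessment] of Object.entries(SAMPLES)) {
  const { decision, reason } = decideLogin(assessment);
  console.log(`${name}: ${decision} (${reason})`);
}
```

A `continue` decision only means the request may proceed to the normal credential check; it does not replace it.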