In late April 2026, Google revamped its reCAPTCHA. When you come up against it you're no longer shown the "click all the buses" type puzzle. It now shows a QR code that you scan with your phone. One cryptographic handshake later you're in.
The old type is still around for the time being but slowly being phased out. Google's pitch is this will make authentication easier and accessing secure websites won't hinge on you knowing the difference between a bike and a motorcycle.
The issue here is the cryptographic handshake. It checks if it's a certified Android device by checking if Google Play Services is installed. No Play Services, no entry. This cuts operating systems like GrapheneOS, CalyxOS, and LineageOS off at the knees.
iPhones pass without installing any Google software. Only Android users who refused Play Services get shut out, making it clear this is less about security and more about enforcement.Phone manufacturers pay Google for the right to bundle Play Services and the Play Store on their devices, and that licensing is what keeps the Android ecosystem on Google's leash even though Android itself is open source. DeGoogled OSes break that leash by stripping Google Mobile Services out entirely. The new reCAPTCHA makes that leash enforceable at the website level
If this sounds at all familiar it's because Google tried the same thing back in 2023 calling it Web Environment Integrity (WEI). This was introduced as a web standard. Meaning it only worked out if other browser manufacturers implemented it too. This was met with skepticism and public backlash causing other browser manufacturers to back away. Once Google saw it wasn't getting any traction they dropped the Web Environment Integrity proposal.
This was a good indicator of the temperature in the room. Nobody wanted this and browser manufacturers weren't keen on implementing it. So Google did the on brand thing and came at it from a different angle sidestepping public concern.
The difference is this is a server-side product, not a browser feature that needs to be baked in. To browsers it's just like any scanned QR code. Google sells the backend feature to its customers that allow for authentication.
Pair this with their recent moves to choke out sideloading applications, it's beginning to look like Google is building its own walled garden. An open ecosystem was one of the things that steered people away from Apple and towards Android. But they seem to have burned that bridge and any goodwill along with it.
One of the main reasons things like this continue to happen is the phone landscape doesn't have an open source alternative like the one that the computer has. OS makers have to seriously take into account what's going on with the Linux platform. A platform that has only gotten stronger because vendor lock-in has driven a lot of users into Linux's welcoming arms.
There are a few open source phone OSes that are fighting the good fight. We just haven't hit ease of choice yet. Distros like Ubuntu and Pop!_OS were tipping points for Linux. Ease of choice does not equal impossibility. If you're interested in saying goodbye to this type of vendor locked-in walled garden on your phone, check out this rundown. A lot of people, myself included, live an essentially Google-free life. Check out the site called switching.software for Google alternatives along with a lot of other platforms.
If we don't take back our own slice of the Internet, big tech is going to divvy it up and keep all the pieces for themselves. Plan accordingly.