I believe that the point in reCAPTURE is to make it more difficult for bots to complete the log in process - to prevent lots of spam accounts being created or perhaps to slow down a brute force attack.
The problem is that authenticating doesn't necessarily have to happen through this web page - it wouodn't stop a bot that went via an API.
Although, you could perhaps add layers of security like locking an account after 5 failed attempts to authenticate or two factor authentication for some actions.
You are viewing a single comment's thread from: