Cloudflare says it’s time to end CAPTCHA ‘madness’, launches new security key-based replacement – The Verge

Cloudflare, which you may know as a provider of DNS services or the company telling you why the website you clicked on won’t load, wants to replace the “madness” of CAPTCHAs across the web with an entirely new system.

CAPTCHAs are those tests you have to take, often when trying to log into a service, that ask you to click images of things like buses or crosswalks or bicycles to prove that you’re a human. (CAPTCHA, if you didn’t know, stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”) The problem is, they add a lot of friction to using the web and can sometimes be difficult to solve — I’m sure I’m not the only person who has frustratingly failed a CAPTCHA because I didn’t see that corner of a crosswalk in one image.

In a blog, Cloudflare says it aims to “get rid of CAPTCHAs completely” by replacing them with a new way to prove you are a human by touching or looking at a device using a system it calls “Cryptographic Attestation of Personhood.” Right now, it only supports a limited number of USB security keys like YubiKeys, but you can test Cloudflare’s system for yourself right now on the company’s website.

I tried it out, and it worked great. All I had to do was click the prominent “I am human (beta)” button on the site, then follow a few prompts to select my security key, then tap it, and then allow the site to access the make and model of the key. When I did, the system waved me through (though it just took me back to the blog).

The whole process took all of a few seconds, and I have to admit that it was really nice not to puzzle over grainy images of buses and bus-looking objects. And in addition to the speed of it all, this new method could have a major accessibility benefit, as those with visual disabilities may not be able to complete CAPTCHAs in their current form.

Here is the company’s “elevator pitch” of what’s going on behind the scenes to establish that you’re a human via its new method:

The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate.

You can read a much more extensive explanation on the company’s blog.

While it’s all an intriguing idea, it may not be the end to CAPTCHAs as we know it just yet. For one thing, you probably won’t see the prompt in many places, as Cloudflare says this is only an experiment right now, available “on a limited basis in English-speaking regions.” And in its current state, it only works with a limited set of hardware: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.

Cloudflare promises it will “look into adding other authenticators as soon as possible.” That could possibly expand to your phone: Cloudflare suggests the possibility of tapping a phone to your computer to pass a wireless signature using NFC. Google can now treat both iPhones and Android phones as physical security keys; if Google and Apple got on board with Cloudflare’s method, it could significantly reduce the barrier to entry to using it, since smartphones are much more common than security keys.

However, Cloudflare’s system may actually be a worse solution, according to one critic. As Ackermann Yuriy (CEO of the consulting firm Webauthn Works) points out, “attestation does not prove anything but the device model,” meaning that it doesn’t actually prove if someone using a device for authentication is, in fact, a human.

Cloudflare essentially admits this itself in its own blog, saying that a drinking bird (those bird toys that dip their beaks into water repeatedly) could press a touch sensor on a security key, thereby passing the authentication test. If the point of CAPTCHAs is to prevent bot farms from overrunning websites, we may need to consider whether bot farms equipped with jury-rigged security key devices (or worse) will take advantage.
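To make the critic’s point concrete, here is an added example (not Cloudflare’s code, and not from its blog) of what a relying party actually learns from a WebAuthn registration: it parses the authenticator data and looks up the 16-byte AAGUID, which identifies the authenticator model, against a hypothetical allowlist. The AAGUIDs, model name and relying-party ID are constructed, and real verification would also check the attestation signature and certificate chain against the manufacturer’s root, which this block leaves out.

```python
import hashlib
import struct
import uuid
from typing import Optional

# WebAuthn authenticator data layout: rpIdHash(32) | flags(1) | signCount(4)
# | attestedCredentialData: aaguid(16) | credIdLen(2) | credId | COSE public key
FLAG_UP = 0x01  # user present: the touch sensor was pressed (by someone, or something)
FLAG_AT = 0x40  # attested credential data follows the header

# Hypothetical allowlist of trusted authenticator models (constructed AAGUIDs).
TRUSTED_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
UNKNOWN_AAGUID = uuid.UUID("99999999-2222-3333-4444-555555555555")
TRUSTED_MODELS = {TRUSTED_AAGUID: "ExampleKey Model A"}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, if present, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    result = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        result["credential_id"] = auth_data[55:55 + cred_id_len]
    return result


def model_check(auth_data: bytes) -> Optional[str]:
    """Return the trusted model name, or None. This establishes which device
    model was touched, not whether a person did the touching."""
    parsed = parse_authenticator_data(auth_data)
    if not parsed["user_present"] or parsed["aaguid"] is None:
        return None
    return TRUSTED_MODELS.get(parsed["aaguid"])


def build_sample(aaguid: uuid.UUID, present: bool = True) -> bytes:
    """Constructed authenticator data for demonstration; no real key material."""
    flags = FLAG_AT | (FLAG_UP if present else 0)
    cred_id = b"\xab" * 16  # constructed credential ID; COSE key omitted
    return (hashlib.sha256(b"example.com").digest() + bytes([flags])
            + struct.pack(">I", 1) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id)
```

Swapping the allowlisted AAGUID for an unknown one fails the check, but nothing in the data distinguishes a finger from a drinking bird.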

Cloudflare isn’t always positively associated with CAPTCHAs; in a recent example, the company moved from Google’s reCAPTCHA to a service from hCaptcha in April 2020, and some people weren’t fans.

CAPTCHAs also assume that website owners want to allow relatively anonymous traffic, but anonymous identity may be irrelevant if a website has your actual identity through login information you’ve provided. And with the recent push against ad targeting, driven in large part by Apple’s huge new privacy feature in iOS 14.5 that asks users if they want to let each app track them around the web, it’s possible that website providers will move more toward logins anyway.

Though it certainly sounds like a hassle to have to potentially deal with even more logins (which is much easier to do with a great password manager!), that shift could, counterintuitively, have the potential benefit of pushing us toward a passwordless future even sooner. If more services are pushing for direct logins, that could lead to more of them supporting security keys instead of a password. And more sites supporting security keys could put pressure on others to support them as well, like the trend we see toward two-factor authentication with phones.

While we’re not at that passwordless future just yet, Cloudflare’s potential replacement for the CAPTCHA could be a first step in that direction.