CAPTCHA nightmare could come to an END
Cloudflare, which you might recognise as a DNS service provider or as the company that tells you why a website won’t load, aims to replace the “madness” of CAPTCHAs with an entirely new method.
CAPTCHAs are the tests you have to pass to show that you’re a human, usually while logging into a website or app. They ask you to click on pictures of items like buses, crosswalks, and bicycles to prove that you’re human. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
The problem is that they add a lot of friction to using the internet and can be challenging to solve at times — I’m sure I’m not the only one who has failed a CAPTCHA because they didn’t show the corner of a crosswalk in one picture.
Cloudflare Introduces a New System
Cloudflare says in a blog post that it wants to “fully eliminate CAPTCHAs” by replacing them with a new way to prove you’re a person by touching or looking at a computer, which it calls “Cryptographic Attestation of Personhood.” Cloudflare’s system currently supports only a small number of USB security keys, such as YubiKeys, but you can try it out on the company’s website right now.
I put it to the test, and it worked well. All I had to do was press the site’s popular “I am human (beta)” icon, then follow a few prompts to choose my security key, tap it, and enable the site to access the key’s make and model. When I did, the machine let me through with a wave (though it just took me back to the blog).
It took only a few seconds to complete the task, and I must admit that it was extremely convenient not to have to sift through grainy pictures of buses and bus-like things. In addition to the pace, this new method may have a significant accessibility advantage, as CAPTCHAs in their current form may be inaccessible to those with visual disabilities.
The company’s “elevator pitch” on what’s going on behind the scenes to prove you’re a person using its new approach is as follows:
In a nutshell, your computer has an integrated safe module that contains a special secret that your manufacturer has sealed. The security module has the ability to prove it owns a secret without exposing it. Cloudflare requests evidence of the manufacturer’s legitimacy and verifies it.
A much more detailed description can be found on the company’s blog.
Limited Region Availability
Though it’s an interesting concept, CAPTCHAs as we know them may well stick around. For one thing, you’re unlikely to see the prompt in many places, as Cloudflare says the trial is running on a “limited basis in English-speaking regions” at the moment. It also only works with a small range of hardware for now: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.
Cloudflare says it will “look at incorporating other authenticators” “as soon as possible.” That could extend to your phone: Cloudflare mentions passing a signature wirelessly over NFC by tapping a phone against the screen. Smartphones are far more common than security keys, and Google already lets both iPhones and Android phones act as physical security keys, so if Google and Apple agreed to support Cloudflare’s system, it would dramatically lower the barrier to entry.
One critic argues that Cloudflare’s method could turn out to be a worse solution. As Ackermann Yuriy (CEO of the consulting company Webauthn Works) points out, “attestation does not prove anything but the system model,” i.e., it proves which kind of device was used for authentication, not that a person was using it.
Cloudflare’s own blog essentially admits this, noting that a drinking bird (the toy that repeatedly dips its beak into water) could press the touch sensor on a security key and pass the check. If the aim of CAPTCHAs is to stop bot farms from overrunning websites, it’s worth asking whether bot farms with jury-rigged security keys (or worse) could get past it.
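To make the company’s elevator pitch above and Yuriy’s objection concrete, here is an added Go sketch of the attestation exchange. It is not Cloudflare’s code and it simplifies the real FIDO/WebAuthn attestation format: Ed25519 stands in for the P-256 certificate chain, and the manufacturer name, model string and trusted-root map are all constructed for the example. The verifier checks that the device’s attestation key was sealed by a trusted manufacturer and that the device signed this fresh challenge, and all it learns on success is the model string; a drinking bird tapping the key passes exactly as a person would.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// DeviceCert is a constructed stand-in for the attestation certificate a manufacturer bakes
// into a security key at the factory (not the real FIDO/WebAuthn attestation format).
type DeviceCert struct {
	Manufacturer, Model string
	AttPub              ed25519.PublicKey // attestation public key shared by a whole batch
	Sig                 []byte            // manufacturer root signature over the fields above
}

func certBody(c DeviceCert) []byte {
	return append([]byte(c.Manufacturer+"|"+c.Model+"|"), c.AttPub...)
}

// ManufactureDevice plays the factory: mint the attestation key pair and seal it under the
// manufacturer root. The private half would live in the key's secure element and never leave.
func ManufactureDevice(root ed25519.PrivateKey, manufacturer, model string) (DeviceCert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DeviceCert{}, nil, err
	}
	cert := DeviceCert{Manufacturer: manufacturer, Model: model, AttPub: pub}
	cert.Sig = ed25519.Sign(root, certBody(cert))
	return cert, priv, nil
}

// Attest is the device side: after the user taps the key, sign the verifier's fresh challenge.
func Attest(attKey ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(attKey, challenge)
}

// Verify is the Cloudflare side: accept only if the cert is signed by a trusted manufacturer
// root and the signature covers this exact challenge (a replayed one fails). On success it
// learns the model string and nothing about who, or what, tapped the key.
func Verify(roots map[string]ed25519.PublicKey, cert DeviceCert, challenge, sig []byte) (string, error) {
	root, ok := roots[cert.Manufacturer]
	if !ok || !ed25519.Verify(root, certBody(cert), cert.Sig) {
		return "", errors.New("attestation cert not signed by a trusted manufacturer")
	}
	if !ed25519.Verify(cert.AttPub, challenge, sig) {
		return "", errors.New("challenge signature invalid")
	}
	return cert.Model, nil
}
```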
Cloudflare Has Switched Verification Before
Cloudflare is no stranger to CAPTCHAs: in April 2020, the company switched from Google’s reCAPTCHA to a service from hCaptcha, and some users weren’t happy.
CAPTCHAs assume that website owners want to accept reasonably anonymous traffic, but that anonymity is moot if a website already knows your real identity from the login details you’ve provided. With the recent movement against ad targeting, fueled in part by Apple’s major new privacy feature in iOS 14.5, which asks users whether each app may track them across the web, it’s likely that website providers will shift their focus to logins.
A First Step in the Right Direction
While it might seem inconvenient to deal with even more logins (far easier with a good password manager!), this change could, counterintuitively, end up hastening our transition to a password-free future. As more services push for direct logins, security keys could become more popular as a replacement for passwords. And, as with the trend toward two-factor authentication with phones, more sites supporting security keys could put pressure on others to do the same.
Though we aren’t quite there yet, Cloudflare’s proposed replacement for the CAPTCHA could be a first step in the right direction.