Cloudflare, which you may know as a DNS service provider or the company that tells you why the website you clicked isn’t loading, wants to replace the “madness” of CAPTCHAs on the Internet with a whole new system.
CAPTCHAs are the tests you often have to pass when logging into a service: you are asked to click on pictures of things like buses, crosswalks, or bicycles to prove that you are human. (CAPTCHA, if you didn’t know, stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.) The problem is that they add a lot of friction to using the web and are sometimes genuinely hard to solve; I’m sure I’m not the only person who has failed a CAPTCHA in frustration because I missed the corner of a zebra crossing in one of the tiles.
In a blog post, Cloudflare says it aims to “get rid of CAPTCHAs completely” by replacing them with a new way of proving you are human: touching or looking at a device, under a system it calls “Cryptographic Attestation of Personhood.” Only a limited set of USB security keys, such as YubiKeys, is currently supported, but you can test Cloudflare’s system for yourself on the company’s website now.
I tried it, and it worked great. All I had to do was click the prominent “I’m Human (Beta)” button on the site, follow a few instructions to select my security key, tap it, and then allow the site to access the make and model of the key. When I did that, the system waved me through (although it only led me back to the blog).
The whole process took a few seconds, and I have to admit it was really nice not to be puzzling over grainy images of buses and bus-like objects. On top of the speed, the new method could have a huge accessibility benefit, as people with visual impairments may not be able to complete CAPTCHAs in their current form.
Here’s the company’s “elevator pitch” for what goes on behind the scenes when the new method decides that you are human:
The short version is that your device has an embedded secure module that contains a unique secret that has been sealed by your manufacturer. The security module can prove that it has such a secret without revealing it. Cloudflare will ask for evidence and verify that your manufacturer is legitimate.
You can read a much more detailed explanation over on the company’s blog.
While this is all a fascinating idea, it may not be the end of CAPTCHAs as we know them. For one thing, you probably won’t see the prompt in many places, as Cloudflare says this is currently just an experiment that “has limited availability in English-speaking regions.” In its current state, it only works with a limited set of hardware: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.
Cloudflare promises to “add more authenticators as soon as possible.” This could eventually extend to your phone: Cloudflare suggests the option of tapping a phone against the computer to pass a signature over NFC. Google can already use both iPhones and Android phones as physical security keys; if Google and Apple adopted Cloudflare’s method, it could significantly lower the barrier to entry, since smartphones are far more common than security keys.
However, Cloudflare’s system could actually be a worse solution, according to one critic. As Ackermann Yuriy (managing director of the consulting firm Webauthn Works) points out, “Attestation does not prove anything other than the device model,” which means it does not actually prove that whoever is using a device to authenticate is human.
Cloudflare essentially admits this on its own blog, noting that a drinking bird (the toy bird that repeatedly dips its beak into a glass of water) could press the touch sensor on a security key and pass the test. Since the point of CAPTCHAs is to keep bot farms from flooding websites, it is worth asking whether bot farms equipped with jury-rigged security keys (or something worse) would simply pass this check too.
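To make the elevator pitch above concrete, and to show exactly what Yuriy’s objection means, here is a small simulation of the attestation exchange. It is an added example, not Cloudflare’s code and not the FIDO specification’s format: the X.509 attestation certificate a real authenticator carries is replaced by a manufacturer signature over the model name and the device’s attestation public key, and the manufacturer name “ExampleKeys Inc” and model “Example U2F Key” are constructed for the demo. The verifier checks that the certificate chains to a trusted manufacturer and that the sealed key signed a fresh challenge, and returns the only fact that establishes: the model. Nothing in it can tell a finger from a drinking bird.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AttestationCert is a simplified stand-in for the X.509 attestation
// certificate a FIDO authenticator ships with: the manufacturer vouches,
// by signature, that PubKey belongs to a device of the named model.
type AttestationCert struct {
	Model  string
	PubKey *ecdsa.PublicKey
	Sig    []byte // manufacturer's signature over certDigest(Model, PubKey)
}

// Device models the secure element: the private key is sealed at the
// factory and never leaves; only signatures come out.
type Device struct {
	key  *ecdsa.PrivateKey
	cert AttestationCert
}

// Verifier plays Cloudflare's role: it trusts a set of manufacturer root keys.
type Verifier struct {
	trusted map[string]*ecdsa.PublicKey // manufacturer name -> root public key
}

// certDigest binds the model string to the attestation public key so that
// the manufacturer's signature covers both (a tampered model fails to verify).
func certDigest(model string, pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(model))
	h.Write([]byte{0}) // separator so "A"+"BC" and "AB"+"C" hash differently
	h.Write(pub.X.FillBytes(make([]byte, 32)))
	h.Write(pub.Y.FillBytes(make([]byte, 32)))
	return h.Sum(nil)
}

// NewManufacturerKey generates a manufacturer root key (hypothetical vendor).
func NewManufacturerKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Manufacture provisions one device: a fresh sealed key plus a cert signed by
// the manufacturer root. (Real vendors share one attestation key across a
// batch of devices for privacy; that does not change the verification logic.)
func Manufacture(mfr *ecdsa.PrivateKey, model string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, mfr, certDigest(model, &key.PublicKey))
	if err != nil {
		return nil, err
	}
	return &Device{key: key, cert: AttestationCert{Model: model, PubKey: &key.PublicKey, Sig: sig}}, nil
}

// Attest is what a touch on the key triggers: sign the verifier's challenge
// with the sealed secret, proving possession without revealing it. Nothing
// here checks who, or what, pressed the sensor.
func (d *Device) Attest(challenge []byte) ([]byte, AttestationCert, error) {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, digest[:])
	return sig, d.cert, err
}

func NewVerifier(trusted map[string]*ecdsa.PublicKey) *Verifier {
	return &Verifier{trusted: trusted}
}

// Verify checks (1) the cert was signed by a trusted manufacturer and (2) the
// attested key signed this exact challenge. On success it returns the one
// fact attestation actually establishes: the device model.
func (v *Verifier) Verify(challenge, sig []byte, cert AttestationCert) (string, error) {
	trusted := false
	for _, pub := range v.trusted {
		if ecdsa.VerifyASN1(pub, certDigest(cert.Model, cert.PubKey), cert.Sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return "", errors.New("attestation cert not signed by a trusted manufacturer")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(cert.PubKey, digest[:], sig) {
		return "", errors.New("challenge signature invalid (wrong key or replayed challenge)")
	}
	return cert.Model, nil
}

func main() {
	mfr := NewManufacturerKey()
	v := NewVerifier(map[string]*ecdsa.PublicKey{"ExampleKeys Inc": &mfr.PublicKey})
	dev, _ := Manufacture(mfr, "Example U2F Key")
	// Three presses by a drinking bird look exactly like three presses by a human.
	for i := 0; i < 3; i++ {
		challenge := make([]byte, 32)
		rand.Read(challenge)
		sig, cert, _ := dev.Attest(challenge)
		model, err := v.Verify(challenge, sig, cert)
		fmt.Println("press", i, "->", model, err)
	}
}
```

The two checks the verifier performs are the two claims in Cloudflare’s pitch: the manufacturer is legitimate (the cert verifies under a trusted root) and the device holds the sealed secret (the challenge signature verifies). A replayed signature, a cert from an unknown manufacturer, or a forged model name all fail. What never fails is a loop calling Attest as fast as the device will sign, which is the bot-farm scenario Yuriy describes.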
Lordy, if you thought clicking squares that contained a traffic light was a pain: Google and Cloudflare have had a spat, and the latter now have their own captcha, absolutely designed to keep people from bothering with websites that deploy it pic.twitter.com/odLTbZSAyZ
– Kate Bevan (@katebevan) April 16, 2020
CAPTCHAs also assume that website owners want to allow relatively anonymous traffic. But anonymity may be moot if a website is using the credentials you gave it to see who you are. And with the recent push against ad targeting, driven in large part by Apple’s major new privacy feature in iOS 14.5, which asks users whether each app may track them, it is possible that websites will come to rely more on logins anyway.
Although it certainly sounds like a hassle to potentially deal with even more logins (which is much easier with a good password manager!), this shift could, counterintuitively, have the upside of propelling us toward a passwordless future even sooner. As more services push for logins, more of them may support security keys instead of passwords. And more websites supporting security keys could put pressure on others to support them too, much like the trend toward two-factor authentication with phones.
While we’re not yet in that passwordless future, Cloudflare’s potential replacement for CAPTCHA could be a first step in that direction.