Cloudflare launches campaign to ‘end the madness’ of CAPTCHAs

Testing dongle-driven ‘Cryptographic Attestation of Personhood’ and WebAuthn as alternative


Poll Cloudflare has called on the world to “end this madness” by consigning Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs) to the dustbin of history.

The internet-grooming firm’s beef with CAPTCHAs - specifically those that require users to identify images - is that they take 32 seconds to complete, are frustrating, work poorly on mobile devices, assume cultural knowledge of the objects on display, and that completion often requires certain physical and cognitive capabilities that not all users will possess.

Cloudflare research engineer Thibault Meunier assumed that the average internet user sees a CAPTCHA once every ten days and multiplied that by the world’s 4.6 billion internet users and Cloudflare’s 32-second CAPTCHA-completion estimate to assert that humanity collectively spends 500 years every day completing CAPTCHAs.

The company’s preferred alternative is a “Cryptographic Attestation of Personhood” that works as follows:

  1. The user accesses a website protected by Cryptographic Attestation of Personhood, such as cloudflarechallenge.com.
  2. Cloudflare serves a challenge.
  3. The user clicks I am human (beta) and gets prompted for a security device.
  4. User decides to use a Hardware Security Key.
  5. The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC).
  6. A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test.

Note the mention in that list of a Hardware Security Key. Cloudflare will initially support three: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.

“Completing this flow takes five seconds,” Meunier asserts in a post on Cloudflare’s blog. “More importantly, this challenge protects users' privacy since the attestation is not uniquely linked to the user device.”
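The six-step flow above and Meunier's privacy claim both come down to one server-side check, and the Go program below is an added illustration of it; it is not Cloudflare's code and not the project described. It models a security key and a relying party exchanging a WebAuthn-style response: the site issues a fresh challenge, the key returns authenticator data (the hash of the relying-party ID, a flags byte whose low bit records that the user touched the key, and a sign counter) plus a signature over that data and the hashed client data, and the site accepts only if the challenge and origin match, the user presence bit is set, and the signature verifies. The real ceremony wraps this in a CBOR attestation object and a batch attestation certificate chain; here a single key pair stands in for that batch key, which is the property that makes a valid response not identify an individual device. `cloudflarechallenge.com` is the hostname from the article; the `https://` origin, the `webauthn.get` client-data type and the zeroed sign counter are simplifying assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Bit 0 of the WebAuthn flags byte: user presence confirmed (the tap in step 5).
const flagUserPresent byte = 0x01

// Authenticator models a FIDO key. Its key pair stands in for the batch attestation
// key shared by many devices of one model, so a valid response does not single out one key.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// clientData holds the CollectedClientData fields the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signingInput is SHA-256(authData || SHA-256(clientDataJSON)); both sides compute it.
func signingInput(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign builds authData (rpIdHash || flags || 4-byte counter, zero in this model) and signs it.
// userPresent=false models a key that was never touched, leaving the UP bit clear.
func (a *Authenticator) Sign(rpID string, clientDataJSON []byte, userPresent bool) (authData, sig []byte, err error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	var flags byte
	if userPresent {
		flags |= flagUserPresent
	}
	authData = append(append(rpIDHash[:], flags), 0, 0, 0, 0)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signingInput(authData, clientDataJSON))
	return authData, sig, err
}

// RelyingParty is the site operator (Cloudflare in the article). trusted stands in for
// the attestation root a real deployment would chain the key's batch certificate to.
type RelyingParty struct {
	rpID, origin string
	trusted      *ecdsa.PublicKey
}

// NewChallenge issues 32 fresh random bytes per attempt; that freshness defeats replay.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Verify checks that the client data echoes the issued challenge and expected origin,
// rpIdHash matches, the user presence bit is set, and the signature verifies.
func (rp *RelyingParty) Verify(challenge string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != rp.origin {
		return errors.New("client data does not match issued challenge or origin")
	}
	if want := sha256.Sum256([]byte(rp.rpID)); len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("authenticator data malformed or rpIdHash mismatch")
	}
	if authData[32]&flagUserPresent == 0 {
		return errors.New("user presence not confirmed")
	}
	if !ecdsa.VerifyASN1(rp.trusted, signingInput(authData, clientDataJSON), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunFlow drives steps 2-6 once. userPresent=false skips the tap; replay=true presents
// a previously captured response against a newly issued challenge.
func RunFlow(userPresent, replay bool) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{rpID: "cloudflarechallenge.com", origin: "https://cloudflarechallenge.com", trusted: &priv.PublicKey}
	challenge, err := rp.NewChallenge()
	if err != nil { return err }
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: rp.origin})
	authData, sig, err := auth.Sign(rp.rpID, cdJSON, userPresent)
	if err != nil { return err }
	if replay {
		challenge, _ = rp.NewChallenge()
	}
	return rp.Verify(challenge, cdJSON, authData, sig)
}
```

`RunFlow(true, false)` returns nil; `RunFlow(false, false)` fails on the user presence bit, which is the check that distinguishes a physically present human from software driving the key, and `RunFlow(true, true)` fails because the signed client data carries a stale challenge.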

Cloudflare will offer Cryptographic Attestation of Personhood on a limited basis in English-speaking regions to test the feasibility of its idea.

Meunier’s post nods to the fact that some smartphones can now perform the same function as a security key but stops short of suggesting that Cloudflare will use them.

The Register fancies that could be a sticking point for Cloudflare’s ideas, as physical security keys don’t come cheap – we’ve struggled to find any under US$20 – and most are USB-A devices at a time when such ports are becoming less prevalent.

Does Cloudflare really think dongles are less painful than CAPTCHAs? Let us know in the Poll below.®


Biting the hand that feeds IT © 1998–2022