Looks to hardware security key systems to tell humans and robots apart
Content delivery network (CDN) operator Cloudflare is looking to make CAPTCHAs a thing of the past, replacing them with a hardware-based system it calls ‘Cryptographic Attestation of Personhood.’
The company claims that 500 human years are wasted every single day by Internet users undertaking CAPTCHAs.
Declaring the “beginning of the end for fire hydrants, crosswalks, and traffic lights on the Internet,” Cloudflare research engineer Thibault Meunier said in a blog post that a real human “should be able to touch or look at their device to prove they are human, without revealing their identity.”
Meunier promised that Cryptographic Attestation of Personhood would require “at most three clicks.”
“For Cloudflare, it always comes back to helping build a better Internet. The very idea that we’re all wasting 500 years per day on the Internet — that nobody had revisited the fundamental assumptions of CAPTCHAs since the turn of the century — seemed absurd to us.”
Are you alive?
'Completely Automated Public Turing test to tell Computers and Humans Apart', otherwise known as CAPTCHA, is an automated test Internet users must undertake in order to access certain websites or platforms.
Usually, it tasks users with picking certain images from a collection of pictures, with those selected containing a certain object, such as a fire hydrant, a car, or a traffic light.
Websites deploy these to establish whether users are ‘human’ in an attempt to prevent automated scripts from accessing their platforms – every task is designed to be impossible for a computer to complete, even for a state-of-the-art machine learning system.
But the puzzles are often infuriating, with many users unsure whether to select a certain image containing a small portion of the object they’re tasked with finding, as it bleeds onto another image.
Instead, Cloudflare proposes a switch to hardware keys and browser technologies like WebAuthn. The company has kicked off the initiative with USB security keys, with support for YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys, which can be tested here.
A user looking to access a site with a Cryptographic Attestation of Personhood in place will be met with an 'I am a human' button prompt, with a security device required. Once a hardware security key is plugged into a device, a cryptographic attestation is sent to Cloudflare, which then verifies the user's test and allows them entry.
The company says the process is more privacy-friendly, safer, and less cumbersome than CAPTCHAs.
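The flow described above rests on WebAuthn, so the following added example (not code from Cloudflare or from this article) shows the generic checks any WebAuthn relying party runs on a registration response before trusting that a key was touched. It assumes the attestation object has already been CBOR-decoded and omits verification of the attestation signature against the key manufacturer's certificate; `checkPresence`, `makeSample` and the `example.test` values are hypothetical names and constructed data.

```javascript
// Added example: generic WebAuthn relying-party checks (not Cloudflare's code).
const { createHash, timingSafeEqual } = require("node:crypto");

const FLAG_UP = 0x01; // user present: the key was touched

// authenticatorData header: rpIdHash (32) | flags (1) | signCount (4, big-endian)
function parseAuthData(buf) {
  if (buf.length < 37) throw new Error("authenticatorData too short");
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (buf[32] & FLAG_UP) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Returns the names of the failed checks; an empty array means the response passes.
function checkPresence(response, expected) {
  let client, auth;
  try {
    client = JSON.parse(response.clientDataJSON.toString("utf8"));
    if (client === null || typeof client !== "object") throw new Error("bad clientData");
    auth = parseAuthData(response.authenticatorData);
  } catch {
    return ["malformed"];
  }
  const failures = [];
  if (client.type !== "webauthn.create") failures.push("type");
  // The challenge must be the one this server issued for this visit (anti-replay).
  const got = Buffer.from(String(client.challenge), "base64url");
  if (got.length !== expected.challenge.length ||
      !timingSafeEqual(got, expected.challenge)) failures.push("challenge");
  if (client.origin !== expected.origin) failures.push("origin");
  const rpIdHash = createHash("sha256").update(expected.rpId).digest();
  if (!auth.rpIdHash.equals(rpIdHash)) failures.push("rpIdHash");
  if (!auth.userPresent) failures.push("userPresent");
  return failures;
}

// Constructed sample response (no real authenticator involved).
function makeSample({ challenge, origin, rpId }, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.create", challenge: challenge.toString("base64url"), origin,
  }));
  const authenticatorData = Buffer.concat([
    createHash("sha256").update(rpId).digest(), Buffer.from([flags, 0, 0, 0, 0]),
  ]);
  return { clientDataJSON, authenticatorData };
}
const expected = { challenge: Buffer.from("constructed-challenge"),
                   origin: "https://example.test", rpId: "example.test" };
console.log(checkPresence(makeSample(expected, 0x41), expected)); // key touched
```

The challenge and origin checks stop a response captured on one visit or one site from being replayed elsewhere; the user-present flag is the bit that corresponds to the physical touch.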
Cloudflare’s Cryptographic Attestation of Personhood experiment “could help further reduce the cognitive load placed on users as they interact with sites under strain or attack,” Christopher Harrell, Yubico’s chief technology officer, said.
“I hope this experiment will enable people to accomplish their goals with minimal friction and strong privacy, and that the results will show it is worthwhile for other sites to consider using hardware security for more than just authentication.”
One of the most prominent CAPTCHA services, Google's reCAPTCHA API, which is used by various sites to distinguish human users from bots, actually helps train the company's machine learning models.
Google is quite transparent about this fact, admitting on the reCAPTCHA website that "every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This, in turn, helps preserve books, improve maps, and solve hard AI problems."