Cloudflare: It’s time to replace CAPTCHAs as the go-to for human verification

Most of us are familiar with the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart): by Cloudflare’s count, the typical Internet user encounters one every 10 days. The test is meant to verify that you are a human rather than a bot, but to be frank, I can’t even count the number of times I’ve failed a CAPTCHA because of a misclick. Cloudflare recently estimated that humanity collectively wastes around 500 years every single day just proving that it is human.

Cloudflare, best known for its CDN and DNS services, recently shared an experimental verification method intended to “end this madness” and replace CAPTCHAs: a system in which a trusted hardware security key (USB or NFC) is used to prove… that you are human. Cloudflare says that in future, phones and computers should ship with this ability built in.

“Today marks the beginning of the end for fire hydrants, crosswalks, and traffic lights on the Internet.”

An alternative: Cryptographic Attestation of Personhood

The system currently supports a number of hardware security keys (such as YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys) and relies on WebAuthn (Web Authentication) attestation. WebAuthn is a W3C standard API already implemented in most modern web browsers and operating systems; it uses the cryptographic capabilities of a device to authenticate users on the web. Attestation is the part of the standard in which the key proves, using a certificate issued by its manufacturer, that it is a genuine device of a particular make and model. That is distinct from the ordinary login flow, in which the key only proves possession of a per-site credential.

Technical jargon aside, this is Cloudflare’s elevator pitch:

“The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate.”

Cloudflare says that privacy remains at the forefront of its thinking: the aim of the experimental method is not to learn which human you are, only that you are a human. The attestation therefore involves no biometrics, although Cloudflare does need to learn who manufactured your device in order to accept the proof. In the FIDO model the attestation certificate is shared by a large batch of keys of the same model, so what the verifier sees is a make and model rather than an identifier for your individual key.
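To make Cloudflare’s description concrete, here is an added example, written for this page in Go, of the two checks a verifier performs: that the device’s certificate chains to a manufacturer root it trusts, and that the device signed the server’s fresh challenge with the key that certificate covers. It is not Cloudflare’s code and not a real key’s firmware. The manufacturer names, the authData byte string and the challenge-plus-origin hash that stands in for WebAuthn’s clientDataJSON are all constructed for the example; real attestation statements carry a certificate chain (x5c) and a binary authenticatorData structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Attestation is a cut-down WebAuthn "packed" attestation statement: the device's
// signature over authData||clientDataHash and its manufacturer-issued attestation
// certificate (real statements carry a chain, x5c, leaf first).
type Attestation struct{ AuthData, Sig, CertDER []byte }

// Device is a security key reduced to what this check needs from it: answering a
// server challenge, for a given origin, with a signed attestation.
type Device func(challenge, origin string) Attestation

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for it, self-signed as a CA root when
// parent is nil and otherwise signed by parent.
func issue(serial int64, org, cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// signedBytes is what the packed format signs: authData || clientDataHash. Real WebAuthn
// hashes the browser's clientDataJSON (type, challenge, origin); this constructed stand-in
// hashes challenge and origin directly, so a verifier recomputing it rejects the same mismatches.
func signedBytes(authData []byte, challenge, origin string) []byte {
	h := sha256.Sum256([]byte(origin + "|" + challenge))
	return append(append([]byte{}, authData...), h[:]...)
}

// NewManufacturer sets up an attestation root CA and returns its certificate (what a
// verifier pins as trusted) plus a factory for devices of this make. A device's
// attestation key is sealed in at the factory and, in the FIDO model, shared by a
// large batch of one model, so its certificate names a make and model, not a unit.
func NewManufacturer(name string) (*x509.Certificate, func(model string) Device) {
	ca, caKey := issue(1, name, name+" Attestation Root", nil, nil)
	return ca, func(model string) Device {
		cert, key := issue(2, name, model, ca, caKey)
		return func(challenge, origin string) Attestation { // the key never leaves this closure
			authData := []byte("rpIdHash|flags|counter|aaguid|credPubKey") // constructed stand-in for binary authenticatorData
			digest := sha256.Sum256(signedBytes(authData, challenge, origin))
			sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
			return Attestation{AuthData: authData, Sig: sig, CertDER: cert.Raw}
		}
	}
}

// VerifyPersonhood is the server side. On success it returns the make and model
// read from the certificate, which is all the verifier learns about the user.
func VerifyPersonhood(att Attestation, challenge, origin string, roots *x509.CertPool) (string, error) {
	leaf, err := x509.ParseCertificate(att.CertDER)
	if err != nil {
		return "", err
	}
	// Manufacturer check: the certificate must chain to a trusted attestation root.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("manufacturer not trusted: %w", err)
	}
	// Possession and freshness: the signature must verify under the certified key over the
	// authData plus the challenge and origin this server issued, so replays and forged keys fail.
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, signedBytes(att.AuthData, challenge, origin), att.Sig); err != nil {
		return "", fmt.Errorf("bad attestation signature: %w", err)
	}
	return strings.Join(leaf.Subject.Organization, ",") + " " + leaf.Subject.CommonName, nil
}

func main() {
	root, makeDevice := NewManufacturer("ExampleKeyCo") // hypothetical manufacturer name
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println(VerifyPersonhood(makeDevice("Model A")("nonce-from-server", "https://example.org"), "nonce-from-server", "https://example.org", roots))
}
```

The verifier’s trust store is the whole “is the manufacturer legitimate” question: a key from a vendor whose root is not in `roots` fails the first check even with a perfectly valid signature, and a replayed attestation fails the second because the challenge it signed is not the one the server just issued. Note what the verifier returns: a make and model from the certificate subject, never a per-user identifier.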


However, Cloudflare admits that there is still room for error and abuse with the new system, such as the possibility of “automated button-pressing systems”: the check proves that a genuine key was touched, not that a person touched it, so something like a drinking-bird toy could feasibly tap the capacitive sensor and pass the test. This would still be slower than professional CAPTCHA-solving services, and Cloudflare says that existing safeguards are in place to limit the consequences.

In any case, the project is still at the experimental stage, and only USB and NFC security keys work for now. Cloudflare has published a demo page where you can try out Cryptographic Attestation of Personhood, along with a form for feedback. Or, if you think you have the skills to help the team get rid of CAPTCHAs forever (that’s the dream, isn’t it?), Cloudflare is hiring now.

So, what do you think?