Cloudflare, which you may know as a DNS service provider or the company that tells you why the website you clicked on won’t load, wants to replace the “craziness” of CAPTCHAs with an entirely new system.
CAPTCHAs are those tests you usually have to take when attempting to log into a service, which ask you to click images of things like buses, crosswalks, or bicycles to prove that you’re human.
(CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart,” in case you didn’t know.) The problem is that they add a lot of friction to web use and can be difficult to solve at times — I’m sure I’m not the only person who has frustratingly failed a CAPTCHA because I didn’t see that corner of a crosswalk in one image.
Cloudflare says in a blog post that it wants to “get rid of CAPTCHAs completely” by replacing them with a new way to prove you are a human by touching or looking at a device, which it calls “Cryptographic Attestation of Personhood.” It currently only supports a limited number of USB security keys such as YubiKeys, but you can test Cloudflare’s system on the company’s website right now.
Here’s the company’s “elevator pitch” for what’s going on behind the scenes to prove you’re a human using its new method:
The short version is that your device has an embedded secure module that contains a unique secret that your manufacturer has sealed. The security module is capable of demonstrating ownership of such a secret without revealing it. Cloudflare requests proof and verifies that your manufacturer is legitimate.
A much more detailed explanation can be found on the company’s blog.
While it’s an intriguing concept, it’s possible that CAPTCHAs as we know them will not be phased out anytime soon. For one thing, you won’t see the prompt everywhere, as Cloudflare describes it as an experiment that is currently available “on a limited basis in English-speaking regions.” In its current state, it only supports a small set of hardware: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.
Cloudflare promises to “look into adding additional authenticators as soon as possible.” This could potentially extend to your phone: Cloudflare suggests tapping a phone to your computer to send a wireless signature via NFC. Google can now treat both iPhones and Android phones as physical security keys; if Google and Apple adopted Cloudflare’s method, it could significantly lower the barrier to use, as smartphones are far more common than security keys.
According to one critic, Cloudflare’s system may actually be a worse solution. As Ackermann Yuriy (CEO of consulting firm Webauthn Works) points out, “attestation does not prove anything but the device model,” which means it does not prove whether or not someone using a device for authentication is, in fact, a human.
In its own blog, Cloudflare essentially admits this, stating that a drinking bird (those bird toys that repeatedly dip their beaks into water) could press a touch sensor on a security key, thereby passing the authentication test. If the goal of CAPTCHAs is to keep bot farms from taking over websites, we may need to consider whether bot farms equipped with jury-rigged security key devices (or worse) will take advantage.
Cloudflare isn’t always associated with CAPTCHAs positively; for example, in April 2020, the company switched from Google’s reCAPTCHA to a service from hCaptcha, and some weren’t pleased.
CAPTCHAs also assume that website owners want to allow relatively anonymous traffic, but anonymous identity may be meaningless if a website has your actual identity based on the login information you’ve provided. And, given the recent push against ad targeting, fueled in large part by Apple’s massive new privacy feature in iOS 14.5, which asks users if they want each app to track them around the web, it’s possible that website providers will shift more toward logins anyway.
Though it may appear to be a hassle to have to deal with even more logins (which is much easier to do with a great password manager!), that shift may, counterintuitively, have the potential benefit of pushing us even closer to a passwordless future. If more services push for direct logins, it’s possible that more of them will support security keys instead of passwords. Furthermore, more sites that support security keys may put pressure on others to do so as well, similar to the trend toward two-factor authentication with phones.
While we aren’t quite there yet, Cloudflare’s potential replacement for the CAPTCHA could be the first step in that direction.