
Cloudflare Inc., a U.S.-based web infrastructure and website-security company, wants to kill CAPTCHAs across the web and replace them with an entirely new system.

For those unaware, CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge-response test used in a computer program or system to determine whether or not the user is human.

According to Cloudflare, although CAPTCHAs strengthen the security of online services, they have a very real cost associated with them.

Based on the company’s data, it takes a user on average 32 seconds to complete a CAPTCHA challenge.

With 4.6 billion global Internet users, a typical Internet user sees approximately one CAPTCHA every 10 days, which is roughly 500 human years wasted every single day.

To avoid this, Cloudflare wants to get rid of CAPTCHAs with its new security system called the “Cryptographic Attestation of Personhood.”

In a recent blog post, Cloudflare explains how Cryptographic Attestation of Personhood works, which is as follows:

  1. The user accesses a website protected by Cryptographic Attestation of Personhood, such as com.
  2. Cloudflare serves a challenge.
  3. The user clicks “I am human (beta)” and gets prompted for a security device.
  4. User decides to use a Hardware Security Key.
  5. The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC).
  6. A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test.

When Cloudflare tested this flow, it took them just five seconds and three clicks to complete it. More importantly, this challenge protects users’ privacy since the attestation is not uniquely linked to the user device.

Currently, all device manufacturers trusted by Cloudflare are part of the FIDO Alliance. The devices that are supported in the initial rollout include YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.

Those who have a compatible security key and wish to test the feature can do so from this website.

“Driving open authentication standards like WebAuthn has long been at the heart of Yubico’s mission to deliver powerful security with a delightful user experience,” said Christopher Harrell, Chief Technology Officer at Yubico.

“By offering a CAPTCHA alternative via a single touch backed by YubiKey hardware and public key cryptography, Cloudflare’s Cryptographic Attestation of Personhood experiment could help further reduce the cognitive load placed on users as they interact with sites under strain or attack.

I hope this experiment will enable people to accomplish their goals with minimal friction and strong privacy, and that the results will show it is worthwhile for other sites to consider using hardware security for more than just authentication.”

[Image: Yubico hardware security key]

The Cryptographic Attestation of Personhood depends on Web Authentication (WebAuthn) Attestation. This API aims to provide a standard interface to authenticate users on the web and use the cryptography capability of their devices.

The company says it works on all browsers on iOS 14.5, Windows, macOS, and Ubuntu. However, for phones running Android 10 and later, the feature works on Chrome.

It is important to note that since Cryptographic Attestation of Personhood is an experimental project from the Cloudflare Research Team, it currently works only on USB or NFC security keys.

If you wish to give feedback on the Cryptographic Attestation of Personhood, you can fill out Cloudflare’s Google Form: https://forms.gle/HQxJtXgryg4oRL3e8.