Cloudflare says it’s time to end CAPTCHA ‘madness’
Launches new security key-based replacement
Cloudflare, which you may be familiar with as a provider of DNS services or as the company that tells you why the website you clicked on isn't loading, wants to replace the "madness" of CAPTCHAs with an entirely new system.
CAPTCHAs are those tests that you must complete, frequently when attempting to log into a service, in which you must click images of objects such as buses, crosswalks, or bicycles to demonstrate that you are a human. (CAPTCHA, in case you didn't know, stands for "Completely Automated Public Turing Test to Tell Computers and Humans Apart.") The issue is that they add a lot of friction to web browsing and can be frustrating to solve — I'm sure I'm not the only person who has frustratedly failed a CAPTCHA because I didn't see the corner of a crosswalk in one image.
Cryptographic Attestation of Personhood
Cloudflare says in a blog post that it aims to “completely eliminate CAPTCHAs” by replacing them with a new way to verify your human identity by touching or looking at a device using a system called “Cryptographic Attestation of Personhood.”
The entire process took less than a second, and it is quite pleasant not to have to puzzle over grainy images of buses and bus-like objects. Beyond speed, the new method may offer significant accessibility benefits, since people with visual disabilities may be unable to complete CAPTCHAs in their current form.
In a nutshell, your device contains an embedded secure module that holds a unique secret provisioned by its manufacturer. The module can prove that it possesses that secret without ever disclosing it, and Cloudflare asks for proof that the secret was issued by a legitimate manufacturer.
While this is an intriguing concept, it is unlikely to spell the end of CAPTCHAs as we know them. For one thing, you're unlikely to see the prompt everywhere, as Cloudflare describes it as an experiment available "on a limited basis in English-speaking regions" at the moment. Additionally, it works with a limited set of hardware at the moment: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.
Cloudflare promises to "look into adding additional authenticators as soon as possible." That could include your phone: Cloudflare suggests tapping a phone to a computer and transmitting a wireless signature via NFC. Google can now treat both iPhones and Android phones as physical security keys; if Google and Apple adopt Cloudflare's method, the barrier to entry for users will be significantly reduced, as smartphones are far more prevalent than security keys.
Cloudflare’s System May Actually Be A Worse Solution
According to one critic, Cloudflare's system may actually be a worse solution. As Ackermann Yuriy (CEO of consulting firm Webauthn Works) points out, "attestation does not prove anything except the device model," which means that it does not establish whether or not someone using a device for authentication is, in fact, a human.
Cloudflare effectively admits this in its own blog post, stating that a drinking bird (those bird toys that repeatedly dip their beaks in water) could press a touch sensor on a security key, passing the authentication test. If the purpose of CAPTCHAs is to prevent bot farms from taking control of websites, we may need to consider whether bot farms equipped with jury-rigged security key devices (or worse) will exploit this vulnerability.
Cloudflare is not always positively associated with CAPTCHAs; for example, in April 2020, the company switched from Google's reCAPTCHA to a service provided by hCaptcha, and not everyone was pleased.
CAPTCHAs also assume that website owners desire relatively anonymous traffic, but anonymous identity may be irrelevant if a website has your actual identity via login information you've provided. And with the recent backlash against ad targeting, sparked in large part by Apple's massive new privacy feature in iOS 14.5 that asks users if they want each app to track them across the web, it's possible that website providers will gravitate toward logins regardless.
Though it may seem inconvenient to have to deal with additional logins (which is much easier to do with a good password manager!), that shift could, counterintuitively, have the potential benefit of pushing us toward a passwordless future even sooner. If more services push for direct logins, this could result in a greater number of them supporting security keys rather than passwords. Additionally, more sites that support security keys may exert pressure on others to do so as well, similar to the trend toward two-factor authentication via phones.
While we are not yet in a password-free future, Cloudflare's proposed CAPTCHA replacement could be a first step in that direction.