Cloudflare wants to kill the CAPTCHA

Security keys could not only bolster authentication but may also remove one of the most annoying aspects of the internet.

Cloudflare is testing out the possibility of security keys replacing one of the most irritating aspects of web browsing: the CAPTCHA. 

CAPTCHAs are used to catch out bots that are trawling websites and are often implemented to prevent online services from being abused. 

These irritating tests, which require you to look at images and pick out objects such as cars, bridges, or bicycles, take up time, frustrate us, and disrupt our browsing activities. You're also more likely to see them when you are using a virtual private network (VPN). 

"CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high-performing online business will tell you, it's not something you want to do unless you have no choice," Cloudflare says.

To highlight the amount of time lost to these tests, Cloudflare said that based on calculations of an average of 32 seconds to complete a CAPTCHA, one test being performed every 10 days, and 4.6 billion internet users worldwide, roughly "500 human years [are] wasted every single day -- just for us to prove our humanity."

On Thursday, Cloudflare research engineer Thibault Meunier said in a blog post that the company was "launching an experiment to end this madness" and get rid of CAPTCHAs completely. 

The means to do so? Using security keys as a way to prove we are human. 


According to Meunier, Cloudflare is going to start with trusted security keys -- such as the YubiKey range, HyperFIDO keys, and Thetis FIDO U2F keys -- and use these physical authentication devices as a "cryptographic attestation of personhood."

This is how it works: A user is challenged on a website, the user clicks a button along the lines of "I am human," and is then prompted to use a security device to prove themselves. A hardware security key is then plugged into their PC or tapped on a mobile device to provide a signature -- using wireless NFC in the latter example -- and a cryptographic attestation is then sent to the challenging website. 


Cloudflare says the test takes no more than three clicks and an average of five seconds -- potentially a vast improvement on the CAPTCHA's average of 32 seconds. 

"More importantly, this challenge protects users' privacy since the attestation is not uniquely linked to the user device," Cloudflare notes. "All device manufacturers trusted by Cloudflare are part of the FIDO Alliance. As such, each hardware key shares its identifier with other keys manufactured in the same batch. From Cloudflare's perspective, your key looks like all other keys in the batch."

The personhood test relies on the Web Authentication (WebAuthn) Attestation API. All browsers on Ubuntu, macOS, Windows, and iOS 14.5, as well as Chrome on Android v.10+, are compatible. 
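The flow described above, as an added illustration that is not Cloudflare's code: the browser asks the security key for a direct attestation, and the verifier reads the AAGUID out of the returned authenticator data, which is why the site sees a model- or batch-level identifier rather than a per-key one. The relying-party name and id, the throwaway user identity and the sample bytes are assumptions constructed for the example.

```javascript
// Added example, not Cloudflare's code. Step 1 runs in the browser after the
// user clicks "I am human": ask the security key for a *direct* attestation.
// `challenge` is the random nonce the challenging site issued; rp/user values
// are assumptions, and the user identity is a throwaway because the site does
// not need to know which human is answering.
async function requestAttestation(challenge, rpId) {
  const credential = await navigator.credentials.create({
    publicKey: {
      challenge,                                          // Uint8Array from server
      rp: { id: rpId, name: "Challenge page" },
      user: {
        id: crypto.getRandomValues(new Uint8Array(16)),   // random, never stored
        name: "anonymous",
        displayName: "anonymous",
      },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      attestation: "direct",                              // request manufacturer attestation
    },
  });
  return new Uint8Array(credential.response.attestationObject); // sent to the site
}

// Step 2 runs on the verifier. Inside the attestation object, authData is laid
// out as rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] |
// credId | COSE key. The 16-byte AAGUID identifies the authenticator model
// (the attestation certificate, shared by a whole batch, sits elsewhere in the
// object), so nothing parsed here is unique to one physical key.
function parseAuthData(authData) {
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  if (!(flags & 0x40)) throw new Error("AT flag clear: no attested credential data");
  const hex = Array.from(authData.subarray(37, 53), b => b.toString(16).padStart(2, "0")).join("");
  const aaguid = [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
  const credIdLen = view.getUint16(53);                   // big-endian per spec
  return {
    userPresent: Boolean(flags & 0x01),                   // the tap/press happened
    signCount: view.getUint32(33),
    aaguid,
    credentialId: authData.subarray(55, 55 + credIdLen),
  };
}

// Constructed sample authData (not captured from a real key): zero rpIdHash,
// flags UP|AT (0x41), counter 7, a made-up AAGUID and a 4-byte credential id.
const SAMPLE_AUTH_DATA = new Uint8Array([
  ...new Array(32).fill(0), 0x41, 0, 0, 0, 7,
  0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
  0, 4, 0xde, 0xad, 0xbe, 0xef,
]);
```

Verifying the attestation signature and certificate chain is a separate step; this block only shows which identifier the site ends up seeing.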

You can access cloudflarechallenge.com to try out the system. As the rollout is still in its experimental phase, Cloudflare says it is currently integrating the test with its existing challenges -- but we will likely spot it more often over time. 

"We want to know that you're human," Meunier says. "But we're not interested in which human you are."

In related news this week, GitHub announced security key support for SSH Git operations.

The code repository platform said that it eventually hopes to move away from passwords altogether and supporting security keys is a necessary step in the journey -- as well as one that can help protect developers now against accidental exposure, account compromise, and malware. 
