Cloudflare will bring about the end of CAPTCHA forms. Cloudflare, the company we know mostly as a DNS services provider, or as the one that tells you why a website you want to visit has not loaded, is developing a new system that will completely end the CAPTCHA craze on the web.
CAPTCHAs are the tests you usually have to complete while trying to log into a service, asking you to click on images of things like buses, crosswalks, or bicycles to prove you are human. (For those who don’t know, CAPTCHA is an abbreviation of the term “Fully Automated General Turing Test to Separate Computers and People”.) The problem is that CAPTCHAs make using the web a hassle, and the tests can sometimes be difficult to solve.
Cloudflare, which published a blog post on the subject, envisions using a system called “Cryptographic Proof of Personality”. In this system you prove that you are human by touching or looking at a device. Thus, the company says it aims to “get rid of CAPTCHAs completely”. The new system currently supports only a limited number of USB security keys such as YubiKeys. However, you can test the Cloudflare system for yourself on the company’s website.
The company’s website provides information on how the system works in the background. Cloudflare describes the new method as follows:
The summary of the system is that your device has an embedded secure module that contains a unique secret sealed by your manufacturer. The security module can prove that you have such a secret without revealing it. Cloudflare will ask you for proof and check if your manufacturer is legitimate.
You can read the detailed description of the system on the company’s blog.
Although it is an interesting idea, this proposed system may not yet be the end of the CAPTCHAs we know. First, Cloudflare says it’s just an experiment right now, so you probably won’t see this new system in many places. The company also states that the new system is available “on a limited basis in English-speaking areas”. And in its current state, it only works with a limited set of hardware: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.
Cloudflare promises to “try to add other authenticators as soon as possible.” This could possibly extend to your phone as well: Cloudflare is also considering letting you touch a phone to your computer to transmit a wireless signature using NFC. Google already lets both iPhones and Android phones be used as physical security keys. If Google and Apple adopt the Cloudflare method, the barrier to entry could drop significantly, since smartphones are much more common than security keys.
However, according to one criticism, Cloudflare’s system may actually offer a worse solution. As Ackermann Yuriy, CEO of consulting firm Webauthn Works, points out, “verification does not prove anything other than the device model,” meaning it does not prove whether whoever is using a device for authentication is actually a human.
Cloudflare acknowledges this in its blog post, saying that a drinking bird (the toy bird that repeatedly dips its beak in water) can pass the authentication test by pressing the touch sensor on a security key. If the goal of CAPTCHAs is to prevent robot user farms from abusing websites, we may need to consider whether robot farms equipped with specially prepared security key devices (or worse) would gain an advantage.
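To make the summary of the system and the criticism above concrete, here is an added example (not Cloudflare’s code and not the WebAuthn wire format) that models attestation with Node’s built-in `crypto` module. The manufacturer and model names, the simplified “certificate” object and all function names are assumptions made for illustration.

```javascript
// Added illustration: simplified attestation model, constructed names throughout.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const pem = (k) => k.export({ type: 'spki', format: 'pem' });
const sign = (priv, data) => crypto.sign('sha256', Buffer.from(data), priv);
const verify = (pub, data, sig) => crypto.verify('sha256', Buffer.from(data), pub, sig);

// Manufacturer: its root key certifies one batch key shared by every unit of a model.
function makeManufacturer(name) {
  const root = newKey();
  return {
    name,
    rootPub: pem(root.publicKey),
    buildBatch(model) {
      const batch = newKey(); // the secret sealed inside each unit
      const cert = { model, batchPub: pem(batch.publicKey) };
      cert.sig = sign(root.privateKey, cert.model + cert.batchPub);
      // Each unit signs the challenge; the batch private key never leaves it.
      return () => ({ attest: (ch) => ({ cert, sig: sign(batch.privateKey, ch) }) });
    },
  };
}

// Verifier: checks the manufacturer is trusted, then the challenge signature.
function verifyAttestation(trustedRoots, challenge, { cert, sig }) {
  const root = trustedRoots.find((r) =>
    verify(r.rootPub, cert.model + cert.batchPub, cert.sig));
  if (!root) return { ok: false, reason: 'unknown manufacturer' };
  if (!verify(cert.batchPub, challenge, sig)) return { ok: false, reason: 'bad signature' };
  return { ok: true, manufacturer: root.name, model: cert.model }; // all it learns
}

function demo() {
  const vendor = makeManufacturer('ExampleKeys Inc.');
  const other = makeManufacturer('Unvetted Ltd.');
  const makeUnit = vendor.buildBatch('Model-A');
  const trusted = [{ name: vendor.name, rootPub: vendor.rootPub }];
  const ch = crypto.randomBytes(32).toString('hex');
  return {
    // Two different units: the verifier cannot tell them, or their users, apart.
    first: verifyAttestation(trusted, ch, makeUnit().attest(ch)),
    second: verifyAttestation(trusted, ch, makeUnit().attest(ch)),
    stale: verifyAttestation(trusted, 'fresh-challenge', makeUnit().attest(ch)),
    untrusted: verifyAttestation(trusted, ch, other.buildBatch('Model-X')().attest(ch)),
  };
}
```

The result for `first` and `second` is identical: the check establishes a trusted manufacturer and model, not who or what touched the sensor.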