Cloudflare is currently testing a new technology to build security keys that the company intends would replace one of the most irritating aspects of browsing the Web: CAPTCHAs. The latter are used to detect bots crawling websites and are often implemented to prevent misuse of online services.
These tests, which require looking at pictures and identifying objects such as cars, bridges or bicycles, waste time and interfere with navigation. To highlight the time lost due to these tests, Cloudflare stated that “500 years are wasted every day, just for us to prove our humanity”, based on the following calculations: 32 seconds on average to complete a CAPTCHA, a test performed every 10 days, and 4.6 billion Internet users worldwide. On Thursday, Cloudflare research engineer Thibault Meunier said in a blog post that the company is “launching an experiment to end this madness” and get rid of CAPTCHAs altogether.
The way to achieve this? Use security keys as a way to prove that a human is accessing a particular website
According to Meunier, Cloudflare will start using trusted security keys – such as the YubiKey range, HyperFIDO keys and Thetis FIDO U2F keys – and will use these physical authentication devices as “cryptographic attestation of human identity”.
Cloudflare, this is how the alternative to CAPTCHAs works
Cloudflare explains how security keys work: a user visiting a website is prompted to click a button like “I am human” and then he is asked to use a security device to prove his identity. A hardware security key is then inserted into your PC or activated on a mobile device to provide a signature – using NFC wireless technology in the latter case – and a cryptographic attestation is then sent to the website.
According to Cloudflare, the test requires no more than three clicks and an average of five seconds, which could be a big improvement over the CAPTCHA’s 32-second average.
The personality test is based on the Web Authentication Attestation API (WebAuthn). All browsers on Ubuntu, macOS, Windows and iOS 14.5, as well as Chrome on Android v.10 and above are compatible. On the website cloudflarechallenge.com you can already test the alternative to the CAPTCHA.
“More importantly, this test protects user privacy since the attestation is not uniquely tied to the user’s device,” observes Cloudflare. “All device manufacturers that Cloudflare trusts are part of the FIDO Alliance. Therefore, each dongle shares its identifier with other dongles made in the same batch.” From Cloudflare’s point of view, your key looks like all the other keys in the package.”
