Popular CDN and DNS service provider Cloudflare wants to put an end to CAPTCHAs, claiming that humanity wastes 500 hours staring at the annoying “prove you’re not a robot” tests every day. And while the company’s proposed replacement isn’t exactly perfect, it’s a step in the right direction that could lay the groundwork for future authentication standards.
CAPTCHA is a “Completely Automated Public Turing test to tell Computers and Humans Apart.” Like a bouncer at a nightclub, CAPTCHA uses simple questions or puzzles to prevent robots from overrunning websites. But CAPTCHA sucks. The tests are slow and confusing, they don’t always work correctly, and they’re not always accessible to those who are visually impaired.
Google is trying its hardest to fix CAPTCHA, but Cloudflare wants to kill it off and replace it with something called “Cryptographic Attestation of Personhood,” which is a fancy way of saying “a piece of hardware that proves you’re a human.” Unsurprisingly, Cloudflare is focusing on USB security keys in its early tests for this authentication method.
If you own a YubiKey, HyperFIDO key, or Thetis FIDO U2F security key, then you can test Cloudflare’s impressive new authentication system now. Simply connect the USB security key to your computer, give the website permission to see your key, click the key, and then you’re off to the races (well, you’re redirected back to Cloudflare’s blog). Not only is the system fast, but it’s accessible to people who are visually impaired. It also protects user privacy, as the security key that vouches for your humanity isn’t uniquely tied to your name or device.
It wouldn’t take much work for the technology to support mobile phones, which can stand in for security keys thanks to Google. Cloudflare also proposes a future where manufacturers build “Cryptographic Attestation of Personhood” hardware directly into devices. These chips could verify that your computer is real and unique using a special code associated with the manufacturer.
But are these authentication methods effective? What’s stopping a robot from using (or spoofing) a USB security key, or any other “attestation” tools? As Webauthn Works CEO Ackermann Yuriy points out, FIDO keys are not only easy to spoof, but they also work incredibly fast and are relatively anonymous, so a bot farm hooked up to a handful of keys could easily overrun a website protected with Cloudflare’s system.
People are already plotting elaborate schemes to break past Cloudflare’s proposed CAPTCHA replacement, an indicator that “Cryptographic Attestation of Personhood” isn’t the future, at least not in its current state. But the authentication method is incredibly convenient, fairly private, and fairly easy to implement. In short, the floodgates are open, it’s time for CAPTCHA to die, and Cloudflare is taking the first step in the right direction.