Cloudflare wants to kill the CAPTCHA using hardware security keys

Most of us have had to deal at least a few times with CAPTCHAs on websites that wouldn’t load because of a suspicion that we might be…robots. Solving those CAPTCHAs is a frustrating process, and Cloudflare says it has an idea on how to minimize and eventually eliminate them.

Cloudflare is one of the top providers of web infrastructure and security, content delivery, and DNS, among other services. The company has also been offering businesses bot management solutions — including CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) services — but it has now decided to kill the need for them once and for all.

Cloudflare relied on Google’s reCAPTCHA for years, but that left little room for customization and eventually raised some privacy concerns, as Google may use data from that service to train its visual identification systems for Waymo autonomous tech. That led to a move to hCaptcha last year, but the company did note at the time that CAPTCHAs are not ideal solutions and that it was working on a way to make them redundant.

CAPTCHAs are a big headache for users, as they take an average of 32 seconds to complete since they’ve gotten harder and harder over the years. A point can be made that in most cases they just serve to prove you have no visual disability or cognitive impairment, or even arguably that you are American.

Assuming the 4.6 billion Internet users stumble upon a CAPTCHA every 10 days, that would result in 500 human years being wasted every day to prove that we’re human to one web service or another.

Businesses similarly hate the need for CAPTCHAs as they introduce a lot of friction for their users, potentially leading them to leave after dealing with the frustrating process of clicking on the right squares in a puzzle.

Cloudflare’s proposed solution to this insanity is to have you prove your humanity by touching or looking at the device you’re using, a system it calls “Cryptographic Attestation of Personhood.” The company is first testing trusted security keys, which are specialized USB devices that have been around for a while and have become a popular choice for multi-factor authentication alongside password managers.

Examples include Yubico’s YubiKeys, the Thetis Fido U2F, and the HyperFIDO security key. Cloudflare’s new system is simple: when you get challenged on a website, all you have to do is click an “I am human” button, plug in a security key or tap it to an NFC-capable smartphone, and a resulting cryptographic attestation is sent to Cloudflare so that you can proceed to visit the website.

The company says the process shouldn’t take more than five seconds, and this also protects your privacy since the attestation is not tied to your device in any way. Another advantage is that it doesn’t involve the hassle of going through wrongly solved CAPTCHAs until you get one right.

On the other hand, Cloudflare admits this new system may fail to prove that you’re a human, since all it really does right now is confirm that you’re using a trusted security key. Still, it may be a step in the right direction, as CAPTCHAs can be fooled by artificial intelligence and incur a high cost to businesses that depend on them for an added layer of security.

If you want to try the proposed system for yourself, you can do so here. It should work on Windows, macOS, Ubuntu, iPhones and iPads that are updated to iOS 14.5, and Android phones running Android 10 or later. You can use any browser on most devices, but on Android you’ll have to use Chrome. Keep in mind this is still in the experimental phase and might only be available in English-speaking regions, but Cloudflare says you can always reach out if you have specific needs you want to discuss.