Cloudflare wants to kill the CAPTCHA using hardware security keys

nanoguy

Posts: 764   +12
Staff member
Something to look forward to: Most of us have had to deal at least a few times with CAPTCHAs on websites that wouldn't load because of a suspicion that we might be...robots. Solving those CAPTCHAs is a frustrating process, and Cloudflare says it has an idea on how to minimize and eventually eliminate them.

Cloudflare is one of the top providers of web infrastructure and security, content delivery, and DNS, among others. The company has also been offering businesses bot management solutions -- including CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) services -- but it has now decided to kill the need for them once and for all.

Cloudflare relied on Google's reCAPTCHA for years, but that left little room for customization and eventually raised some privacy concerns, as Google may use data from that service to train its visual identification systems for Waymo autonomous tech. That led to a move to hCaptcha last year, but the company did note at the time that CAPTCHAs are not ideal solutions and that it was working on a way to make them redundant.

CAPTCHAs are a big headache for users, as they take an average of 32 seconds to complete since they've gotten harder and harder over the years. A point can be made that in most cases they just serve to prove you have no visual disability or cognitive impairment, or even arguably that you are American.

Assuming the 4.6 billion Internet users stumble upon a CAPTCHA every 10 days, that would result in 500 human years being wasted every day to prove that we're human to one web service or another.

Businesses similarly hate the need for CAPTCHAs as they introduce a lot of friction for their users, potentially leading them to leave after dealing with the frustrating process of clicking on the right squares in a puzzle.

Cloudflare's proposed solution to this insanity is to have you prove your humanity by touching or looking at the device you're using, a system it calls "Cryptographic Attestation of Personhood." The company is first testing trusted security keys, which are specialized USB devices that have been around for a while and have become a popular choice for multi-factor authentication alongside password managers.

Examples include Yubico's Yubikeys, the Thetis Fido U2F, and the HyperFIDO security key. Cloudflare's new system is simple: when you get challenged on a website, all you have to do is click an "I am human" button, plug in a security key or tap it to an NFC-capable smartphone, and a resulting cryptographic attestation is sent to Cloudflare so that you can proceed to visit the website.

The company says the process shouldn't take more than five seconds, and this also protects your privacy since the attestation is not tied to your device in any way. Another advantage is that it doesn't involve the hassle of going through wrongly solved CAPTCHAs until you get one right.

On the other hand, Cloudflare admits this new system may fail to prove that you're a human, since all it really does right now is confirm that you're using a trusted security key. Still, it may be a step in the right direction, as CAPTCHAs can be fooled by artificial intelligence and incur a high cost to businesses who depend on them for an added layer of security.

If you want to try the proposed system for yourself, you can do so here. It should work on Windows, macOS, Ubuntu, iPhones and iPads that are updated to iOS 14.5, and Android phones running Android 10 or later. You can use any browser on most devices, but on Android you'll have to use Chrome. Keep in mind this is still in the experimental phase and might only be available in English-speaking regions, but Cloudflare says you can always reach out if you have specific needs you want to discuss.

Permalink to story.
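How the check described in the story can refuse a replayed message or a key that no manufacturer vouches for, as an added example that is not from the article or from Cloudflare. It is a simplified model: raw signatures stand in for the X.509 attestation certificates real security keys carry, and every name in it (`vendorRoot`, `batchKey`, `checkAttestation` and so on) is constructed for illustration.

```javascript
// Added illustration (simplified model, not Cloudflare's implementation).
const crypto = require("node:crypto");

const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const pem = (k) => k.publicKey.export({ type: "spki", format: "pem" });
const sign = (k, data) => crypto.sign("sha256", Buffer.from(data), k.privateKey);
const verify = (pubPem, data, sig) =>
  crypto.verify("sha256", Buffer.from(data), pubPem, sig);

// Manufacturer (constructed): the root key endorses one batch key that is built
// into many identical security keys, so it does not single out one device.
const vendorRoot = newKey();
const batchKey = newKey();
const batchCert = { pub: pem(batchKey), sig: sign(vendorRoot, pem(batchKey)) };

// Security key: after the user's touch, sign the challenge the server sent.
function attest(key, cert, challenge) {
  return { cert, challenge, sig: sign(key, challenge) };
}

// Server: single-use random challenges and a list of trusted manufacturer roots.
const trustedRoots = [pem(vendorRoot)];
const pending = new Set();
function newChallenge() {
  const c = crypto.randomBytes(32).toString("hex");
  pending.add(c);
  return c;
}
function checkAttestation(a) {
  // A challenge is consumed on first use, so a stored message cannot be resent.
  if (!pending.delete(a.challenge)) return "unknown or replayed challenge";
  // The batch key must be endorsed by a manufacturer root the server trusts.
  const endorsed = trustedRoots.some((r) => verify(r, a.cert.pub, a.cert.sig));
  if (!endorsed) return "batch key not endorsed by a trusted manufacturer";
  // The challenge must be signed by the private half of that batch key.
  if (!verify(a.cert.pub, a.challenge, a.sig)) return "bad challenge signature";
  return "ok";
}

// A genuine key passes once; sending the same message again is refused.
const genuine = attest(batchKey, batchCert, newChallenge());
console.log(checkAttestation(genuine));
console.log(checkAttestation(genuine));
```

A pass here shows only that a key endorsed by a trusted manufacturer signed a fresh challenge, which is the limitation the article notes.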

 

R00sT3R

Posts: 419   +1,114
Personally, I'd like to know the names of the snot-nosed millennials at Google HQ that came up with the 'Captcha' abomination and put them on trial for crimes against humanity.

Go out and get a real, productive job, useful to society, instead of coming up with vacuous group think ideas that nobody wants and just annoy the crap out of everyone, whilst spouting your 20 something narcissistic angst in the Google play area, whilst downing ethically sourced herbal tea and trying to out do each other with your levels of virtue signalling to your co-workers, on the latest trendy social cause on Twatter.

..bunch of wasters.

Yes, I hate Captcha, that much

/Rant.
 

Austinturner

Posts: 156   +159
Computer mouse with fingerprint reader?
Good or bad idea?
It doesn’t prove anything, remember a captcha tries to prove you are human, but a bot could simply store and resend a fingerprint message (much like the issue with cloudflare’s idea, but much easier).
Also, you don’t want to be sending your fingerprints to web services, they should stay on your device for security.
 

hahahanoobs

Posts: 3,343   +1,508
It doesn’t prove anything, remember a captcha tries to prove you are human, but a bot could simply store and resend a fingerprint message (much like the issue with cloudflare’s idea, but much easier).
Also, you don’t want to be sending your fingerprints to web services, they should stay on your device for security.
I never knew where device fingerprints were stored. Good to know. Thanks.
 

Theinsanegamer

Posts: 2,446   +3,596
Yes, let's start spreading our fingerprints all over Google. Sounds like a great idea that can't possibly backfire.

Screw Google and screw captcha.
 

VEGGIM

Posts: 35   +7
I'm pretty sure the small issue is that you need money to buy a key, and they are like $20-$40. Who is going to pay that amount of money to access a single website?
 
Had to check if this article is from April 1, but it is not. Is this satire?

This is the dumbest approach to this problem I can imagine. Even if we say robots can't use USB ports (which they definitely can). A security key like YubiKey can surely be emulated without problem. The only purpose of these security tokens is to generate a seeded key without ever granting access to the seed. The seed is a random value and doesn't contain any information except the entropy it provides to the key generation function. The security token is no more than a tamper-proof microcontroller with a bit of flash memory. There is no reason this couldn't be emulated by a computer.

This approach would probably not only be ineffective but would probably even be a much bigger obstacle for real users (who have to buy this key) than for robots, which would just emulate the key function and simulate a keyboard input. This is dumb.
 

bviktor

Posts: 398   +701
Dear Cloudflare: the LAST thing people want is another gadget they need to carry with themselves everywhere. Trust me, I tried really hard, but at the end of the day, I just gave up using U2F too. And I'm a security-centric professional.
 

captaincranky

Posts: 16,696   +5,458
So since we would have to buy one of these keys (presumably individualized), does that mean porn would no longer be free?
 

captaincranky

Posts: 16,696   +5,458
Captcha is the stupidest thing ever.
And they can be so ridiculously subjective.
Isn't that the whole point, for them to be subjective?
If you can't figure out how many squares contain a piece of the fire hydrant, you're either likely not human, or you need glasses.

If the latter, (needing glasses) is the issue, then you've probably been overindulging in what's behind the Captcha
 

captaincranky

Posts: 16,696   +5,458
Assuming the 4.6 billion Internet users stumble upon a CAPTCHA every 10 days, that would result in 500 human years being wasted every day to prove that we're human to a web service or another.
500 years as opposed to what? We likely waste millions of "human years" each and every day, blabbering on sell phones, window shopping at Amazon, not to mention the hours wasted posting at topic websites. (You know who you are) ;)

How many "human years" are wasted pissing and moaning about the unavailability of video cards, PS-5s, ad nauseam, daily?
 

Aceseven

Posts: 22   +45
I'm torn,

I deal with YubiKeys for my job and since my only PC at home is my desktop connected to a massive TV for movies, if moving to touch it to not deal with captchas is the choice then I'll take the damn YubiKey.

captchas are retarded and these days it isn't just one, they keep popping in new images and bs, at this rate I've just settled that in the future the internet will be useless cause you'll spend all day verifying yourself.

don't even get me started on 2 factor, putting in my password on a site just to hear my phone ding way the f**k down the hall in a coat pocket sends me into a blind rage.
 

captaincranky

Posts: 16,696   +5,458
I'm torn,

I deal with YubiKeys for my job and since my only PC at home is my desktop connected to a massive TV for movies, if moving to touch it to not deal with captchas is the choice then I'll take the damn YubiKey.

captchas are retarded and these days it isn't just one, they keep popping in new images and bs, at this rate I've just settled that in the future the internet will be useless cause you'll spend all day verifying yourself.

don't even get me started on 2 factor, putting in my password on a site just to hear my phone ding way the f**k down the hall in a coat pocket sends me into a blind rage.
Have you considered the fact that if you allow yourself to be identified by hardware means, it would render all VPNs practically useless?

I think I'll go out and buy a cellphone with GPS, so that I can whimper and whine that I'm being tracked, and people know where I am, and have been.

The way I figure it is this, if you're too dumb, blind, or lazy to get past the Captcha, you don't deserve to get to the content. (Whatever that may be).
 
Dear Cloudflare: the LAST thing people want is another gadget they need to carry with themselves everywhere. Trust me, I tried really hard, but at the end of the day, I just gave up using U2F too. And I'm a security-centric professional.
I work in IT too and I see no problem in carrying a YubiKey with me. It basically has the same form factor as a regular key and is much easier and more secure to use than TOTP.

All this still doesn't change anything about the fact that it is technically BS to use it this way. The only thing which makes the key special is that the seed can't be accessed by the computer. When this kind of attack is no concern the device can be emulated without problems. Websites won't be able to detect if there is a physical security key involved or not and even if they did they would just verify the computer actually has a USB port.

Instead of using Cloudflare with Captchas websites should be designed to only serve static content to unauthenticated users and do proper caching because this is the actual purpose of Cloudflare Captchas. To prevent DDOS attacks.
 

captaincranky

Posts: 16,696   +5,458
I work in IT too and I see no problem in carrying a YubiKey with me. It basically has the same form factor as a regular key and is much easier and more secure to use than TOTP.

All this still doesn't change anything about the fact that it is technically BS to use it this way. The only thing which makes the key special is that the seed can't be accessed by the computer. When this kind of attack is no concern the device can be emulated without problems. Websites won't be able to detect if there is a physical security key involved or not and even if they did they would just verify the computer actually has a USB port.

Instead of using Cloudflare with Captchas websites should be designed to only serve static content to unauthenticated users and do proper caching because this is the actual purpose of Cloudflare Captchas. To prevent DDOS attacks.
If you don't mind me asking, how did you get my user name as being quoted, with someone else's post under it?

Since you're in IT, should we call that a "redirect"?

Now, M$ can identify the hardware in any system in which Windows is installed. It's how they know that Windows is activated. Why do you suppose that other servers couldn't do the same damned thing? It's not like corporations and file sharing platforms have any ethics, other than those which are imposed upon them.

I still say, if you're forced to use hardware to access any site, then VPN becomes useless.
 
If you don't mind me asking, how did you get my user name as being quoted, with someone else's post under it?

Since you're in IT, should we call that a "redirect"?

Now, M$ can identify the hardware in any system in which Windows is installed. It's how they know that Windows is activated. Why do you suppose that other servers couldn't do the same damned thing? It's not like corporations and file sharing platforms have any ethics, other than those which are imposed upon them.

I still say, if you're forced to use hardware to access any site, then VPN becomes useless.
I don't know how this happened. Probably a bug somehow related to displaying this website on a crappy phone.

I actually replied to a comment about this not being practical because people have to buy these keys.

To your question. I think this heavily depends on what the use of a VPN is in your opinion. VPNs are usually meant to encrypt traffic when using an unsafe network and to access resources of another network. This purpose of course isn't touched. If we are speaking about VPNs for anonymization I think they should be only used to bypass geoblocking anyway. VPNs don't offer a lot of security in terms of anonymity. They are probably even less secure than the Incognito mode (which doesn't offer a lot of security) due to all properties of the browser being exposed. If you want privacy you need to use something like the Tor Browser which not only hides your IP but your browser fingerprint too. Anyway. I think everyone able to set up Tor would probably also find out how to bypass this. You could flash the seed of your security key after every session or you could just use a software to emulate this key in the first place.
 

Avro Arrow

Posts: 1,249   +1,384
TechSpot Elite
This idea is just beyond stupid.
Sure, cloudflare wants to make an algorithm to get around captchas. Let's say that they're successful. Then some bot griefers get ahold of it and suddenly sites are going down left and right from bot attacks.

This is one of the worst ideas that I've ever seen when it comes to internet usage. People are lazy and impatient so let's get rid of the one thing that actually prevents bots from doing damage. The only reason that captchas have gotten more difficult is because bot programmers have managed to make better bots. As is typical with ignorant and self-centred people, users assume that the sites using captchas are just doing it to be a pain in their posteriors. It never occurs to them that the sites DON'T want to use captchas because they know that users find them annoying and they have to pay a subscription fee to have captchas on their sites.

Here's a better idea, how about spending the time and effort to remove the reason that captchas exist in the first place? The answer - because a cure is never as profitable as a treatment.
 

Wereweeb

Posts: 28   +52
I still have zero clue as to what this is supposed to mean. If it means I need a unique hardware key, they can **** right off.

And I never had any real problem with Captchas. Remember to turn on your brains before doing them.