Awani Review

Complete News World

Cloudflare would like to make captchas outdated

Cloudflare is testing the ability to replace security keys with captcha. This is a set of Turing tests that automatically differentiate between a human user and a computer. CAPTCHA tests are fully automated, requiring only seconds of user time. The goal is to reduce the cost associated with manual discovery of user identity and increase performance, that is, the number of forms submitted by real people and processed by the website per unit of time.

CAPTCHA (short for “Fully Automated General Turing Test for Informing Computers and Humans Apart”) is a security measure of the “Question and Answer Authentication” type. Verification usually uses the human image or the ability to analyze sound. Initially, a CAPTCHA test can consist of two parts: a random sequence of letters and / or numbers that appear garbled, and a text box. To pass the test, all you have to do is type the letters from the image into the text box. Some websites have preferred to display an image with a math question.

But in 2017, that visual measure was bypassed when Google introduced the Captcha test which only uses a simple checkbox. Google has made it clear that it analyzes all user behavior prior to clicking. This should especially include mouse tracking technologies. It was then that the tests were born as the internet user had to look at pictures and choose things like cars, bridges or bicycles.

Cloudflare would like to get rid of it. With Thibault Meunier, an in-house research engineer, the company explains:

“Based on our data, it takes an average of 32 seconds for a user to complete a CAPTCHA. There are 4.6 billion internet users in the world. We assume that an average internet user sees approximately one CAPTCHA every 10 days.

See also  Redemption of the Hero Quebec Magazine

“This very simple calculation of the back of the envelope equates to somewhere in the range of 500 human years lost every day – just so that we can prove our humanity.

Today, we’re launching an experiment to put an end to this madness. We want to get rid of CAPTCHA completely. The idea is very simple: a real human should be able to touch or look at their devices to prove that they are human, without revealing their identity. We want you to be able to prove that you are a human without revealing which human you are! You may ask if this is possible? The answer is yes! We started with reliable USB drives (like YubiKey) that have been around for a while, but more and more phones and computers come with this capability by default. “

CAPTCHA without picture: a personal encryption certificate

The solution that Cloudflare suggested is a case-to-case crypto certification. From a user’s point of view, this certificate works as follows:

  1. The user accesses a website that is protected with a state-of-the-art encryption certificate, such as
  2. Cloudflare is running a test.
  3. The user clicks on I am human (beta) and prompts him for a security device.
  4. The user decides to use the machine’s security key.
  5. User connects the device to the computer or clicks on the phone for wireless signing (using NFC).
  6. Cloudflare is sent an encryption certificate, which allows the user to log in after verifying the user’s attendance test.

According to Thibault Meunier, this flush takes five seconds to complete. Most importantly: “This challenge protects user privacy because authentication is not only linked to the user’s device. All device manufacturers that Cloudflare trusts are part of the FIDO Alliance. As such, each device key shares an ID with other keys made in the same group. From Cloudflare’s perspective, your key looks like any other key in the package. ”

See also  While Suda51 dreams of Marvel, Grasshopper has three new licenses in the works

It takes a maximum of three clicks to complete the person-status cipher certificate: “No loop, the user is invited to click on buses 10 times in succession”.

Although there are a variety of hardware security keys, Cloudflare’s initial deployment is limited to a few devices: YubiKeys; HyperFIDO keys and Thetis FIDO U2F keys.

Encrypted authentication on a person’s status is based on WebAuthn. This is an API that has been standardized in W3C and has already been implemented in most modern web browsers and operating systems. It aims to provide a standard interface to authenticate users on the web and take advantage of the encryption ability of their devices.


“Designing a challenge to protect millions of Internet features is no easy task. In the current configuration, we believe that a cryptic person-status certificate provides robust guarantees of security and usability over traditional CAPTCHA challenges. In a preliminary user study, users indicated a strong preference for touching their device key rather than clicking Images However, we know that this is a new system that could be improved upon.

“This experience will be available on a limited basis in English speaking areas. This allows us to diversify the user group and test this process in different places. However, we recognize that this coverage is insufficient and intend to conduct further testing. If you have specific needs,” Please feel free to contact us.

Another issue that we are watching closely is security. The security of this challenge relies on core hardware provided by trusted manufacturers. We are convinced that they are safe. If there is a breach, we will be able to quickly revoke the licensing of public keys from manufacturers at various levels of accuracy. “

See also  At the age of eleven, he found a loophole in the merchant site lottery and bought an RTX 3090

Source : Cloudflare

And you?

What do you think about CAPTCHA? How often do you experience it while browsing the web (rarely, sometimes, often, all the time)?
What do you think of Cloudflare’s solution?

See also:

Cloudflare has decided to abandon reCAPTCHA by Google in favor of the alternative service hCaptcha because Google will charge a fee for using the service.
“CAPTCHA tests don’t recognize us as human beings,” Australian Associations of Persons with Disabilities want to see them disappear from the web