Cloudflare wants to kill the dreaded captcha for good

“Humanity wastes around 500 years a day on CAPTCHAs.”


Imagine having to identify weird, curly letters and pick out every picture containing a sidewalk before you could read this article. CAPTCHAs, short for Completely Automated Public Turing test to tell Computers and Humans Apart, are boring and can be ridiculously difficult to solve. Even so, most people resign themselves to solving them before logging into their social media platforms, entering their bank details online, or even booking a movie ticket.

That is, until now.

According to performance and web security company Cloudflare, it takes about 32 seconds for a person to complete a CAPTCHA challenge. With 4.6 billion Internet users worldwide and each user interacting with a CAPTCHA every ten days, the need to prove our humanity has become very time-consuming. It is therefore high time to put an end to the “madness” of CAPTCHA.

How Cloudflare wants to solve this problem


To replace the existing system with a new way to distinguish between machines and humans, Cloudflare proposes a system called “Cryptographic Attestation of Personhood”. The user clicks the “I am a human” button, is prompted to select their security key, and then plugs in or presses their hardware security key to produce a digital signature. A cryptographic attestation is then sent to Cloudflare, verifying the user’s humanity. The whole process supposedly takes only a few seconds, and a beta version is available to try on the Cloudflare website. This version is currently limited to a few hardware security keys, namely YubiKeys, HyperFIDO and Thetis FIDO U2F keys. The verification relies on public key cryptography, which is used to create digital signatures. The user generates a signing key, used to sign messages, and a verification key, used to check that the signature and the message are genuine.

Returning to Cryptographic Attestation of Personhood, each user’s hardware key contains a signing key. Manufacturers always sign these keys with a digital certificate. So when it asks you to prove your humanity, Cloudflare asks for your signature and checks whether your public key has been signed by the manufacturer’s key (i.e. the certificate). Since manufacturers have multiple levels of certification, the user’s device provides a chain of certificates, each signed by its predecessor and signing its successor, for verification.

For example, consider two people, Alice and Bob, who want to send love letters to each other. Alice has a laptop with a secure module that holds the signing key sk_a. Alice sends a letter to Bob, who is suspicious of its authenticity. To verify it, Bob asks Alice to provide her signature for the message ‘musical-Laboratory-ground’, which he will check against her verification key, pk_a. Alice then provides the signature sk_a(‘musical-Laboratory-ground’), which Bob confirms is associated with pk_a.
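
The challenge-signing exchange between Alice and Bob and the manufacturer certificate chain described above, as an added Node.js example that is not from Cloudflare or the original article. It assumes toy certificates (a public key plus the issuer's signature over it) in place of real X.509 and WebAuthn structures; `issue`, `verifyAttestation` and `demo` are hypothetical names.

```javascript
// Added example: simplified attestation check (assumption: toy certificates,
// not real X.509 or WebAuthn messages, and not Cloudflare's implementation).
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const der = (pub) => pub.export({ type: 'spki', format: 'der' });
const load = (buf) => crypto.createPublicKey({ key: buf, format: 'der', type: 'spki' });

// Toy "certificate": the subject's public key plus the issuer's signature over it.
function issue(issuerPriv, subjectPub) {
  const pub = der(subjectPub);
  return { pub, sig: crypto.sign('sha256', pub, issuerPriv) };
}

// Verifier side: walk the chain from the trusted manufacturer root down to the
// device key, then check the device's signature over the challenge that was issued.
function verifyAttestation(trustedRootPub, chain, challenge, signature) {
  if (chain.length === 0) return 'bad-chain';
  let issuer = trustedRootPub;
  for (const cert of chain) {
    if (!crypto.verify('sha256', cert.pub, issuer, cert.sig)) return 'bad-chain';
    issuer = load(cert.pub); // this key vouches for the next link
  }
  // `issuer` is now the device (leaf) key. A pass shows that a key from a trusted
  // manufacturer signed this challenge; it says nothing about who pressed it.
  return crypto.verify('sha256', challenge, issuer, signature) ? 'ok' : 'bad-signature';
}

// Constructed demo data: root -> intermediate -> device, plus a self-made key.
function demo() {
  const root = newKey(), inter = newKey(), device = newKey(), rogue = newKey();
  const chain = [issue(root.privateKey, inter.publicKey),
                 issue(inter.privateKey, device.publicKey)];
  const challenge = crypto.randomBytes(32); // fresh per request, so old signatures fail
  const sig = crypto.sign('sha256', challenge, device.privateKey);
  const selfMade = [issue(rogue.privateKey, rogue.publicKey)];
  const rogueSig = crypto.sign('sha256', challenge, rogue.privateKey);
  return {
    genuine: verifyAttestation(root.publicKey, chain, challenge, sig),
    replayed: verifyAttestation(root.publicKey, chain, crypto.randomBytes(32), sig),
    untrusted: verifyAttestation(root.publicKey, selfMade, challenge, rogueSig),
  };
}

console.log(demo());
```
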

Cloudflare considers this a secure system. It allows attestation without collecting biometric data. Additionally, while Cloudflare could associate a unique identifier with a user’s key, the company has said it won’t. All it will know about the user is the manufacturer of their key. Cloudflare’s new approach seems like a great answer to boring CAPTCHAs. Nonetheless, it may be some time before we can be sure that it will replace them. For one thing, Cloudflare’s latest experiment is, for now, limited to certain hardware keys, regions, and languages.

Hardware security keys (Source: Cloudflare)

Cloudflare’s new system has also drawn criticism. According to Yuriy Ackermann, CEO of consulting firm WebAuthn Works, the attestation proves nothing other than the model of the device. The device could be presented for authentication by a non-human entity. In addition, it remains to be seen whether bots could be equipped with technologies such as a jury-rigged security system and take advantage of this system. Despite these concerns, Cloudflare’s Cryptographic Attestation of Personhood appears to be an important step towards a permanent solution to the CAPTCHA problem.

Mita Chaturvedi
