Cloudflare Wants to Replace CAPTCHA with Hardware Security Keys


CAPTCHAs are annoying, and we all agree that they are one of the worst parts of the modern web. However, they are essential for keeping bots and potential spam off online services. To find a middle ground, Cloudflare is exploring the possibility of using hardware security keys as a way to prove you’re a human.

Cloudflare Cryptographic Attestation of Personhood

As per Cloudflare, a user spends at least 32 seconds to complete a CAPTCHA challenge. Assuming that a user comes across a CAPTCHA once every 10 days, that’s roughly 500 human years wasted every single day. To avoid this, the company is proposing what it calls ‘Cryptographic Attestation of Personhood’.

In a recent blog post, Cloudflare detailed how the technology works. According to the company, users can plug in a hardware security key after clicking on the ‘I am a human’ prompt on supported websites. Soon after, a cryptographic attestation is sent to Cloudflare and the user’s presence is verified.

When Cloudflare tested this flow, it took just five seconds and three clicks. Cloudflare says you don’t have to worry about privacy concerns since the attestation is not linked to the user’s device. At this moment, the feature supports select security key makers that are part of the FIDO Alliance. Supported devices in the initial rollout include YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys. If you have a compatible security key, you can test the feature from this website.

“By offering a CAPTCHA alternative via a single touch backed by YubiKey hardware and public key cryptography, Cloudflare’s Cryptographic Attestation of Personhood experiment could help further reduce the cognitive load placed on users as they interact with sites under strain or attack,” said Christopher Harrell, Chief Technology Officer at Yubico.

Cloudflare’s cryptographic attestation of personhood works on devices that support the Web Authentication API. The company says it works on all browsers on Windows, macOS, Ubuntu, and iOS 14.5. On the Android side of things, the feature works on Chrome with phones running Android 10 and later.
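In the Web Authentication API, the "user presence" the article mentions is carried as a single flag bit in the authenticator data returned alongside an attestation. The following added example (not Cloudflare's code and not part of the original article) parses that structure as laid out in the WebAuthn specification and rejects responses where the key was not touched. Function names and sample bytes are constructed for illustration, and signature and attestation certificate validation are assumed to happen elsewhere.

```javascript
// Added example, not Cloudflare's code. Layout per the WebAuthn spec:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present (the key was touched)
const FLAG_UV = 0x04; // user verified (PIN or biometric)
const FLAG_AT = 0x40; // attested credential data follows

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHashHex: toHex(bytes.subarray(0, 32)),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount: view.getUint32(33, false), // false = big-endian
  };
}

// expectedRpIdHashHex: SHA-256 of the site's RP ID, computed by the caller.
function checkPresence(bytes, expectedRpIdHashHex) {
  let parsed;
  try {
    parsed = parseAuthenticatorData(bytes);
  } catch (err) {
    return { ok: false, reason: "malformed" };
  }
  if (parsed.rpIdHashHex !== expectedRpIdHashHex.toLowerCase()) {
    return { ok: false, reason: "rp-id-mismatch" };
  }
  if (!parsed.userPresent) {
    return { ok: false, reason: "user-not-present" };
  }
  return { ok: true, reason: "present" };
}

// Constructed sample: placeholder hash bytes, not a real RP ID hash.
function sampleAuthData(flags) {
  const data = new Uint8Array(37).fill(0xab, 0, 32);
  data[32] = flags;
  data[36] = 5; // signCount = 5
  return data;
}
const SAMPLE_RP_HASH = "ab".repeat(32);
```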
