Cloudflare reveals plan to end CAPTCHA 'madness'

Cloudflare says the CAPTCHA system wastes nearly 500 human years every single day

Web security and network services provider Cloudflare has announced a new experiment to replace CAPTCHA challenges, so users aren't forced to identify traffic lights or bicycles while browsing the web.

Many websites use CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) tools to differentiate between humans and robots, preventing spam. CAPTCHA comes in a variety of forms, including image- and text-based puzzles and the common 'I'm not a robot' reCAPTCHA checkbox.

CAPTCHA has helped several sites prevent bots from flooding their systems and overloading them, which would deny service to human users. Cloudflare acknowledges that 'CAPTCHAs strengthen the security of online services' but argues 'there's a very real cost associated' with the system.

'Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge.

'There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days. This very simple back of the envelope math equates to somewhere in the order of 500 human years wasted every single day — just for us to prove our humanity.'

The company wants to replace CAPTCHA with a new technique dubbed 'Cryptographic Attestation of Personhood' (a bit of a stretch for the CAP acronym) for users to prove they are real people.

Traditionally, user authentication relies on one of three factors: something you know, something you own, or something you are (such as biometrics). Existing CAPTCHA challenges use the first of those, while Cloudflare's system moves to 'something you own', much as multifactor authentication does.

As part of the new system, 'a real human should be able to touch or look at their device to prove they are human, without revealing their identity,' according to Cloudflare.

The firm says the CAP technology will use USB security keys like YubiKey, and will reduce user authentication to just five seconds and three clicks.

When a user visits a website protected by the technology, they will be served a challenge asking them to click a button and plug in their YubiKey or another supported USB security key (or tap it to their phone with NFC). The key then produces a cryptographic attestation, which is sent to Cloudflare. If the attestation verifies, the user is admitted to the website. Cloudflare has published a working demo of the flow.

According to Cloudflare, this technique for verifying a human user will take only five seconds, much faster than the existing CAPTCHA technology, although it does rely on users always having access to a physical security key (and they'll probably waste more than 32 seconds looking for it).

The system will work on all browsers on Windows, Ubuntu, macOS, and iOS 14.5, though Android users will have to use Chrome.