Cloudflare announces a complete break from 'CAPTCHA madness' and proposes a system that uses physical security keys



When using a web service, you may be required to pass a test called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to prove that you are a human being. Cloudflare has stated that it will 'completely eliminate CAPTCHA recognition of characters and images,' and has proposed a new system, 'Cryptographic Attestation of Personhood,' that uses physical security keys.

Humanity wastes about 500 years per day on CAPTCHAs. It's time to end this madness
https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/

Cloudflare wants to kill the CAPTCHA | ZDNet
https://www.zdnet.com/article/cloudflare-wants-to-kill-the-captcha/

CAPTCHAs were developed by the search engine AltaVista in 1997 to reduce spam submissions by bots. A CAPTCHA proves that the user is human by displaying a random string of letters and numbers, intentionally distorted so that image recognition is difficult, and having the user type it in by hand. There are many systems similar to CAPTCHA; reCAPTCHA, which asks you to select images of buses and fire hydrants, was developed by Google and is used in many web services.



According to Cloudflare data, it takes users an average of 32 seconds to pass a CAPTCHA image recognition test. Given that there are 4.6 billion Internet users worldwide and each one clears one CAPTCHA every 10 days, Cloudflare claims that a total of 500 years of time is wasted per day just 'to prove that humans are humans.'

Cloudflare cites the following four issues with CAPTCHAs.

◆ 1: Productivity
It takes away time users need for the task at hand and frustrates them.

◆ 2: Accessibility
A certain level of physical and cognitive ability is required to pass the CAPTCHA test. For example, if you are visually impaired, it will be difficult to pass the CAPTCHA test.

◆ 3: Cultural knowledge
For example, many of the 'fire hydrants' shown in the test are from the United States, but it is difficult for people from other countries to know what an American fire hydrant looks like. Taxis are generally yellow in New York but are often black in London, so the difficulty of a CAPTCHA test varies greatly from region to region.

◆ 4: Interaction on mobile devices
Many of the devices that access the Internet are now handheld smartphones. However, the CAPTCHA test is difficult to clear on the small screen of a smartphone, and it wastes communication bandwidth and battery.

Cloudflare points out that making users spend time on CAPTCHAs is also costly for businesses, and as a result, CAPTCHAs create conflict between businesses and users.

Cloudflare, which advocates a complete departure from CAPTCHAs, has proposed a method called 'Cryptographic Attestation of Personhood' as an alternative. Cryptographic Attestation of Personhood is based on WebAuthn, the passwordless authentication standard, and works on all browsers on Windows, macOS, Ubuntu, and iOS 14.5 and above, and on Chrome on Android 10 and above.

The Cryptographic Attestation of Personhood is open to the public on a trial basis and can be tested at the following site.

Attention Required! | Cloudflare
https://cloudflarechallenge.com/


Click 'I am human (beta)' on the site.



The security key setup will be launched, so connect the physical security key to your PC.



The proof that the user is human will then be sent to Cloudflare in an encrypted state. After that, if you touch the physical security key, you will be proved to be human. Cryptographic Attestation of Personhood authentication protects your privacy because it is not uniquely linked to your device.
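The flow above is a WebAuthn registration, so the receiving server has a few fixed fields to check before trusting the touch. The following is an added example, not Cloudflare's code: it checks the browser's `clientDataJSON` and the security key's authenticator data, and leaves out verification of the attestation signature and the manufacturer certificate chain, without which these checks prove nothing on their own. The relying-party ID, origin, function names, and sample response are assumptions constructed for illustration.

```javascript
const { createHash, randomBytes } = require('node:crypto');

const RP_ID = 'challenge.example';           // assumed relying-party ID
const ORIGIN = 'https://challenge.example';  // assumed page origin

// One-time random challenge the server issues and remembers per attempt.
function newChallenge() {
  return randomBytes(32).toString('base64url');
}

// Returns a list of failed checks; an empty list means all checks passed.
// clientDataJSON: raw bytes from the browser. authData: authenticator data,
// assumed already extracted from the CBOR attestation object.
function verifyResponse(clientDataJSON, authData, expectedChallenge) {
  const errors = [];
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.create') errors.push('type');
  if (client.challenge !== expectedChallenge) errors.push('challenge');
  if (client.origin !== ORIGIN) errors.push('origin');

  // authData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  if (authData.length < 37) return errors.concat('authData-length');
  const expectedHash = createHash('sha256').update(RP_ID).digest();
  if (!authData.subarray(0, 32).equals(expectedHash)) errors.push('rpIdHash');
  // Bit 0 of flags is User Present: the key saw a presence gesture (a touch).
  if ((authData[32] & 0x01) === 0) errors.push('user-not-present');
  return errors;
}

// Constructed sample standing in for a browser/key response (not captured data).
function sampleResponse(challenge, { origin = ORIGIN, flags = 0x01 } = {}) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.create', challenge, origin }));
  const authData = Buffer.concat([
    createHash('sha256').update(RP_ID).digest(),
    Buffer.from([flags]),
    Buffer.alloc(4),  // signCount = 0
  ]);
  return { clientDataJSON, authData };
}

const challenge = newChallenge();
const good = sampleResponse(challenge);
console.log(verifyResponse(good.clientDataJSON, good.authData, challenge));
```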



'Our research shows that users prefer to touch physical security keys rather than click on photos,' Cloudflare said, adding that, compared to traditional CAPTCHAs, the Cryptographic Attestation of Personhood guarantees both security and ease of use.

However, some are uneasy about a system that proves a user is human with only a touch of a physical security key, and concerns have been raised that 'it cannot be ruled out that the Cryptographic Attestation of Personhood is being passed by a bot.' In fact, ways to automate the touch of physical security keys have already appeared on Twitter, and Cloudflare acknowledges the potential for exploitation of these automation systems.



In addition, Cryptographic Attestation of Personhood is in the testing stage, and the supported physical security keys are limited to a few, such as YubiKey, at the time of writing, but Cloudflare says it plans to support more security keys in the future.

Finally, Cloudflare said, 'For us, the Cryptographic Attestation of Personhood always comes down to helping build a better Internet. Users are wasting 500 years a day on the Internet. No one has reviewed CAPTCHAs from the ground up for 20 years, and we thought that was ridiculous,' and declared, 'The fire hydrants you see on the Internet have been abolished. You don't need them anymore.'

in Web Service, Posted by log1i_yk