It takes a user an average of 32 seconds to solve a captcha. Cloudflare hopes to make that step disappear by replacing it with a cryptographic attestation backed by hardware security keys certified by the FIDO Alliance.
“Humanity wastes around 500 years a day on captchas. It’s time to put an end to this madness,” said Thibault Meunier, an engineer at Cloudflare, in a post on the company’s blog. “Today marks the beginning of the end of fire hydrants, crosswalks and traffic lights on the Internet.” The idea is simple: everyone should be able to prove they are human without revealing their identity. To that end, the CDN, load-balancing and network-security provider proposes using hardware security keys, backed by a cryptographic attestation certificate, in place of today’s captchas.
More universal and faster than captcha
Cloudflare’s goal is to do away with captchas altogether by proving that the user is human through a hardware security key tied to a “Cryptographic Attestation of Personhood”. The company lets visitors try this attestation directly on its website; it is built on the WebAuthn API standardized by the W3C. Beyond its speed, the approach could also ease some of the problems raised by captchas, notably for people with visual impairments who cannot always complete them in their current form.
In practice, the process would run as follows: the user reaches a website protected by the Cryptographic Attestation of Personhood, presents a hardware security key (plugged into a USB port or read over NFC), and the site validates the key’s attestation certificate once the user-presence check has passed. Cloudflare says the service currently works across several operating systems and browsers: iOS 14.5, Android 10 and above (Chrome only), Windows, macOS and Ubuntu.
The test phase launched
According to Cloudflare, only 3 clicks are needed to complete the Cryptographic Attestation of Personhood, against ten for a traditional captcha. The provider notes that the service is for now limited to English-speaking regions. In its current state, the solution works with only a handful of physical tokens, all from FIDO Alliance members: YubiKeys, HyperFIDO and Thetis FIDO U2F. In response to possible privacy concerns, Cloudflare says it is paying close attention to the issue: the company states that it stores no personal characteristics such as fingerprints and does not link a unique user identifier to a physical security key.