Cloudflare Wants To Kill The Dreaded Captcha For Good

“Humanity wastes about 500 years per day on CAPTCHAs.”


Imagine if you had to go through the hurdles of identifying weird curly letters and selecting a bunch of pictures with sidewalks before reading this article. CAPTCHAs—short for Completely Automated Public Turing Test to tell Computers and Humans Apart—are annoying and can be ridiculously difficult to solve. Even so, most people are resigned to solving them before logging on to their social media platforms, entering their online banking details or even booking a movie ticket.

That is, until now. 



According to the web performance and security company, Cloudflare, it takes around 32 seconds for one person to complete a CAPTCHA challenge. With 4.6 billion internet users globally and each user interacting with a CAPTCHA every ten days, the need to prove our humanity has become very time-consuming. So, it’s high time to end the CAPTCHA “madness”.

How Cloudflare wants to solve this


To replace the existing system with a new way of telling machines and humans apart, Cloudflare’s system, ‘Cryptographic Attestation of Personhood’, would require the user to click the ‘I am a human’ button, respond to a prompt to select their security key, and plug in or tap their hardware security key to produce a digital signature. A cryptographic attestation would then be sent to Cloudflare, verifying the user’s humanity. The whole process allegedly takes only a few seconds, and a beta version is available to try on Cloudflare’s website. This version is currently limited to only a few hardware security keys, namely YubiKeys, HyperFIDO keys and Thetis FIDO U2F keys. The verification makes use of public-key cryptography, which provides a way to create digital signatures. The user generates a signing key, used to sign messages, and a verification key, used to check that the signature and the message are authentic.

Returning to the Cryptographic Attestation of Personhood, each user’s hardware key embeds a signing key. Manufacturers always sign such keys with a digital certificate. Thus, when it asks you to prove your humanity, Cloudflare asks for your signature and verifies whether your public key has been signed by the manufacturer (i.e. whether the certificate validates against the manufacturer’s public key). Since manufacturers have multiple levels of certification, the user’s device provides a chain of certificates, in which each certificate is signed by its predecessor and signs its successor, for verification.


For example, consider two people, Alice and Bob, who wish to send love letters to each other. Alice has a laptop with a secure module that holds the signing key sk_a. Alice then sends a letter to Bob, who is suspicious of the letter’s authenticity. To verify it, Bob asks Alice to provide her signature for the message ‘musical-laboratory-ground’, which he will cross-check with her verification key, pk_a. Alice then provides the signature sk_a(‘musical-laboratory-ground’), which Bob confirms is valid under pk_a.
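The challenge signature and certificate-chain check described above, as an added example that is not Cloudflare's code. It uses Node.js's built-in `crypto` module; the certificate object is a simplified stand-in for X.509, and the names `issueCert`, `attest`, `verifyAttestation` and the "ExampleKeys" manufacturer are hypothetical.

```javascript
const crypto = require('node:crypto');

// Simplified stand-in for an X.509 certificate (assumption, not real X.509):
// the subject's public key in DER form plus the issuer's signature over it.
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const toKey = (der) => crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
function issueCert(subject, subjectPub, issuer, issuerPriv) {
  const publicKey = subjectPub.export({ type: 'spki', format: 'der' });
  return { subject, issuer, publicKey, signature: crypto.sign('sha256', publicKey, issuerPriv) };
}

// Constructed sample hierarchy: manufacturer root -> batch intermediate -> device key.
const root = newKey(), batch = newKey(), device = newKey();
const trustedRoots = new Map([['ExampleKeys Root', root.publicKey]]);
const chain = [
  issueCert('device', device.publicKey, 'batch', batch.privateKey),
  issueCert('batch', batch.publicKey, 'ExampleKeys Root', root.privateKey),
];

// Security-key side: sign the verifier's challenge with the embedded signing key
// and hand over the certificate chain alongside the signature.
const attest = (challenge, priv, certs) =>
  ({ signature: crypto.sign('sha256', challenge, priv), chain: certs });

// Verifier side: returns the name of the trusted manufacturer root, or null.
function verifyAttestation(challenge, response, roots) {
  const { signature, chain: certs } = response;
  if (!Array.isArray(certs) || certs.length === 0) return null;
  // 1. The fresh challenge must be signed by the key named in the leaf certificate.
  if (!crypto.verify('sha256', challenge, toKey(certs[0].publicKey), signature)) return null;
  // 2. Each certificate must be signed by the next one up, and the last one
  //    by a manufacturer root the verifier already trusts.
  for (let i = 0; i < certs.length; i++) {
    const issuerKey = i === certs.length - 1
      ? roots.get(certs[i].issuer)
      : toKey(certs[i + 1].publicKey);
    if (!issuerKey) return null;
    if (!crypto.verify('sha256', certs[i].publicKey, issuerKey, certs[i].signature)) return null;
  }
  return certs[certs.length - 1].issuer;
}
```

A successful check yields only the manufacturer root's name, which matches the article's point that the verifier learns the key's maker and nothing else about the user.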

Cloudflare deems this system to be a secure one. The system allows attestation without collecting biometrics. Also, while Cloudflare could associate a unique ID to a user’s key, the company has stated that it will not do so. All it will know about the user is the manufacturer of their key. Cloudflare’s new solution does seem like a great fix to annoying CAPTCHAs. Nonetheless, it might be a while before we can be sure it will replace CAPTCHAs. For one, Cloudflare’s newest experiment is, at the moment, limited in the hardware keys, regions and languages it supports.

Hardware security keys (Source: Cloudflare)

Cloudflare’s new system has found some critics too. According to Ackermann Yuriy, CEO of the consulting firm Webauthn Works, attestation proves nothing except the device’s model. The device could be provided for authentication by a non-human entity. Additionally, one may need to see whether bots could be equipped with technologies such as a jury-rigged security system and take advantage of this system. Despite these concerns, Cloudflare’s Cryptographic Attestation of Personhood appears to be a significant step in finding a permanent fix to the CAPTCHA problem. 


Mita Chaturvedi
I am an economics undergrad who loves drinking coffee and writing about technology and finance. I like to play the ukulele and watch old movies when I'm free.
