Cloudflare Wants to Replace CAPTCHA with Hardware Security Keys

Cloudflare Wants to Use Hardware Security Keys for Replacing CAPTCHAs

CAPTCHAs are annoying and we all agree that it is one of the worst parts of the modern web. However, the feature is essential to avoid bots and potential spam on online services. To find a middle ground, Cloudflare is exploring the possibility of using hardware security keys as a way to prove that you are human.

Cloudflare Crypto Personality Certification

According to Cloudflare, a user spends at least 32 seconds to complete a CAPTCHA challenge. Assuming a user encounters a CAPTCHA once every 10 days, approximately 500 human years are lost each day. To avoid this, the company proposes what it calls “Cryptographic attestation of personality.”

In a recent blog post, Cloudflare has detailed how the technology works. According to the company, users can connect a hardware security key after clicking the “I am human” message on supported websites. Soon after, a crypto certification is submitted to Cloudflare and the user’s presence is verified.

When Cloudflare tested this flow, it only took five seconds and three clicks. Cloudflare says you don’t have to worry about privacy issues as attestation is not tied to user’s device. At this time, the feature is supported by select security key manufacturers that are part of the FIDO Alliance. Supported devices at initial release include YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys. If you have a compatible security key, you can test the function of this website.

“By offering a one-touch CAPTCHA alternative backed by YubiKey hardware and public key cryptography, Cloudflare’s personality cryptographic attestation experiment could help further reduce the cognitive load imposed on users when interacting with sites under stress. or attack “. said Christopher Harrell, Yubico’s chief technology officer.

Cloudflare Crypto Personality Certification works on devices that support web authentication API. The company says it works in all browsers on Windows, macOS, Ubuntu, and iOS 14.5. On the Android side, the feature works in Chrome with phones running Android 10 and later.

Leave a Comment