CAPTCHAs are well-known and well-hated, and while I would do a lot of things to never have to identify a traffic signal again, Cloudflare’s new security key system doesn’t make the hassle any more bearable, or even as equally secure.
Encountering a CAPTCHA while perusing the internet often goes like this: Is that a palm tree or a regular tree? Is that a minuscule corner of a crosswalk or a white blob? Am I a robot or a human?
Instead of suffering through this pain, Cloudflare wants to eliminate CAPTCHAs with its new security system, called the “Cryptographic Attestation of Personhood.” The software currently uses physical USB security keys, like Yubikey, to register when you touch or look at the device.
This action, paired with plugging the USB into your computer while running the (currently beta) software, would securely verify your human status.
If you have such a USB key, you can test the software yourself at cloudflarechallenge.com. I took a gander without the key, and you still get the idea. The prominent “I am human” button is easy to find and click, which directs you to plug in your device and touch it.
On the surface, it definitely feels easier and faster than squinting at grainy images. But it also turns surfing the interwebs into a two-factor authentication nightmare. Instead of clicking on buses, I would have to scramble for my USB, plug it in, and touch it, which presents its own set of challenges. For one, adding another device to the mix is most definitely nightmare fuel for the absent-minded, like myself. For two, relying on USB devices becomes an annoyance for people who have computers without USB ports, like the latest MacBook Pros.
Cloudflare recognizes that USB security keys are not the most common gadgets, so it aims to integrate the software into smartphones in the future. And yes, while this would streamline the amount of devices needed to be a person on the internet, it’s more than the single device of my computer. Like the current 2FA systems, it would still require me to groan as I get up from my laptop and reach for my phone to verify my personhood.
While I appreciate the enhanced security and necessity of 2FA, I just kind of hate it. Current sites that require two-factor authentication through apps like OneLogin or Google One make me feel ultra-reliant on my smartphone. And they still induce a different yet insufferable type of panic while trying to log in.
But sure, let’s just say that I have an exceptional lazy bone, and this could actually be a great way to protect your identity and security while online. Alas, Cloudflare itself has admitted to its own security flaws.
The current version, using the USB keys, relies on touch sensors to tell human from robot via attestation. But as Ackermann Yuriy, CEO of consulting firm Webauthn Works, notes, “attestation does not prove anything but the device model.” The process of attestation basically verifies the manufacturer of your security key, which encodes a trusted secret that is sent to Cloudflare. But theoretically, once the device is purchased by a human, it can be operated by a robot.
On its own blog, Cloudflare says that a drinking bird (those cartoonish toys that repeatedly dip their beaks into water) could activate the touch sensor, thereby passing the authentication test. It defends this by saying this would be slower than other professional CAPTCHA solving bots, so at least they’re trying?
The biggest pro of Cloudflare’s system is increased accessibility for those with cognitive or visual disabilities. While identifying random objects is an annoyance for most, CAPTCHAs are basically unsolvable for these users, and a physical security object could be a welcome assist.
In an ideal world, perhaps Cloudflare’s attestation method could be an optional security measure in addition to CAPTCHA on most sites, rather than entirely replace it. Yes, failing a CAPTCHA that asks me to click on fire hydrants may make me question my humanity, but I guess I’m choosing to defend it and continue to click away. At least it’s a universal experience,