Cloudflare’s new authentication system aims to eliminate CAPTCHA from Internet

CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is a common way for websites to validate logins at the moment. It usually appears in the form of words that you have to write down, or pictures you have to click on, to prove that you are a real human and not a bot/computer.

With Cloudflare’s new system, users will be able to authenticate logins to websites by using physical USB keys, though the company is yet to add support for most hardware right now. “The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate,” the company said in a blog post explaining how the system works.

“Cryptographic Attestation of Personhood relies on Web Authentication (WebAuthn) Attestation. This is an API (application programming interface) that has been standardized at the W3C (world wide web consortium) and is already implemented in most modern web browsers and operating systems. It aims to provide a standard interface to authenticate users on the web and use the cryptography capability of their devices,” said the blog post. It said the system will work with all browsers on iOS 14.5, Windows, macOS and uBuntu, and Chrome for Android 10 or later.

The company has set up an example website—cloudflarechallenge.com—where you can try the system out. Users will just have to click on a button asking them to prove they’re human, which leads the browser to prompt for a USB key or even the device’s own authentication system (fingerprint or face ID). Cloudflare says it has tested the service with YubiKeys, HyperFIDO keys and Thetis FIDO U2F keys right now, and that the system will take five seconds to beat, with at most three clicks at a time.