Cloudflare wants to get rid of CAPTCHAs completely

    Cloudflare wants to get rid of CAPTCHAs completely

    Cloudflare wants to get rid of CAPTCHAs completely




    Select all the buses. Click on bikes. Does this photo have traffic lights? As ridiculous as these questions are, you’re almost guaranteed to have seen one recently. They are a way for online services to separate humans from bots, and they’re called CAPTCHAs. CAPTCHAs strengthen the security of online services. But while they do that, there’s a very real cost associated with them.

    Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days.
    This very simple back of the envelope math equates to somewhere in the order of 500 human years wasted every single day — just for us to prove our humanity.

    Today, we are launching an experiment to end this madness. We want to get rid of CAPTCHAs completely. The idea is rather simple: a real human should be able to touch or look at their device to prove they are human, without revealing their identity. We want you to be able to prove that you are human without revealing which human you are! You may ask if this is even possible? And the answer is: Yes! We’re starting with trusted USB keys (like YubiKey) that have been around for a while, but increasingly phones and computers come equipped with this ability by default.

    Today marks the beginning of the end for fire hydrants, crosswalks, and traffic lights on the Internet.

    Why CAPTCHAs?

    In many instances, businesses need a way to tell whether an online user is human or not. Typically those reasons relate to security, or abuse of an online service. Back at the turn of the century, CAPTCHAs were created to do just that. The first one was developed back in 1997, and the term ("Completely Automated Public Turing test to tell Computers and Humans Apart") was coined in 2003 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford.

    By their very nature, the challenge-response nature of CAPTCHAs have to be automated: so they can scale across both humans and the bots they need to catch.

    Why get rid of CAPTCHAs?

    Put simply: we all hate them.

    The best we’ve been able to do to date has been to minimize them. For example, at Cloudflare, we’ve continuously improved our Bot management solution to get as smart as possible about when to serve a CAPTCHA to the user. However, over the years the web moved from simple CAPTCHAs based on text recognition against backgrounds to OCRing old books to identifying objects from pictures as AI has improved (see Google paper on Street Numbers). This creates some real problems for the human users of the Internet:

    1. Productivity: Time is lost — as is focus on the task at hand — and often in exchange for some frustration.
    2. Accessibility: Users are assumed to have the physical and cognitive capabilities required to solve the tests, which may not be the case. A visual disability, for example, may make it impossible to perform a CAPTCHA-solving task.
    3. Cultural Knowledge: The people on the planet who have seen a US fire hydrant are in the minority, as are the number who speak English. Cabs are yellow in New York City, and black in London — heck, ‘cabs’ are only cabs in a few places, and ‘taxis’ everywhere else!
    4. Interactions on Mobile Devices: Phones and mobile devices are the primary — and most often only — means of Internet access for a large part of the world. CAPTCHAs put a strain on their data plans and battery usage, in addition to being more difficult on small screens.

    In fact, the World Wide Web Consortium (W3C) worked on multiple drafts — as early as 2003 — pointing out the inaccessibility of CAPTCHAs.

    And this is just from the user side. Inflicting all these costs on users has very real costs for businesses, too. There’s a reason why businesses spend so much time optimizing the performance and layout of their websites and applications. That work stops users from bouncing when you want them to register. It stops shopping carts getting abandoned when you want them to end in the checkout. In general, you want to stop customers from getting frustrated and simply not come back.

    CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high performing online business will tell you, it’s not something you want to do unless you have no choice.
    We started tackling these issues when we moved from Google reCAPTCHA to hCAPTCHA. Today, we are going further.

    CAPTCHA without Picture: Cryptographic Attestation of Personhood


    Hardware security keys are devices with an embedded secret that can connect to your computer or your phone

    From a user perspective, a Cryptographic Attestation of Personhood works as follows:

    1. The user accesses a website protected by Cryptographic Attestation of Personhood, such as cloudflarechallenge.com.
    2. Cloudflare serves a challenge.
    3. The user clicks I am human (beta) and gets prompted for a security device.
    4. User decides to use a Hardware Security Key.
    5. The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC).
    6. A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test.

    Completing this flow takes five seconds. More importantly, this challenge protects users' privacy since the attestation is not uniquely linked to the user device. All device manufacturers trusted by Cloudflare are part of the FIDO Alliance. As such, each hardware key shares its identifier with other keys manufactured in the same batch (see Universal 2nd Factor Overview, Section 8). From Cloudflare’s perspective, your key looks like all other keys in the batch.

    There are at most three clicks required to complete a Cryptographic Attestation of Personhood. There is no looping, where a user is asked to click on buses 10 times in a row.

    While there is a variety of hardware security keys, our initial rollout is limited to a few devices: YubiKeys, which we had the chance to use and test; HyperFIDO keys; and Thetis FIDO U2F keys.

    “Driving open authentication standards like WebAuthn has long been at the heart of Yubico’s mission to deliver powerful security with a delightful user experience,” said Christopher Harrell, Chief Technology Officer at Yubico. “By offering a CAPTCHA alternative via a single touch backed by YubiKey hardware and public key cryptography, Cloudflare’s Cryptographic Attestation of Personhood experiment could help further reduce the cognitive load placed on users as they interact with sites under strain or attack. I hope this experiment will enable people to accomplish their goals with minimal friction and strong privacy, and that the results will show it is worthwhile for other sites to consider using hardware security for more than just authentication.”



    Read more: https://blog.cloudflare.com/introduc...of-personhood/


    Brink's Avatar Posted By:

  1. desbest's Avatar
    Posts : 109
    Windows 10
       #1

    This looks like a B2B business to business feature. Most people are not tech savvy so most people would not use a hardware key just to visit a website or submit a form.
      My Computer

  2. z3r010's Avatar
    Posts : 10,090
    Windows 10 Workstation x64
       #2

    desbest said:
    This looks like a B2B business to business feature. Most people are not tech savvy so most people would not use a hardware key just to visit a website or submit a form.
    Every PC in our house has a Yubikey for 2FA wherever available
      My Computers

  3. desbest's Avatar
    Posts : 109
    Windows 10
       #3

    What’s the point of buying a yubikey if there are authentication apps you can use for your phone like Google Authenticator, Microsoft Authenticator and Authy?

    Not only do they accept two factor authentication, they ALSO accept biometrics and multi factor authentication.
      My Computer

  4. jimbo45's Avatar
    Posts : 10,712
    Windows / Linux : Arch Linux
       #4

    Hi there
    Captchas are hideous - sometimes even when you click all the correct panels etc the thing just goes on and on.
    OK I understand that security, Denial of Service and Spam attack preventions are needed on lots of sites but it should surely be possible in C21 to have robust security systems that aren't too complex to use for B2B, B2C and simple home users.

    Biometrics aren't necessarily the way forward as anybody who has seen some gory Hollywood Horror Flics can attest. I'm not a security Guru --there are people who are paid oodles and oodles of dosh for this so surely they could come up with some sensible ideas.

    BTW I saw on TV recently that the Health system in the Irish Republic has been attacked by Ransomware -- I believe a similar attack was made on the UK's system a few years ago too -- so obviously security isn't a trivial issue. Imagine if things like Nuclear power station safety infrastructure or mass transportation systems were compromised too.

    Small hardware keys can get easily lost and sometimes it takes forever to get a new one !!!! - Meanwhile you can't logon to your business workplace easily and have to go through a long winded temporary logon activity every day until a new key is issued. (Been there and done that !!! so I know via the hard way !!!).

    Cheers
    jimbo
      My Computer

  5. Wynona's Avatar
    Posts : 28,357
    Windows 10 21H1 Build 19043.1023
       #5

    These keys are way overpriced for the average person. Take the senior citizen on social security. Most of them are barely above the poverty line, and won't be able to afford one.
      My Computer


  6. Posts : 334
    Windows 10 20H2 (19042.685)
       #6

    jimbo45 said:
    BTW I saw on TV recently that the Health system in the Irish Republic has been attacked by Ransomware -- I believe a similar attack was made on the UK's system a few years ago too -- so obviously security isn't a trivial issue. Imagine if things like Nuclear power station safety infrastructure or mass transportation systems were compromised too.
    This is the problem beyond cryptography. I personally think there is absolutely no need for sensitive infrastructure (power stations, pipelines, railways, etc.) to be connected to a computer network, let alone a public network. My computer is absolutely secure when I am not using it - because I turn it off once I'm done. If you want some data to be secure - store is on a standalone machine or on a removed drive.

    Captchas are something else altogether. Google requires me to complete reCaptcha any time I want to change the Google search setting to deliver 100 search results instead of the default 10. I got so fed up with it, that I now have a separate browser profile for using Google where Google cookies are allowed to stay (normally, I erase all cookies once I close a browser). I do not use this profile for anything else, so much good these cookies are doing them. And on the phone, I don't even use Google search anymore. Any other website that requires more Captcha than simply click a box or type a few symbols I just abandon - none of them are crucial to me and none of them are worth wasting time counting hydrants.
      My Computer

  7. jimbo45's Avatar
    Posts : 10,712
    Windows / Linux : Arch Linux
       #7

    unifex said:
    This is the problem beyond cryptography. I personally think there is absolutely no need for sensitive infrastructure (power stations, pipelines, railways, etc.) to be connected to a computer network, let alone a public network. My computer is absolutely secure when I am not using it - because I turn it off once I'm done. If you want some data to be secure - store is on a standalone machine or on a removed drive.

    Captchas are something else altogether. Google requires me to complete reCaptcha any time I want to change the Google search setting to deliver 100 search results instead of the default 10. I got so fed up with it, that I now have a separate browser profile for using Google where Google cookies are allowed to stay (normally, I erase all cookies once I close a browser). I do not use this profile for anything else, so much good these cookies are doing them. And on the phone, I don't even use Google search anymore. Any other website that requires more Captcha than simply click a box or type a few symbols I just abandon - none of them are crucial to me and none of them are worth wasting time counting hydrants.
    Hi there

    @unifex

    I think you might (or probably) don't understand how modern infrastructure works.

    Probably a bit like "Extinction Rebellion" Climate change people who say ZERO carbon emission - while not saying how we would have do do without steel - made from Iron Ore amd Carbon (yes COAL needed) and manganese to build things like electric cars, have any mining for necessary materials to produce batteries etc or build any sort of machinery at all etc. Just look around your home and see how many things use steel !!!

    Hope you would all go to a hospital where you would only be allowed to use "Wooden" surgical implements !!!! (Iceland is very eco sensitive) but there's a difference between ZERO Carbon and some production!!!! and of course we should use things without pollution and sensibly.

    For example a High Speed train (probably not many of those in the USA these days although standard in Europe and Asia - and even in a part of the UK --Eurostar from London to Paris / Brussels and Amsterdam via Channel Tunnel) !!) running at 300 - 450 Km/Hr approx in "Old Currency" - 180 - 270 MPH)-- the driver has ZERO chance of manually reacting to emergency red signals etc.

    What about Air Traffic Countrol with literally hundreds of planes all trying to land and take off in a restricted airport space.

    Most supply chains rely on automated ordering procedures - and even your old fashioned Bank would take 2 weeks or so to transfer money into accounts -- would you like to wait 2 weeks after payday before you could get your money !!!!

    Zillions of other areas where things can't be done manually in any sensible fashion.

    Cheers
    jimbo
      My Computer


  8. Posts : 334
    Windows 10 20H2 (19042.685)
       #8

    Hi @jimbo45,

    I think you misread my post. I am aware that automation has become indispensable. However, automation and internet are not one and the same. Would you want a random hacker to be able to access that high-speed train? If the train is connected to the internet, eventually they will. Same goes for air traffic, power grids, and so on. Have you heard of the recent pipeline hacking and the problems it caused? I actually heard that the pipeline itself was not damaged but rather shut down as a precaution, but the gas shortage was nonetheless real. Supposedly this is the work of "criminal hackers living in Russia". Do you believe that any cybersecurity measures can actually prevent such attacks? I don't. Disconnecting the pipeline from the internet can.

    Now as far as banks are concerned - here in Germany they appear to be "old fashioned" by your standards: by law a bank has three days to complete a money transfer and although sometimes it does take less, nobody is counting on it (that is, if you are late with your payment because the bank took longer than you thought, that's your fault).
      My Computer

  9. jimbo45's Avatar
    Posts : 10,712
    Windows / Linux : Arch Linux
       #9

    unifex said:
    Hi @jimbo45,

    I think you misread my post. I am aware that automation has become indispensable. However, automation and internet are not one and the same. Would you want a random hacker to be able to access that high-speed train? If the train is connected to the internet, eventually they will. Same goes for air traffic, power grids, and so on. Have you heard of the recent pipeline hacking and the problems it caused? I actually heard that the pipeline itself was not damaged but rather shut down as a precaution, but the gas shortage was nonetheless real. Supposedly this is the work of "criminal hackers living in Russia". Do you believe that any cybersecurity measures can actually prevent such attacks? I don't. Disconnecting the pipeline from the internet can.

    Now as far as banks are concerned - here in Germany they appear to be "old fashioned" by your standards: by law a bank has three days to complete a money transfer and although sometimes it does take less, nobody is counting on it (that is, if you are late with your payment because the bank took longer than you thought, that's your fault).
    Hi there
    I think I also should have been more explicit -- OK "The Public Internet" might be too global but certainly all this infrastructure needs to be on computer networks - even if they are on private ones and if it's on any sort of a computer network these things can be hacked !!! whether external, global or internal. International air travel for example needs interconnection of various systems for Air traffic control, while can you imagine managing Amazon's supply and logistics chains without mega large and fast networks.

    Cheers
    jimbo
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 05:59.
Find Us




Windows 10 Forums