Select all the buses, click on the bikes, are there any traffic lights in this picture? Ridiculous as these questions are, you can almost guarantee you’ve seen one recently. They’re a way for online services to distinguish between humans and robots. They’re called CAPTCHAs, and they enhance the security of online services. But while they do that, they come with a very real cost.
According to our data, it takes an average user 32 seconds to complete a captcha challenge. There are 4.6 billion Internet users worldwide. Let’s assume that a typical Internet user sees a captcha roughly every 10 days.
This very simple calculation works out to 500 years of human time wasted every day, just to prove that we are human.
Today, we’re launching an experiment to end this madness and get rid of CAPTCHAs once and for all. The idea is fairly simple: a real person should be able to prove they are human by touching or looking at their device, without revealing their identity. We want you to be able to prove that you are human without revealing which human you are! Is it possible, you might ask? The answer is: yes. We are starting with trusted USB keys (like YubiKey) that have been around for a while, but more and more phones and computers come with this capability by default.
Today marks the beginning of the end for fire hydrants, crosswalks and traffic lights on the Internet.
Why use CAPTCHAs?
In many cases, businesses need a way to tell if an online user is human. Often, these reasons are related to security or abuse of online services. As early as the turn of the century, CAPTCHAs were created to do just that. The first one was developed in 1997, and the term “Completely Automated Public Turing Test to tell Computers and Humans Apart” was coined by Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford in 2003.
By their very nature, challenge-response CAPTCHAs have to be automated so that they can scale across both the humans and the bots they need to catch.
Why remove CAPTCHAs?
Simply put: We all hate them.
By far the best thing we can do is to minimize them. At Cloudflare, for example, we constantly improve our bot management solution to be as smart as possible about when to serve a CAPTCHA to users. Over the years, however, as artificial intelligence improved, the web moved from simple CAPTCHAs based on recognizing text against a background, to OCRing old books, to identifying objects in pictures (see Google’s paper on street numbers). This poses some real problems for human users of the Internet.
- Productivity. Time is lost, as is focus on the task at hand, often in exchange for some frustration.
- Accessibility. Users are assumed to have the physical and cognitive abilities needed to solve the test, but this may not be the case. For example, a visual disability may prevent a person from completing the task of solving captchas.
- Cultural knowledge. Few people on earth have ever seen an American fire hydrant, and few people speak English.
- Interaction on mobile devices. Phones and mobile devices are the main — and often the only — means of Internet access in much of the world. Captcha puts a strain on their data plans and battery usage, plus it’s more difficult on small screens.
In fact, the World Wide Web Consortium (W3C) produced several drafts as early as 2003 that pointed out the inaccessibility of CAPTCHAs.
And that’s just from the user side. Imposing all these costs on users also has very real costs for businesses. There’s a reason companies spend so much time optimizing the performance and layout of their websites and applications. This work keeps users from bouncing when you want them to sign up. It stops carts from being abandoned when you want them to check out. In general, you want to prevent customers from getting frustrated and not coming back at all.
CAPTCHAs are effectively companies putting friction in front of their users, and as anyone who has managed a high-performance online business will tell you, you don’t want to do that unless you have no choice.
We started addressing these issues when we moved from Google reCAPTCHA to hCaptcha. Today, we go one step further.
CAPTCHA without Pictures: Cryptographic Attestation of Personhood
Hardware security keys are devices with embedded secrets that can be connected to your computer or your phone.
From the user’s point of view, a Cryptographic Attestation of Personhood works like this.
- The user visits a site protected by Cryptographic Attestation of Personhood, such as cloudflarechallenge.com.
- Cloudflare serves a challenge.
- The user clicks on “I’m human” (beta) and is prompted for a security device.
- The user decides to use a hardware security key.
- The user plugs the device into their computer, or taps it to their phone for a wireless signature (using NFC).
- A cryptographic attestation is sent to Cloudflare, which lets the user in after verifying the user presence test.
It takes five seconds to complete the process. More importantly, this challenge protects the user’s privacy, since the attestation is not uniquely tied to the user’s device. All device manufacturers trusted by Cloudflare are members of the FIDO Alliance. As such, each hardware key shares its identifier with other keys manufactured in the same batch (see Universal 2nd Factor Overview, Section 8). From Cloudflare’s point of view, your key looks like all the other keys in that batch.
Completing a Cryptographic Attestation of Personhood takes at most three clicks. There is no loop in which the user is asked to click on buses 10 times in a row.
Although there are various hardware security keys, our initial rollout is limited to a few devices. We had the opportunity to use and test YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.
“Promoting open authentication standards such as WebAuthn has long been Yubico’s core mission to provide robust security in an enjoyable user experience,” said Christopher Harrell, Chief Technology Officer of Yubico. “By providing CAPTCHA alternatives with a single touch, supported by YubiKey hardware and public key encryption, Cloudflare’s crypto proof of personality experiment can help further reduce the cognitive load on users when interacting with stressed or compromised websites. I hope this experiment enables people to accomplish their goals with minimal friction and strong privacy, and that the results will show that it is worthwhile for other sites to consider using hardware security, not just authentication.”
How does it work?
The Cryptographic Attestation of Personhood relies on Web Authentication (WebAuthn) attestation. This is an API that has been standardized by the W3C and is implemented in most modern web browsers and operating systems. It aims to provide a standard interface for authenticating users on the web and for using the cryptographic capabilities of their devices.
As the demand for greater security and better usability increases, we expect WebAuthn deployments to increase.
Platform | Compatible browsers |
---|---|
iOS 14.5 | All browsers |
Android 10 and later | Chrome |
Windows | All browsers |
macOS | All browsers |
Ubuntu | All browsers |
Assuming you’re using compatible hardware, you might be wondering what’s going on behind the scenes.
The elevator pitch
In short, your device has a built-in security module that contains a unique secret sealed by your manufacturer. The security module can prove that it holds such a secret without revealing it. Cloudflare asks you for that proof and checks that your manufacturer is legitimate.
Technical explanation
The longer version is that this authentication involves public key cryptography and digital certificates.
Public key cryptography provides a way to generate an unforgeable digital signature. A user generates a signing key that can sign messages and a verification key that anyone can use to verify the authenticity of a message. This is similar to a signet ring, in which the imprint of the ring is the signature and the ring itself is the signing key.
Signature schemes are widely used to prove authenticity. Right now, your browser has verified that the server claiming to be “blog.cloudflare.com” is legitimate by verifying a signature made by someone who holds a signing key associated with “blog.cloudflare.com”. To prove that the verification key is legitimate, the server provides a certificate that links the verification key to “blog.cloudflare.com”, and that certificate is itself signed by another verification key from another certificate. This chain extends all the way to the root certificate of a certificate authority built into your browser.
Let’s take another example. Alice has a laptop with an embedded security module. This module holds a signing key, SK_A. Alice says she sent Bob a love letter yesterday. Bob, however, is skeptical. Even though the letter says “Hi, Bob, it’s Alice”, Bob wants to make sure it is really from Alice. To do this, Bob asks Alice to provide her signature on the following message: “music-laboratory-ground”. Since Bob chose this message, if Alice can provide a valid signature associated with her verification key (PK_A), Bob will be convinced that the love letter is from Alice. Alice does provide the signature, SK_A(“music-laboratory-ground”). Bob confirms that SK_A(“music-laboratory-ground”) is associated with PK_A. He can now safely engage in their cryptographic relationship.
Back to the Cryptographic Attestation of Personhood: you now know that your hardware key embeds a signing key. However, Cloudflare does not and cannot know the signing keys of all users on the Internet. To mitigate this problem, Cloudflare requires a different kind of proof. When asked if you are human, we ask you to prove that you control a public key signed by a trusted manufacturer. When shipping devices with a security module, the manufacturer signs the associated attestation public key with a digital certificate.
Digital certificates typically contain a public key, information about the organization they were issued to, their expiration date, their permitted usage, and a signature from a certificate authority that vouches for the certificate’s legitimacy. They allow metadata to be associated with a public key, and so provide information about the issuer of a signature.
So when Cloudflare asks you for a signature, it verifies that your public key has been signed by the manufacturer’s public key. Since manufacturers have multiple levels of certificates, your device provides a chain of certificates that Cloudflare can verify. Each link in the chain is signed by its predecessor and signs its successor. Cloudflare trusts the manufacturer’s root certificate. Because there are only a limited number of them, we are able to verify them manually.
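The challenge-response and certificate-chain checks described above, together with the shared batch key from the privacy discussion, as an added example (not Cloudflare's code). It is a simplified model: JSON objects stand in for X.509 certificates and WebAuthn attestation structures, and all names and keys are constructed for illustration.

```javascript
const crypto = require("crypto");

// Simplified model: JSON "certificates" and constructed P-256 keys stand in for
// the X.509 chains and attestation objects a real authenticator returns.
const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const exportPub = (k) => k.export({ type: "spki", format: "der" }).toString("base64");
const importPub = (b64) =>
  crypto.createPublicKey({ key: Buffer.from(b64, "base64"), type: "spki", format: "der" });
const sign = (priv, msg) => crypto.sign("sha256", Buffer.from(msg), priv).toString("base64");
const verify = (pubB64, msg, sig) => {
  // Malformed keys or signatures are attacker-controlled input: treat as invalid.
  try {
    return crypto.verify("sha256", Buffer.from(msg), importPub(pubB64), Buffer.from(sig, "base64"));
  } catch { return false; }
};
const tbs = (cert) => JSON.stringify([cert.subject, cert.publicKey]); // signed fields

// Manufacturer (hypothetical): root signs an intermediate, which signs one batch key.
// Every device in the batch ships with the same batch key and the same chain.
function makeManufacturer(name) {
  const root = newKey(), inter = newKey(), batch = newKey();
  const interCert = { subject: `${name} intermediate`, publicKey: exportPub(inter.publicKey) };
  interCert.signature = sign(root.privateKey, tbs(interCert));
  const batchCert = { subject: `${name} batch`, publicKey: exportPub(batch.publicKey) };
  batchCert.signature = sign(inter.privateKey, tbs(batchCert));
  return {
    rootPublicKey: exportPub(root.publicKey),
    device: () => ({ batchKey: batch.privateKey, chain: [batchCert, interCert] }),
  };
}

// Device: after the user-presence touch, sign the server's fresh challenge.
function attest(device, challenge) {
  return { chain: device.chain, signature: sign(device.batchKey, challenge) };
}

// Server: check the challenge signature, then walk the chain up to a trusted root.
function verifyAttestation(att, challenge, trustedRoots) {
  const chain = att.chain;
  if (!Array.isArray(chain) || chain.length === 0) return false;
  if (!verify(chain[0].publicKey, challenge, att.signature)) return false;
  for (let i = 0; i + 1 < chain.length; i++) {
    if (!verify(chain[i + 1].publicKey, tbs(chain[i]), chain[i].signature)) return false;
  }
  const top = chain[chain.length - 1];
  return trustedRoots.some((root) => verify(root, tbs(top), top.signature));
}

// A fresh random challenge per request prevents replay of an old attestation.
const newChallenge = () => crypto.randomBytes(32).toString("hex");
```

Two devices from the same batch return identical chains, so the server learns the manufacturer and batch but nothing that singles out one key.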
Privacy first
Designing a challenge that requires users to prove that they control a manufacturer’s key creates privacy and security challenges.
The privacy properties of the Cryptographic Attestation of Personhood are summarized in the following table.
Attribute | Cloudflare could | Cloudflare does |
---|---|---|
Get your fingerprints or face | NO | N/A |
Know the manufacturer of your key | YES – limited to the number of keys in your batch* | YES |
Associate a unique ID to your key | YES** | NO |
* There must be 100,000 or more keys per batch (FIDO UAF Protocol Specification #4.1.2.1). However, self-signed keys and some manufacturers’ keys have been found to fail to meet this requirement.
** This would require us to set a separate and distinct cookie to track your key. This runs counter to privacy on the Internet and to the objectives of this project. You can learn more about how we are removing cookies like this at blog.cloudflare.com/deprecating…
Attestation without collecting biometrics
The purpose of this project: we want to know if you are human. But we’re not interested in which human you are.
Happily, the WebAuthn API solves this problem for us to a large extent. Not that we want to do this, but the WebAuthn API prevents collection of biometrics such as fingerprints. When your device asks for biometric verification (via a fingerprint sensor, for example), it all happens locally. Once the check passes, the security module of your device is unlocked and provides a signature associated with your platform.
For our challenge, we take advantage of the WebAuthn registration process. It was designed to support multiple authentications, which we have no use for. Therefore, we assign the same constant value to the required username field. This protects users from being deanonymized.
No hidden work
A common use of CAPTCHA is to tag data sets that are difficult for AI to read. This could be for books, street numbers or fire hydrants. While this is useful for science, it has also been used as a way for companies to exploit human recognition for commercial gain without users’ knowledge.
With the Cryptographic Attestation of Personhood, that doesn’t happen. We can design user flows more flexibly because we are no longer constrained by the CAPTCHA challenge model.
What is Cloudflare doing to push privacy further?
While the Cryptographic Attestation of Personhood has a big advantage in terms of privacy, it’s not perfect. Cloudflare still needs to know your manufacturer to let you in. Since WebAuthn works with any certificate, we need to ensure that Cloudflare receives a certificate from a hardware key that has not been tampered with. We would prefer not to have this information, to further protect your privacy.
We have worked on privacy standards in the past, for example by leading the efforts on Privacy Pass. Privacy Pass allows you to solve a challenge once and provides proof that you passed it, meaning you don’t have to solve multiple CAPTCHAs. It greatly improves the user experience for VPN users, as they face more challenges than other Internet users.
For the Cryptographic Attestation of Personhood, we are exploring an emerging field of cryptography called zero-knowledge proofs (ZK proofs). It allows our users to prove that their manufacturer is part of a group of manufacturers that Cloudflare trusts. With ZK proofs, devices from one manufacturer become indistinguishable from each other and from devices from other manufacturers. The new system requires more technical detail and deserves its own blog post. Stay tuned.
An endless quest
Designing a challenge to protect millions of Internet properties is no easy task. In our current setup, we believe the Cryptographic Attestation of Personhood provides strong security and usability guarantees compared to traditional CAPTCHA challenges. In preliminary user studies, users expressed a strong preference for touching their hardware keys rather than clicking on pictures. Still, we know it is a new system with room for improvement.
The experiment will be available on a limited basis in English-speaking areas. This allows us to have diversity in our user base and test the process in different places. However, we recognize that this is insufficient coverage and we intend to test it further. If you have specific requirements, please feel free to contact us.
Another issue we pay close attention to is security. The security of this challenge depends on the underlying hardware provided by trusted manufacturers. We are confident that they are secure. If any vulnerabilities occur, we will be able to quickly revoke trust in the manufacturer’s public keys at different levels of granularity.
We also have to consider the possibility of facing automated button-pressing systems. A drinking bird capable of pressing a capacitive touch sensor could pass the Cryptographic Attestation of Personhood. In the best case, the bird’s solve rate matches the time it takes the hardware to generate an attestation. With our current set of trusted manufacturers, this would be slower than the solve rate of professional CAPTCHA-solving services, while allowing legitimate users to pass with confidence. In addition, existing Cloudflare mitigation measures will remain in place, effectively protecting Internet properties.
A final word
For Cloudflare, it always comes back to helping build a better Internet. The idea that we are wasting 500 years of our lives on the Internet every day – no one has revisited the basic assumptions of captchas since the turn of the century – seems preposterous to us.
We are very proud of the work we have done here to release the Cryptographic Attestation of Personhood. This challenge is built with a user-first approach, while maintaining a high level of security for accessing the Internet properties that sit behind Cloudflare’s global network. We are now augmenting our existing human challenges with the Cryptographic Attestation of Personhood. Over time, you should expect to see it more often. You can try it today at cloudflarechallenge.com.
Finally: We’re happy to bring about the death of fire hydrants on the Internet. It’s no longer needed.
Feedback and common errors
Since this is currently an experimental project of Cloudflare’s research team, only USB or NFC security keys are supported today. We appreciate the feedback and will look into adding additional authenticators as soon as possible. If you are using an unsupported device, then you may get a slightly unintelligible error message from your browser. On Google Chrome, you’ll see.
If you’d like to provide feedback on the Cryptographic Attestation of Personhood, please fill out the Google form: forms.gle/HQxJtXgryg4…
The original link: blog.cloudflare.com/introducing…