“Humanity wastes about 500 years per day on CAPTCHAs.”
Cloudflare
Imagine having to go through the hurdles of deciphering weird curly letters and selecting a bunch of pictures with sidewalks before reading this article. CAPTCHAs—short for Completely Automated Public Turing Test to tell Computers and Humans Apart—are annoying and can be ridiculously difficult to solve. Regardless, most people are resigned to solving them before logging on to their social media platforms, entering their online banking details or even booking a movie ticket.
That is, until now.
According to the web performance and security company, Cloudflare, it takes around 32 seconds for one person to complete a CAPTCHA challenge. With 4.6 billion internet users globally and each user interacting with a CAPTCHA every ten days, the need to prove our humanity has become very time-consuming. So, it’s high time to end the CAPTCHA “madness”.
How Cloudflare wants to solve this
To replace the existing system with a new way of telling machines and humans apart, Cloudflare’s ‘Cryptographic Attestation of Personhood’ would require the user to click the ‘I am a human’ button, followed by a prompt to select their security key, and then plug in or tap their hardware security key to produce a digital signature. A cryptographic attestation would then be sent to Cloudflare, verifying the user’s humanity. The whole process allegedly takes only a few seconds, and a beta version is available on Cloudflare’s website for anyone to check out. This version is currently limited to a few hardware security keys, namely YubiKeys, HyperFIDO keys and Thetis FIDO U2F keys.
The verification relies on public-key cryptography, which provides a way to create digital signatures. The user holds a signing key, used to sign messages, and publishes a verification key, which anyone can use to check that a signature over a given message is authentic.
Returning to the Cryptographic Attestation of Personhood, each user’s hardware key embeds a signing key. Manufacturers always sign such keys, issuing a digital certificate for them. Thus, when it asks you to prove your humanity, Cloudflare asks for your signature and verifies whether your public key has been signed by the manufacturer (i.e. that it is covered by the manufacturer’s certificate). Since manufacturers have multiple levels of certification, the user’s device provides a chain of certificates for verification, in which each certificate is signed by its predecessor and signs its successor.
For example, consider two people, Alice and Bob, who wish to send love letters to each other. Alice has a laptop with a secure module that holds the signing key sk_a. Alice then sends a letter to Bob, who is suspicious of the letter’s authenticity. To verify it, Bob asks Alice to provide her signature for the message ‘musical-laboratory-ground’, which he will cross-check with her verification key, pk_a. Alice then provides the signature sk_a(‘musical-laboratory-ground’), which Bob confirms is associated with pk_a.
Cloudflare deems this system to be a secure one. The system allows attestation without collecting biometrics. Also, while Cloudflare could associate a unique ID to a user’s key, the company has stated that it will not do so. All it will know about the user is the manufacturer of their key. Cloudflare’s new solution does seem like a great fix to annoying CAPTCHAs. Nonetheless, it might be a while before we can be sure it will replace CAPTCHAs. For one, Cloudflare’s newest experiment is, at the moment, limited to hardware keys, regions and languages.
Cloudflare’s new system has found some critics too. According to Ackermann Yuriy, CEO of the consulting firm Webauthn Works, attestation proves nothing except the device’s model. The device could be presented for authentication by a non-human entity. Additionally, it remains to be seen whether bots could be equipped with technologies such as a jury-rigged security system and take advantage of this scheme. Despite these concerns, Cloudflare’s Cryptographic Attestation of Personhood appears to be a significant step towards a permanent fix for the CAPTCHA problem.