Cloudflare proposes to save users from regularly clicking the “I’m not a robot” checkbox and choosing pedestrian crossings or traffic lights in a traditional CAPTCHA test. As an alternative, the company has developed Turnstile technology, which checks the browser, not the user.
Turnstile uses Cloudflare’s Managed Challenge, which takes into account user behavior, browser data, and private access tokens on Apple devices to distinguish human visitors from bots and scripts.
The company claims that in a year its system reduced the number of CAPTCHAs shown to its customers’ visitors by 91 percent. The check itself has also become faster, dropping from 32 seconds (the average required to complete a CAPTCHA) to 1 second.
Today, we’re announcing the open beta of Turnstile, an invisible privacy-preserving alternative to CAPTCHA. Anyone, anywhere on the Internet, who wants to replace CAPTCHA on their site, will be able to call a simple API to do just that. https://t.co/UkUay00nkj #BirthdayWeek
— Cloudflare (@Cloudflare) September 28, 2022
Turnstile uses a set of JavaScript-based calls that read the web browser environment and look for signals that indicate a real person is logging into the site, cycling through tests: proof of work, proof of location, web API lookup, and more. Machine learning is also used to compare previously successful challenges with new ones, which speeds up the process of passing the test. The user sees the “Confirmation…” widget only for a moment before it changes to “Success!”.
Cloudflare points out that, in addition to being “annoying and a waste of time”, CAPTCHA (which stands for Completely Automated Public Turing test to tell Computers and Humans Apart) is now largely controlled by Google, which bought it in 2009 and now offers it to users in the form of the updated reCAPTCHA service.
“Google says it doesn’t use this information to target ads, but at the end of the day, Google is an ad selling company,” Cloudflare said in a statement.
Google reCAPTCHA offered an “invisible” mode in its second version in 2017 and in the third, claiming that “they will never interfere with users.” However, most people still often see “grids” for selecting photos and anti-robot checkboxes, probably because sites and developers have not updated to newer versions, or because the visitors potentially seem “suspicious”.
This is not Cloudflare’s first attempt to replace CAPTCHA. Last year, the company promised to “completely get rid” of the test and created a hardware authenticator using physical USB keys such as YubiKey or FIDO keys. Although they work well, having to always carry the keys with you is not very convenient.
According to Akkerman Yuri, CEO of consulting company WebAuthn Works, the method that Cloudflare tested does not confirm whether a person is actually controlling the device. However, in partnership with Apple, Cloudflare was able to use private access tokens as another method to prove it.
Turnstile is not hardware dependent like Cloudflare’s previous attempt. It is currently available in beta for free. The setup process is detailed on the Cloudflare website and involves replacing your current JavaScript CAPTCHA with the one that calls the Turnstile API.
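Swapping the widget script is only half of the integration: the server still has to validate the token the widget produces before trusting the request. The following is an added example, not code from the article or from Cloudflare; it assumes Node 18+ and Cloudflare's documented `siteverify` endpoint and field names, while the expected hostname and action, the token length bound and the freshness window are values chosen for this example.

```javascript
// Added example: server-side validation of a Turnstile token (Node 18+, global fetch).
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const MAX_TOKEN_AGE_MS = 5 * 60 * 1000; // freshness window chosen for this example

// Pure decision function: takes the parsed siteverify JSON and fails closed.
// `expected` = { hostname, action } are the site's own values (hypothetical here).
function evaluateSiteverify(result, expected, now = Date.now()) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || ["no-response"];
    return { ok: false, reason: codes.join(",") };
  }
  // A token solved on another site's widget must not be accepted here.
  if (result.hostname !== expected.hostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  // Bind the token to the form it was issued for (e.g. login vs. signup).
  if (expected.action && result.action !== expected.action) {
    return { ok: false, reason: "action-mismatch" };
  }
  const issued = Date.parse(result.challenge_ts);
  if (Number.isNaN(issued) || now - issued > MAX_TOKEN_AGE_MS) {
    return { ok: false, reason: "stale-or-missing-timestamp" };
  }
  return { ok: true, reason: "verified" };
}

// Network wrapper: `token` is the value of the `cf-turnstile-response` form field.
async function verifyTurnstile(token, secret, remoteip, expected) {
  // Length bound is an assumption of this example; reject obviously bad input early.
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-oversized-token" };
  }
  try {
    const body = new URLSearchParams({ secret, response: token });
    if (remoteip) body.set("remoteip", remoteip);
    const res = await fetch(SITEVERIFY_URL, { method: "POST", body });
    return evaluateSiteverify(await res.json(), expected);
  } catch (err) {
    // Network or parse failure: deny rather than let the request through.
    return { ok: false, reason: "verification-unavailable" };
  }
}
```

The secret key stays on the server, and a request is accepted only when `ok` is true, so a missing, replayed or cross-site token is treated the same as a failed challenge.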
Source: Ars Technica, The Verge