Based on Cloudflare's data it takes the average person 32 seconds to complete a CAPTCHA challenge such as 'click on all the pictures with bicycles'. With 4.6 billion internet users worldwide and the typical person seeing a CAPTCHA once every 10 days this equates to an incredible headline on the Cloudflare blog asserting "Humanity wastes about 500 years per day on CAPTCHAs". For reference, CAPTCHA is an abbreviation of 'Completely Automated Public Turing test to tell Computers and Humans Apart'.
Unfortunately - due to the bad faith actors of the connected world - spammers, hackers and so on, CAPTCHAs are deemed necessary by some entities / organisations to save their online resources from misuse. One very contemporary reason I have been seeing more CAPTCHAs than ever is due to PC hardware shortages and their battles with scalpers. I've been faced with these 'are you human?' gateway pages when visiting places like Scan.co.uk, eBuyer, and so on recently.
Like most people I find CAPTCHAs irksome but while understanding their necessity it is good to hear that new technologies might be on the way, technologies that reduce the friction considerably. The Google 'noCAPTCHA reCAPTCHA' API seems to have faded – probably because Google decided to start charging for its use. But not to worry as Cloudflare is on the case…
On the Cloudflare blog Thibault Meunier boldly writes that "We want to get rid of CAPTCHAs completely". Meunier goes on to reason that "a real human should be able to touch or look at their device to prove they are human, without revealing their identity," and proposes the use of trusted USB keys (like YubiKey) to kick the time-consuming inspection of photos for fire hydrants into the bin of history.
Cloudflare asserts that you will be able to get through one of its 'Cryptographic Attestation of Personhood' tests in five seconds, with at most three clicks. It has tested the process using YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys - and they work on all browsers on all modern platforms (Android users are restricted to Chrome only for now). If you are concerned about privacy, Cloudflare says its system wants to make sure you are human, "but we're not interested in which human you are".
If you have one of the hardware keys mentioned above you can go and try the Cloudflare Challenge. I visited the site on my laptop with built-in fingerprint reader that is good for Windows Hello, but it threw up an error message after requesting I scan my fingerprint (like the exmaple above). Cloudflare says this is normal behaviour for this 'experimental project' as only USB or NFC security keys work today. Importantly, it is looking into "adding other authenticators as soon as possible," which would elevate its experiment from being mildly interesting to very interesting.
