‘Cryptographic Attestation of Personhood’ Could End CAPTCHAs Forever

Everyone hates CAPTCHAs. Those little puzzles we all have to navigate to prove to websites that we’re humans and not robots consume an incredible amount of our time and often feel like they don’t work. Typing words was bad enough; selecting all the street signs or boats in blurry pictures is worse. Cloudflare research engineer Thibault Meunier estimates humanity collectively wastes roughly 500 years every day solving CAPTCHAs. So the company has devised a system that could end them forever.

“It takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days,” Meunier said. “This very simple back of the envelope math equates to somewhere in the order of 500 human years wasted every single day—just for us to prove our humanity.”

Cloudflare has designed a system called a Cryptographic Attestation of Personhood. The short version is that users wanting to access a website or service would click a button to claim they’re human and, instead of clicking pictures or typing a word, would insert a physical USB key, like a YubiKey, into their computer and hit the button on it.

While this is still somewhat laborious, in theory it would actually prove that you are a human, which CAPTCHAs do not. Although CAPTCHAs are supposed to “prove you’re not a robot,” plenty of bots can break them with ease.

“Over the years the web moved from simple CAPTCHAs based on text recognition against backgrounds to OCRing old books to identifying objects from pictures,” Meunier said. These changes have made CAPTCHAs much less accessible for people with physical and cognitive impairments, a complete pain in the ass for anyone accessing the site on mobile, and they lean heavily on cultural knowledge of the CAPTCHA’s creator. No one likes to stare at a bank of 9 pictures looking for a cab and wonder if they’re supposed to find NYC cabs, which are yellow, or London cabs, which are black.

It’s not just users who hate CAPTCHAs. “CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high performing online business will tell you, it’s not something you want to do unless you have no choice,” Meunier said.

Cloudflare says that universal 2-factor authentication on certain websites would be a better system. It’s still cumbersome, but it’s better than hunting for hidden motorcycles in pictures of traffic. “The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer,” Meunier said. “The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate.”

Cloudflare has developed an API for this process and released it on GitHub. The system will work with FIDO Alliance keys, and Cloudflare has tested YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys. According to Cloudflare, the system is anonymous, safer, and less cumbersome than CAPTCHAs. You can see how it works at cloudflarechallenge.com.

“We’re excited to bring about the demise of the fire hydrant on the Internet,” Meunier said. “It’s no longer needed.”