Cloudflare is working on an alternative to the famous anti-bot recognition system. To get rid of captchas, the company wants to link a physical security key to a 'cryptographic personality certificate'.
In April 2020, Cloudflare announced that it had moved to hCaptcha, an alternative service to Captcha and reCaptcha. At the time, the decision was motivated by Google's plan to charge for the use of the reCaptcha service. But today, the company wants to go further.
A “Cryptographic Personality Attestation”
On Cloudflare’s blog, engineer Thibault Meunier explains why his group wants to end captchas:
“Humanity loses about 500 years a day looking at images and identifying buses or bicycles. This system, which has enabled online services to distinguish between humans and robots since 1997, is wasting our time, disrupting our navigation activities and making us lose productivity.”
To put an end to this «madness» (it is Cloudflare who says it), the company wants to offer Internet users USB security keys linked to a cryptographic certificate. “The idea is quite simple: a real human should be able to touch or look at his device to prove that he is human, without revealing his identity,” explains Thibault Meunier. This experimental Cloudflare project, for the moment limited to English-speaking regions, would initially work with USB security keys compatible with the latest smartphones and computers, such as YubiKey, HyperFIDO or Thetis FIDO U2F.
At the same time, the company offers a secure digital certificate based on the WebAuthn API, a system that generates a “cryptographic personality attestation”. The company says it is fully compatible with all sufficiently recent operating systems.
With this system, the user will be asked to insert his security key into a USB port, or to activate it on his smartphone. This “presence test” will generate a digital signature, and a cryptographic attestation will be sent to the website.
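A server-side view of the presence test described above, as an added example (not Cloudflare's code): it parses the fixed header of WebAuthn authenticator data and rejects a response whose User Present bit is missing or whose RP ID hash does not match the site. The RP ID `example.com`, the helper `build_sample` and the sample bytes are constructed for illustration; verification of the signature and of the attestation certificate is assumed to happen separately.

```python
import hashlib
import struct

# Bits of the "flags" byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # User Present: the key was touched or activated
FLAG_UV = 0x04  # User Verified: PIN/biometric checked locally on the device
FLAG_AT = 0x40  # attested credential data follows the fixed header
HEADER_LEN = 37  # 32-byte rpIdHash + 1-byte flags + 4-byte signCount


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed header and enforce what a presence test relies on."""
    if len(auth_data) < HEADER_LEN:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = auth_data[:32]
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    # The response must be scoped to this site, not produced for another one.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    # Without the UP bit nobody touched the key: no proof of presence.
    if not flags & FLAG_UP:
        raise ValueError("User Present flag not set")
    result = {
        "user_verified": bool(flags & FLAG_UV),  # only a yes/no bit, no biometric data
        "sign_count": sign_count,
        "aaguid": None,
    }
    if flags & FLAG_AT:
        # Attested credential data starts with a 16-byte AAGUID (authenticator model).
        if len(auth_data) < HEADER_LEN + 16:
            raise ValueError("truncated attested credential data")
        result["aaguid"] = auth_data[37:53].hex()
    return result


def build_sample(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    """Constructed authenticator data for the demo (all-zero AAGUID)."""
    data = hashlib.sha256(rp_id.encode()).digest()
    data += struct.pack(">BI", flags, sign_count)
    if flags & FLAG_AT:
        data += bytes(16) + struct.pack(">H", 4) + b"\x01\x02\x03\x04"
    return data


if __name__ == "__main__":
    print(parse_authenticator_data(build_sample("example.com", FLAG_UP | FLAG_AT), "example.com"))
```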
“Zero-knowledge proof”
Cloudflare claims to rely on so-called zero-knowledge proof (ZK) technology, which allows users to prove that the manufacturer of their key is one of those the company trusts.
According to the company, no biometric data can be collected through this system, since the WebAuthn API prohibits it. And the benefits are numerous according to Cloudflare, which specifies that this test requires only three clicks and takes 5 seconds on average, against 32 to validate a captcha.