CAPTCHAs May Soon Go Extinct

CAPTCHAs May Soon Go Extinct

Are you a human? It’s an age-old question made more pressing by the ability for millions of computers to shut down websites or snipe auctions out from under regular, non-robotic buyers. What’s more, proving you’re a human reduces spam, abuse, and even theft.

But the way we currently tell if someone is human online — the CAPTCHA — is, according to Internet backbone provider Cloudflare, costing us collectively 500 years per day.

The CAPTCHA, which stands for “Completely Automated Public Turing tests to tell Computers and Humans Apart,” first appeared in 1997 and has proliferated across the Internet, slowly morphing into the “Find the bicycle” challenges that we face today. Cloudflare, who obviously has money riding on anything that makes it easier to sift robot attackers from humans, is proposing a new service that uses hardware keys to confirm your existence.

But here’s the rub: those hardware keys aren’t very user-friendly. The most popular model, the Yubikey, is a little dongle that connects to your computer and sends a special code when you touch a conductive surface. In this case, the USB key is literally an object you stick into your machine to unlock certain websites and, because you have to interact with it physically, Cloudflare assumes that you’re a human being with fingers. These keys could also pass minimal identifying information onto the website in question but most key manufacturers claim no data changes hands.

That said, Cloudflare’s announcement is a bit more interesting because the company proposed that we not just use USB keys but instead use the tools built into our phones and computers.

“We want to get rid of CAPTCHAs completely. The idea is rather simple: a real human should be able to touch or look at their device to prove they are human, without revealing their identity,” it wrote in a blog post. “We want you to be able to prove that you are human without revealing which human you are! You may ask if this is even possible? And the answer is: Yes! We’re starting with trusted USB keys that have been around for a while, but increasingly phones and computers come equipped with this ability by default.”

And Cloudflare is right about CAPTCHA: it’s awful. We waste precious seconds tapping through modern implementations and some of the requests border on the impossible Further, Cloudflare also notes that things like cultural knowledge are necessary to understand CAPTCHAs.

“The people on the planet who have seen a US fire hydrant are in the minority, as are the number who speak English. Cabs are yellow in New York City, and black in London — heck, ‘cabs’ are only cabs in a few places, and ‘taxis’ everywhere else!”

Unfortunately, these keys and high-end phones cost real money. Yubikeys start at $US55 ($71) and go up to $US70 ($90) for more complex versions and even open-source versions cost about $US40 ($51). A high-end iPhone or Android device with enough smarts to manage the tricks Cloudflare is proposing will cost hundreds if not thousands. While not everyone knows what a fire hydrant is, nearly as many people probably can’t afford to access these new features.

How it Works

I tested the new feature with my USB-C Yubikey that is crowded onto the back of my Mac Mini like a flattened tick. Tapping the metal button on the device got me right past Cloudflare’s testing page in an instant which was, to be clear, far better than picking out the crosswalks in a bunch of grainy pictures. Being sure everyone has access to these tools, however, is a bit harder.

What’s Cloudflare’s real goal? To help e-commerce speed up checkout times.

“CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high performing online business will tell you, it’s not something you want to do unless you have no choice,” wrote Cloudflare. Clearly, then, the goal is to make it easier for a swathe of the Internet to access content while leaving the rest of the world to try to pass a Turing test it never asked for.