Internet Security Blog - Hackology

Cloudflare to end CAPTCHAs but at what Cost?

Cloudflare started an experiment to end the use of CAPTCHAs for identifying the difference between humans and bots.

Everyone who uses the internet has encountered CAPTCHAs at least once or twice. They are annoying and hated by most of us. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was first developed in 1997 to identify whether a user is a bot or a human. Eventually, along with identifying humans, CAPTCHAs came to be used to digitize out-of-print books and street names and to feed other AI projects.

The most widely used CAPTCHA (reCAPTCHA by Google) identifies humans while digitizing traffic signals, buses, cabs, fire extinguishers, etc. You have probably seen the prompts: ‘I’m not a bot’; select all the boxes with traffic lights in them; how many boxes have bicycles in them?


These questions, asked just to prove that we are not bots, are rather insufferable. However, the good news for most of us is that Cloudflare’s new security system no longer requires us to prove that we are humans.

According to Cloudflare,

Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days.


According to the above assumption, which is quite plausible, 500 years are wasted on CAPTCHAs each day.

Why is it a good idea to get rid of CAPTCHAs?

It is not just that we don’t like CAPTCHAs; there are deeper reasons why they should be eliminated.

  • A lot of time is lost. Especially when you are running low on time and have to verify your ‘human-ness’ to the internet, it not only makes you late for your project but also frustrates you.
  • There are many kinds of users on the internet, and some are visually and physically impaired. It is almost impossible for them to solve the CAPTCHAs. This means that those challenges are not user-friendly and not easily accessible to every internet user.
  • The CAPTCHAs ask questions that are not always culturally appropriate. For example, cabs are yellow in America but black in England. Some places call them cabs, but others call them taxis. Cultural differences make these questions hard to answer for users who have never seen certain things in their lives.

Cloudflare to bring in new security system

The company eliminating the CAPTCHAs is also famous for protecting websites against distributed denial-of-service (DDoS) attacks. With this new security system, users will be able to successfully log in to websites by using their USB security key.

But eliminating the CAPTCHAs is not the only thing Cloudflare is doing. It is bringing in a new security system called ‘Cryptographic Attestation of Personhood’ or ‘CAP’, and it is as complicated as it sounds.

This new security software will use physical USB keys for security. So, when you want to register, you have to insert the key. This is done while the security software is running, so that the USB key is paired with your computer. This will verify that you are a human being.

The software is currently in beta phase. If you have a USB key, you can test the software on the official website of Cloudflare. On the website, you will easily find the button ‘I am human.’ Once you click on it, you will be prompted for the plug-in device.

Cryptographic Attestation of Personhood

Yubico USB Security Key

If we compare the old CAPTCHA with CAP, the new Cryptographic Attestation of Personhood is more accessible, but it is also complex. Let us tell you how it works.

How Cloudflare’s CAP Works

CAP turns a person’s surfing on the internet into two-factor authentication, which is a nightmare for everyone. This means that instead of looking for trucks and fire hydrants in the boxes, we now have to look for the USB key and plug it into a port that works.

This also has its challenges. The first challenge arises when you mistakenly mix up another device with the USB key. The second arises for those whose devices, like the MacBook Pros, do not have USB ports.

Since the software is in the test phase, most hardware does not support it yet. The secure module in this system can prove that it keeps a secret without revealing it. This matters because Cloudflare asks the user for proof that the manufacturer of their key is legitimate.

This new security system, ‘CAP’, depends heavily on WebAuthn attestation. WebAuthn is an API standardized by the World Wide Web Consortium (W3C) and implemented in most modern web browsers and operating systems. Its main aim is to provide a standardized interface for authenticating users on the web using the capabilities of their devices. The security system will later work on Windows, Ubuntu, Chrome, MacOS, iOS 14.5, etc.

Beta Version of CAP

Cloudflare has set up a website where you can try the beta version of the system and get a quick idea of what CAP is and how it works. There are six simple steps to using Cryptographic Attestation of Personhood.

  • Any internet user can access any website, and to verify that they are human, they will soon have to go through Cryptographic Attestation of Personhood. An example of such a website is
  • Instead of CAPTCHAs, Cloudflare will now serve a different kind of challenge.
  • The users now have to click on the option ‘I am human’ and are then prompted for a security device.
  • Users must then select a hardware security key to insert in the USB port.
  • As soon as the user plugs the device into the port, a cryptographic attestation is delivered to Cloudflare.
  • This, in turn, verifies the user. And then, the user can use the website they desire without any issues.

Completing this brief test takes only 5-7 minutes. The important thing about this system is that it protects the personal data and privacy of the users (since the attestation is not linked to any other user device). At most three clicks are needed to complete this test.

All the manufacturers of electronic devices are trusted by Cloudflare and are a part of the FIDO Alliance. So, each key produced by a manufacturer has an identifier with the other keys manufactured by different manufacturers.

CAP Introduces New Risks

As systems evolve, bad players also find workarounds. We may not see CAPTCHA disappearing anytime soon even if CAP is launched. The biggest flaw in CAP is in its design: if it needs a paired USB key, what is stopping someone who runs “bots” from leaving the key connected for good and letting the bots do all the automation? The purpose of CAPTCHA was to disallow automated processing of certain tasks, thus killing bots and their tasks. Cloudflare may have thought of this issue and might come up with an explanation of how they will fix it. Although a User Presence Test is part of the integration, as with CAPTCHAs it may not be perfect in its implementation at the moment, due to varying platforms and cross-platform compatibility.
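
To show what the attestation delivered in the steps above carries and where the User Presence Test appears in it, here is an added example (not code from Cloudflare or from the original article) of the checks a server runs on a WebAuthn registration response before it verifies the attestation signature and certificate chain, which this sketch leaves out. The RP_ID and ORIGIN values and all function names are assumptions, and the sample response is constructed rather than captured from a real key.

```python
import hashlib, hmac, json, secrets, struct
from base64 import urlsafe_b64encode

RP_ID = "example.test"            # assumed relying-party ID
ORIGIN = "https://example.test"   # assumed origin of the challenge page
FLAG_UP, FLAG_AT = 0x01, 0x40     # WebAuthn flag bits: user present, attested data

def new_challenge(issued: set) -> str:
    """Issue a random single-use challenge, base64url-encoded as browsers echo it."""
    c = urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    issued.add(c)
    return c

def check_response(client_data_json: bytes, auth_data: bytes, issued: set) -> dict:
    """Validate clientDataJSON and authenticatorData; raise ValueError on failure."""
    client = json.loads(client_data_json)
    if not isinstance(client, dict) or client.get("type") != "webauthn.create":
        raise ValueError("wrong ceremony type")
    if client.get("origin") != ORIGIN:
        raise ValueError("origin mismatch")
    challenge = client.get("challenge")
    if not isinstance(challenge, str) or challenge not in issued:
        raise ValueError("unknown or replayed challenge")
    issued.discard(challenge)                    # a challenge is accepted once
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if not flags & FLAG_AT or len(auth_data) < 53:
        raise ValueError("no attested credential data")
    # AAGUID: authenticator model identifier, common to every key of that model
    return {"sign_count": sign_count, "aaguid": auth_data[37:53].hex()}

def sample_response(challenge: str, flags: int):
    """Constructed sample (not from a real key); credential ID and key omitted."""
    client = json.dumps({"type": "webauthn.create", "challenge": challenge,
                         "origin": ORIGIN}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    return client, auth + bytes(range(16))       # constructed AAGUID 00..0f

if __name__ == "__main__":
    issued = set()
    client, auth = sample_response(new_challenge(issued), FLAG_UP | FLAG_AT)
    print(check_response(client, auth, issued))
    try:
        check_response(client, auth, issued)     # same response sent again
    except ValueError as err:
        print("rejected:", err)
```

The user-presence flag is set by the key itself, so the server can only trust it as far as it trusts the key model named by the attestation.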


There is no doubt that Cloudflare is trying to build a better internet that is accessible to most of the users on the internet.
