Headline
Cloudflare Takes a Stab at a Captcha That Doesn’t Suck
The internet infrastructure company has an alternative tool to check whether you’re human—and it doesn’t force you to pick out buses in tiny boxes.
There’s a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It’s a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google’s reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.
Like reCaptcha, Cloudflare’s new alternative, dubbed Turnstile, is free, and you don’t have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser’s technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only when the tool lacks adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge, which is an enterprise product for Cloudflare customers, is constantly testing different types of puzzles to find the options that are less frustrating for users.
Anyone can now implement Turnstile for free through an application programming interface. You can set it up to only run invisible challenges that don’t appear to the user at all or elect to have the system show a button for users to click as an additional humanness check. Unlike Managed Challenge, Turnstile never shows harder challenges or Captchas.
“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” says Cloudflare’s chief technology officer, John Graham-Cumming. “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”
Invisible challenges include tests like complex equations that devices are asked to solve. Turnstile has data about how long it takes different devices—say, a Macbook Air or a Samsung Galaxy—to solve the challenge. If a device claims to be a Samsung Galaxy S22, but solves the challenge much more quickly than that device should be able to, it may indicate that the request is really coming from an automated system run out of a data center.
Courtesy of Cloudfare
Captchas are an important security defense across the web, but Cloudflare is billing Turnstile as particularly privacy-protective as well. The tool will look at some browser session data, like browser characteristics and data from website rendering mechanisms, but the service doesn’t check advertising cookies or login cookies. And the company plans to outsource as much data review as possible to minimize how much Cloudflare ever sees. For example, Turnstile will check for Apple’s “Private Access Tokens,” launched this year as a tool for attesting that a user is human and reducing the need for captchas.
Researchers have found in recent years that Google’s reCaptcha checks to see whether a user has a Google login cookie as one of the factors in determining whether they are human. Google denies that reCaptcha data is used for anything other than challenges, but some have pointed out that the data could be used in targeted advertising campaigns.
Cloudflare says that since launching Managed Challenge, it has dramatically reduced the number of captchas it serves.
“Before we introduced Cloudflare Managed Challenge, if we believed a visitor was a bot but our customer wanted us to confirm that, then we would serve a Captcha 100 percent of the time,” Graham-Cumming says. “After introducing Cloudflare Managed Challenge, that number was reduced down to 9 percent. Today, that number is further reduced down to 3 percent.”
The company adds that users previously spent an average of 32 seconds doing captchas on its own sites. Since implementing Managed Challenge, the average wait time is one second because of the new feature’s silent, behind-the-scenes challenges. In the Cloudflare dashboard, the captcha option is now called “Legacy Captcha." The company says that, “this more accurately describes what CAPTCHA is: an outdated tool that we don’t think people should use."
Turnstile is part of a broader industry effort to rework captchas and make them less frustrating for users. But reCaptcha’s ubiquity and familiarity may hinder adoption of new alternatives. As the field shifts, though, it may be ripe for a new player—especially one that doesn’t make you want to chuck your laptop into the sea.
Updated 9-28-2022, 6:20 pm ET: Included additional details about Turnstile and comment from Cloudflare. We also clarified the types of “challenges” Turnstile will present users.