Cloudflare wants to replace CAPTCHAs with Turnstile

  • 9/28/2022 - 13:00

Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are. Available to site owners at no charge, Cloudflare customers or no, Turnstile chooses from a rotating suite of “browser challenges” to check that visitors to a webpage aren’t, in fact, bots.

CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they’ve been relatively successful at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as low as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world’s most popular websites.

Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it — if Cloudflare’s public rallying cries hadn’t made that clear. In a conversation with technewss, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans.

Cloudflare Turnstile
Image Credits: Cloudflare

“The biggest issue with CAPTCHA is that user experience is terrible. As computers have gotten better at solving them, the user experience has only gotten worse,” Graham-Cumming said in an email interview.

Cloudflare at one point moved to a service called hCaptcha — to mixed reviews. One frequent challenge asked users to enter their name, say whether they prefer eggplants or carrots and click every one of 27 images showing a train. The blowback — and the fees imposed by some CAPTCHA services — is part of what spurred Cloudflare to develop its own alternative, according to Graham-Cumming.

“We've been working on a solution for several years and blogged a few months back about how we have decreased our own CAPTCHA usage by 91%. Since we've proven it worked for us, we wanted to give everyone the option of getting rid of CAPTCHA,” he added.

Turnstile automatically chooses a browser challenge based on “telemetry and client behavior exhibited during a session,” Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors who’ve passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request — avoiding having users solve a puzzle.


To deploy Turnstile, web admins create a Cloudflare account and obtain the necessary embed code, which they then paste into their website’s code. After adding a server-side call to Cloudflare’s Turnstile API, the service goes live. Any site can call the API.
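The server-side call is the part of that deployment that actually enforces anything: the widget only produces a token, and a form handler that never verifies it is no better protected than one with no widget at all. The following is an added example, not code from the article or from Cloudflare; it implements the verification step as a defender would want it (fail closed on errors, reject replayed tokens, pin the hostname and the form action). The endpoint `https://challenges.cloudflare.com/turnstile/v0/siteverify`, the form field `cf-turnstile-response` and the reply fields `success`, `hostname`, `action` and `error-codes` are taken from Cloudflare's published Turnstile documentation, not from this page; the transport is injectable so the decision logic runs offline against constructed replies.

```python
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Endpoint and field names follow Cloudflare's Turnstile documentation
# (assumption: the article above does not state them).
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
RESPONSE_FIELD = "cf-turnstile-response"   # hidden form field the widget fills in


@dataclass
class TurnstileResult:
    ok: bool
    reason: str   # machine-readable reason, meant to be logged on every rejection


def _default_post(url: str, data: dict) -> dict:
    """Real transport: POST form-encoded data and decode the JSON reply."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_turnstile(
    form: dict,
    secret: str,
    expected_hostname: str,
    expected_action: Optional[str] = None,
    remote_ip: Optional[str] = None,
    post_json: Callable[[str, dict], dict] = _default_post,
) -> TurnstileResult:
    """Validate the widget token server-side; the client-side widget alone proves nothing."""
    token = form.get(RESPONSE_FIELD, "")
    if not token or len(token) > 2048:   # 2048 is a sanity bound, not a documented limit
        return TurnstileResult(False, "missing-or-oversized-token")

    payload = {"secret": secret, "response": token}
    if remote_ip:
        payload["remoteip"] = remote_ip

    try:
        reply = post_json(SITEVERIFY_URL, payload)
    except Exception as exc:   # verifier unreachable: fail closed, never fail open
        return TurnstileResult(False, f"siteverify-unreachable:{exc.__class__.__name__}")

    if not reply.get("success"):
        # e.g. "timeout-or-duplicate": a token replayed from an earlier submission
        codes = ",".join(reply.get("error-codes", [])) or "unknown"
        return TurnstileResult(False, f"rejected:{codes}")

    # A token minted for a different site is still a valid token; pin the hostname.
    if reply.get("hostname") != expected_hostname:
        return TurnstileResult(False, f"hostname-mismatch:{reply.get('hostname')}")

    # Optionally bind the token to the form it was issued for (the widget's data-action).
    if expected_action is not None and reply.get("action") != expected_action:
        return TurnstileResult(False, f"action-mismatch:{reply.get('action')}")

    return TurnstileResult(True, "ok")


# --- Constructed siteverify replies (not real Cloudflare traffic) for each decision path ---
def _fake_post_factory(reply: dict) -> Callable[[str, dict], dict]:
    def fake_post(url: str, data: dict) -> dict:
        assert url == SITEVERIFY_URL and "secret" in data and "response" in data
        return reply
    return fake_post


def demo() -> dict:
    """Run the verifier against constructed replies; returns the reason per case."""
    form = {RESPONSE_FIELD: "constructed-token-value"}
    cases = {
        "good": {"success": True, "hostname": "example.com", "action": "login"},
        "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
        "wrong-site": {"success": True, "hostname": "attacker.example", "action": "login"},
        "wrong-form": {"success": True, "hostname": "example.com", "action": "signup"},
    }
    out = {}
    for name, reply in cases.items():
        res = verify_turnstile(form, "PLACEHOLDER_SECRET", "example.com", "login",
                               post_json=_fake_post_factory(reply))
        out[name] = res.reason
    out["no-token"] = verify_turnstile({}, "PLACEHOLDER_SECRET", "example.com").reason

    def failing_post(url: str, data: dict) -> dict:
        raise ConnectionError("simulated outage")   # constructed network failure
    out["outage"] = verify_turnstile(form, "PLACEHOLDER_SECRET", "example.com",
                                     post_json=failing_post).reason
    return out


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:10s} -> {reason}")
```

In production the `secret` comes from a secrets store, never from the page source, and `remote_ip` should be the address the request actually arrived from rather than an unvalidated forwarded header. The hostname and action checks matter because siteverify only tells you a token is genuine; it does not know which of your forms, or which site, the caller was supposed to be solving for.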

“If you're using an existing CAPTCHA service today, it’s just a find and replace on the code string,” Graham-Cumming said. “It’s compatible with any other network provider … You don’t have to use any other Cloudflare services, like our content delivery network, to use Turnstile.”

Cloudflare Turnstile
A diagram showing how Cloudflare’s Turnstile system works. Image Credits: Cloudflare

Cloudflare claims that Turnstile is just as secure as CAPTCHA, taking advantage of features like private access tokens to minimize the amount of data that’s collected. Newly implemented in iOS 16 and macOS Ventura, private access tokens work by having a device send anonymized authentication information — tokens — to a compatible website without exposing any sensitive information about itself.

Cloudflare and rival service Fastly were among the first to announce support for private access tokens with Apple hardware.

The question is whether sites will be persuaded to deploy Turnstile over the incumbent CAPTCHA. By one measure, 97.7% of the top million websites by traffic use Google's reCAPTCHA, currently the most popular CAPTCHA service on the market. Cloudflare says it’s working on plugins for major platforms like WordPress to make Turnstile easier to deploy, but it’ll likely take time to convince admins that it’s worth the effort — assuming they’re ever convinced.

Graham-Cumming seemed mostly indifferent, noting that Cloudflare doesn’t have an obvious business incentive to drive adoption.

“We built an alternative, proved it works well for us and opened it up to other sites about as soon as we possibly could,” he said. “Since we've proven it worked for us, we wanted to give everyone the option of getting rid of CAPTCHA. Helping make the internet better really is our mission. We think giving this away to any website is a way to do that.”

As far as next steps are concerned, Graham-Cumming says that private access tokens are the best indicator for where Cloudflare would like to move in the future. The company tested a USB-based security system in the past, but requiring hardware adds a high degree of friction, he conceded.

“Customers and networks both care more and more about privacy and data segmentation. The ability for us to abstract portions of the validation to other parties without having to collect data ourselves is likely to continue,” Graham-Cumming added. “For example, [people] mention biometric authentication. I think it’s more likely we partner with hardware makers to use private access tokens to do biometric validation for us and pass an encrypted token proving that validation to us rather than doing biometric authentication ourselves.”
