Cloudflare and Apple further challenging the CAPTCHA status quo

Since 2007, with the advent of the iPhone, the smartphone-style device from various vendors has become ubiquitous across all corners of the world. Also, the past two decades have seen web-based digital services grow and diversify exponentially. All this innovation, growth, and evolution has driven identity fraud to the forefront of cyber-security concerns for individuals, governments, and organisations. Challenging whether established cyber-security techniques in this space are still fit to protect and authenticate individuals’ privacy and identity for all daily circumstances.

In recent years Apple has been quietly reshaping the privacy landscape of their eco-system for their customers. In doing so, they have been seeking to address alternative ways of verifying identity from the established methods ranging from password to challenge-response authentication. PAC recently wrote a blog post on how the adoption of passkeys as a replacement for passwords by Apple, Google, and Microsoft is a profound innovation for identity authentication.

On September 29th 2022, Cloudflare, the global content delivery network company, announced Turnstile’s beta release, a software-based alternative to the two-decade-old established challenge-response authentication method CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Matthew Prince, CEO of Cloudflare, declared the company’s low opinion of CAPTCHA when he said, “Cloudflare is taking one of the most hated pieces of Internet technology and making it easier, more secure, and more private for everyone to use”.

The primary purpose of challenge-response authentication is to ensure that a person makes the interaction, and not a robot, typically through image-based pattern recognition. However, there are many criticisms of CAPTCHA (and the Google variant reCAPTCHA), from accessibility to privacy and hindering the user experience through the additional friction it adds to digital interactions. Cloudflare’s Turnstile instead looks to determine there is a human user through a rotating range of browser and API challenges invisible to both a robot and human without the need for a CAPTCHA-style authentication challenge. The Turnstile technology also refines challenge-response interactions by increasing the challenge’s difficulty for those exhibiting non-human behaviour patterns. Cloudflare has released Turnstile as a free API-driven product that does not require using their network or any of their other products to replace a CAPTCHA authentication.

In a statement released by Cloudflare on August 6th 2022, they announced an extension of the open-source privacy pass protocol through support for a new cryptographic token called a private access token (PAT) that it has been working on with Apple, Google, and other industry leaders. Cloudflare has incorporated this into its managed challenge platform. The PAT technology has been created to determine if a human is using a device without the person being overtly aware. The technology works for browsers and APIs called by a browser or within an application.

As well as introducing Passkeys in macOS, iOS, and iPadOS this year, Apple has also introduced its version of PAT technology called automatic verification. The combination of the Cloudflare network, Cloudflare Turnstile beta, and the adoption of PAT technology by Apple allows for Cloudflare to recognise users of macOS Monterey and iOS/iPadOS 16 and authenticate a person’s device invisibly to them, unlike the CAPTCHA method. Cloudflare claims that Turnstile already has the same stable resolve rate as CAPTCHA. Their use of Turnstile has reduced their use of CAPTCHA by 91% and reduced the average time spent for challenge-response authentication from thirty-two seconds to one second.

This use case shows that with the support of device vendors and network providers, like Cloudflare, using a non-intrusive means of challenge-response authentication that maintains a person’s privacy is feasible, capable, and scalable. PAC expects to see, akin to passkeys, this approach to challenge-response authentication proliferate across devices and networks in the coming years. Providing a better user experience and improved privacy and security for all involved.