
Turnstile is Cloudflare’s latest attempt to rid the web of CAPTCHAs

If you’re tired of clicking on picture grids to identify traffic lights and bicycles, this approach might help change that


Cloudflare is testing a new kind of CAPTCHA that tests your browser instead of you. The company calls it Turnstile, and it’s designed to spare us from performing those mundane click-the-traffic-light kinds of tasks to verify you’re a human and not a bot.

Turnstile is being presented as “a user-friendly, privacy preserving alternative” to CAPTCHA. According to a press release, it will get rid of the interactive challenges used to verify people, which Cloudflare says normally take an average of 32 seconds to pass, and reduce the entire process to one second.

An interaction-free test that reduces confirmation time to one second

Instead of presenting a visual puzzle to a user, Turnstile applies one of many browser challenges that it rotates through to look for human behavior, amping up the difficulty if a visitor exhibits “non-human behaviors.” Turnstile uses JavaScript-based challenges that read the web browser environment for signals that indicate there’s a person entering the site, cycling through tests like proof of work, proof of space, and probing for web APIs. It also utilizes machine learning models to compare previously successful challenges with new ones, speeding up the passing process.
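Proof of work, one of the challenge types named above, can be illustrated with a hashcash-style puzzle whose difficulty rises when a visitor looks automated. This is an added example, not Cloudflare's Turnstile code; the function names, the `suspicion` score, the 8 to 16 bit difficulty range and the 60-second lifetime are all assumptions.

```javascript
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // per-process signing secret (assumption)
const spent = new Set();                   // nonces already redeemed, blocks replay

// Count the leading zero bits of a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

// The tag binds nonce, difficulty and expiry so a client cannot lower its own difficulty.
const mac = (nonce, bits, expires) =>
  crypto.createHmac('sha256', SERVER_KEY).update(`${nonce}|${bits}|${expires}`).digest();

// Server: issue a harder puzzle as suspicion (hypothetical score in [0, 1]) rises.
function issueChallenge(suspicion, now = Date.now()) {
  const bits = 8 + Math.round(suspicion * 8);
  const nonce = crypto.randomBytes(16).toString('hex');
  const expires = now + 60000;
  return { nonce, bits, expires, tag: mac(nonce, bits, expires).toString('hex') };
}

// Client: search for a counter so SHA-256(nonce:counter) has `bits` leading zero bits.
function solve({ nonce, bits }) {
  for (let counter = 0; ; counter++) {
    const h = crypto.createHash('sha256').update(`${nonce}:${counter}`).digest();
    if (leadingZeroBits(h) >= bits) return counter;
  }
}

// Server: one hash to check; rejects forged, expired, replayed or unsolved challenges.
function verify(ch, counter, now = Date.now()) {
  const tag = Buffer.from(String(ch.tag), 'hex');
  const expected = mac(ch.nonce, ch.bits, ch.expires);
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) return 'bad-tag';
  if (now > ch.expires) return 'expired';
  if (spent.has(ch.nonce)) return 'replayed';
  const h = crypto.createHash('sha256').update(`${ch.nonce}:${counter}`).digest();
  if (leadingZeroBits(h) < ch.bits) return 'unsolved';
  spent.add(ch.nonce);
  return 'ok';
}
```

Each extra difficulty bit doubles the client's expected work while the server's check stays at a single hash, which is what makes raising the difficulty for suspicious clients cheap for the site.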

This isn’t Cloudflare’s first fist-shake at CAPTCHAs. Last year, the company vowed to “get rid of CAPTCHAs completely” and created a hardware-enabled authenticator that uses physical USB-based keys like YubiKey or FIDO key.

Instead of seeing a puzzle, you’ll just see this banner as it confirms you’re a human.
Image: Cloudflare

Although hardware keys can work well, they require that users always have access to one. So, the company also made a version that can “ask” a trusted device (smartphone or otherwise) if it’s, in fact, not being operated by a bot.

There have been concerns that trusted devices can be duped, though. According to Ackermann Yuriy, CEO of the consulting firm WebAuthn Works, the method Cloudflare was testing does not confirm whether the device is truly human-operated. In a partnership with Apple, Cloudflare was able to leverage Private Access Tokens as another method to prove a person is truly the one using the device. That method still relies on hardware, however, whereas the new Turnstile method could skip that requirement.

Cloudflare’s Turnstile is available now in beta form, is free to use, and you don’t have to use the company’s other web services or send your traffic through its network, either. The process for setting it up is detailed on Cloudflare’s website and involves replacing your current CAPTCHA JavaScript with one that calls for the Turnstile API.