Cloudflare is testing a new kind of CAPTCHA that tests your browser instead of you. The company calls it Turnstile, and it’s designed to spare us from performing those mundane click-the-traffic-light kinds of tasks to verify you’re a human and not a bot.
Turnstile is being presented as “a user-friendly, privacy preserving alternative” to CAPTCHA. According to a press release, it will get rid of the interactive challenges used to verify people, which Cloudflare says normally take an average of 32 seconds to pass, and reduce the entire process to one second.
An interaction-free test that reduces confirmation time to one second
This isn’t Cloudflare’s first fist-shake at CAPTCHAs. Last year, the company vowed to “get rid of CAPTCHAs completely” and created a hardware-enabled authenticator that uses physical USB-based keys like YubiKey or FIDO key.
Although hardware keys can work well, they require that users always have access to one. So, the company also made a version that can “ask” a trusted device (smartphone or otherwise) if it’s, in fact, not being operated by a bot.
There have been concerns that trusted devices can be duped, though. According to Ackermann Yuriy, CEO of the consulting firm WebAuthn Works, the method Cloudflare was testing does not confirm if the device is truly human-operated. But in a partnership with Apple, Cloudflare was able to leverage Private Access Tokens as another method to prove a person is truly the one using the device. But this method still relies on hardware, whereas the new Turnstile method could skip that.